Bitcoin - fun, profit and anonymity on the wire - part 1

Bitcoin - fun, profit and anonymity on the wire. A brief analysis of the BitCoin network.

Already know what Bitcoin is? Consider yourself a 1337 hax0r? Click here to skip the introduction!

What are Bitcoins?

For those who aren't familiar with Bitcoin it is a relatively new virtual currency which provides consumers with a method to pay for goods and services anonymously. It's anonymous for one simple reason: Bitcoins cannot be tracked. This is bound to make the tax man unhappy and numerous arguments have been put forth regarding the legality of such a currency. Jason Calacanis of LAUNCH calls Bitcoin "the most dangerous technological project since the internet itself" and much bickering ensued.

Alarmist propaganda aside, you might be thinking "that's great, but how do I get my hands on this fantastic currency that protects my privacy?" Well, you can make your own Bitcoins, but don't bother as you're way too late to the party. Generating Bitcoins, a process known as "Bitcoin mining" or simply "mining," is computationally expensive and becomes more expensive as more Bitcoins are generated. In layman's terms: for the average home user your power bill will be larger than the balance of your Bitcoin wallet. The geeks who are going to make money from mining Bitcoins already have. Besides, the members of the Bitcoin community are anarchist/conspiracy theorist/gold standard weenies and you're not a weenie, are you?

All aboard the bandwagon

It may be too late for you to make money by Bitcoin mining but you can still make real money by jumping on the bandwagon like many before you. There's Bitcoin exchanges which allow users to trade US Dollars for Bitcoins and vice-versa, such as Mt Gox Bitcoin Exchange and GLobal Bitcoin Stock Exchange (GLBSE). A number of companies already accept Bitcoins as payment and there's even a Bitcoin-based Casino MMORPG should you feel like gambling away your virtual monies.

Losing your wallet

Bitcoin loss is irreversable. If you lose your wallet, you lose your Bitcoins. jaysonelliot summed it up nicely: "this means that losing data from your hard drive is equivalent to losing your bank account."

If you leave your computer unlocked then anyone with a USB drive could steal your wallet with autorun and a two line bash script in less than 30 seconds. Granted, if someone with malicious intent is hanging around your computer waiting for you to turn your back then you've got bigger problems - USB Switchblade anyone?

So what?

So far we've established:

No surprises there. Let's take a deeper look into the network which powers "The Next Big Thing" and the weenies who use it.

Who is using bitcoin?

Taking a look through the source code for the Bitcoin client reveals IRC bootstrapping is used for peer discovery. Lines 265 - 275 from irc.cpp shows irc.lfnet.org:6667 is Bitcoin's base of operations. Around line 350 we can see that #bitcoin is the channel used and the Bitcoin client initiates peer discovery by immediately issuing a "WHO #bitcoin" command:

Connecting to the server we see that there's ~8000 users and the developers' IRC daemon of choice is hybrid IRC version 7.2.3.

MOTD (edited for brevity):

One of the first things I noticed upon joining #bitcoin is that the hostnames are not cloaked/masked. This makes sense as if the hosts were masked then IRC simply wouldn't work as a method for peer discovery.

As an interesting side note: this may allow you to decloak a Bitcoin user chatting on an IRC server which uses cloaking by cross-referencing the hosts on the two networks. Obviously this only applies if you know the person uses Bitcoin.

Let's harvest some hosts!

I enabled logging in irssi and threw the following bash scripts together:

These were the results after logging the channel for about four days:

Interesting Hosts

It's important to note that I didn't perform a nslookup for any of the addresses. As a result there are (most likely) many interesting hostnames which have been missed.

The .gov hosts are as follows:

There were approximately 1,000 .edu hosts discovered during the four day period. Are these institutions partaking in Bitcoin mining or perhaps computer science geeks are (ab)using network resources?

Hosts matching "mail" are mail servers in some instances. These may be compromised hosts however it's more likely that they're network gateways in the DMZ.

Chances are the hosts matching "dsl" are home ADSL users using SOHO routers. Some of these hosts (approximately 500) have port 80 open.

Why do I care who is using Bitcoin?

If you're a network administrator and you've spotted a spike in IRC traffic, chances are you have some form of malware connecting back to a botnet command and control server, someone is chatting on IRC instead of working, or someone is (ab)using your network's computation power to mine Bitcoins. That said, connecting to the irc.lfnet.org:6667 IRC network is indicative of Bitcoin usage and not necessarily Bitcoin mining. If you think it's the latter then check your network for Bitcoin traffic (ports 8332 and 8333 by default.)

If you're a malicious hacker then maybe you want to "earn" yourself some Bitcoins. You already have a list of possible targets. Untraceable, free money awaits you.

Rogue Clients

Who else is poking around? Diving back into the source (around lines 300 - 330 this time) it's clear that the user's real name should match their nickname or username. By default the realname and nickname match, however the Bitcoin client will generate a new nickname if it's already taken. For those who are unfamiliar with IRC, the user's real name is the name provided by their IRC client (the Bitcoin client in this case) and usually does not reflect their actual name.

Unfortunately the previous method of harvesting hosts is simply too inefficient to harvest users' real names, so I dropped a simple python IRC bot in the channel to send "WHO " requests for each user that joins the channel, then write the users' real name, nickname, and host to file. The source is available here: bitmon.py

I also modified extract-hosts to reflect the changes to the host address format:

Note that this method is far more aggressive than idling and passively harvesting addresses.

Where do we go from here?

I'm still in the process of collecting data. Stay tuned for part two in which I'll expand upon the statistics by exploring some of the hosts in more detail.

Denial of Service

Interestingly, using an IRC server centralizes a decentralized network, making it susceptible to denial of service attacks. I'm lead to believe there's hard-coded nodes which are used as a fallback for peer discovery should the IRC server fail, however I haven't looked into it. I'll leave this as an exercise for the reader for now, however I may revisit this feature in the future.

A quick scan of the source code (using the "extract-ips" tool from the Jeriko Framework) reveals the following hard-coded IP addresses (false positives have been removed):

Appendix

Bitcoin

bitmon.py [Source]

Bitcoin protocol specification

Securing your wallet

Bitcoin Source