Bitcoin Forum
Author Topic: BitSniff - detecting bitcoin traffic behind encryption  (Read 170 times)
79jke (OP)
Newbie
Activity: 3
Merit: 3
October 10, 2019, 07:29:01 PM
Merited by DaveF (1), stompix (1), DdmrDdmr (1)
#1

On September 5th-6th, during the Bitcoin emBassy Hackathon in Tel Aviv, my friend and I developed BitSniff - a tool for detecting Bitcoin-related communications in encrypted traffic. We got 2nd place with it. Today we released an updated and more stable version, as well as a write-up focused on motivation and methodology.

The write-up:
https://79jke.github.io/BitSniff/

Interactive demo:
https://m417z.com/bitsniff/

Clone our repository to use it yourself:
https://github.com/m417z/bitsniff

TLDR: statistical analysis of traffic shape most likely allows ISPs/governments to detect Bitcoin nodes even behind any communications encryption; it may be applied to historical data, and several hours of traffic are enough.
DaveF
Legendary
Activity: 3472
Merit: 6269
October 10, 2019, 08:42:41 PM
#2

Not sure if this should be discussed here or in the Development & Technical Discussion board or some other board.

According to your write-up, the blips when a block is found are somewhat of a giveaway to the fact that you are running a node. You also state that generating enough other traffic will shield you.

Now assuming you didn't throw a flag when doing your initial 200+ GB sync, do you feel normal BitTorrent traffic would be enough to shield you?

-Dave

79jke (OP)
Newbie
Activity: 3
Merit: 3
October 10, 2019, 09:21:27 PM
#3

As long as both upstream and downstream are constantly shielded by some high-frequency, high-volume communications, yeah, probably, or at least the amount of recorded traffic needed for detection by this technique will be north of multiple days.
But any holes in that shielding reduce the effectiveness by quite a lot, so running BitTorrent "most of the time" the node is up is not enough - it has to be "all the time".
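The fingerprint described in the opening post (a burst on the link every time a block propagates) and the shielding question discussed in this reply, as an added illustration that is not part of the thread and is not the BitSniff code. A node operator can run something like this against their own per-second byte counts to see how much the block schedule shows through. Everything here is constructed: the block times are a synthetic Poisson process, the spike size, window lengths and cover-traffic figures are assumptions, and the score is a simple local z-score aggregate rather than BitSniff's statistic.

```python
"""
Added illustration (not the BitSniff code): how an encrypted link still shows
block-propagation bursts, and how constant cover traffic changes the picture.
All traffic and block times below are constructed synthetic data.
"""
import math
import random
from statistics import mean, pstdev

SECONDS = 6 * 3600        # six hours of per-second byte counts
BLOCK_BYTES = 1_500_000   # assumed: one block plus relay overhead, spread over SPIKE_LEN seconds
SPIKE_LEN = 3
WINDOW = 5                # seconds examined after each public block timestamp
BACKGROUND = 120          # seconds of preceding traffic used as the local baseline


def constructed_block_times(seed=1, mean_gap=600.0, start=600):
    """Synthetic block arrival times: Poisson process with a 10-minute mean (constructed)."""
    rng = random.Random(seed)
    times, t = [], float(start)
    while True:
        t += rng.expovariate(1.0 / mean_gap)
        if t >= SECONDS - WINDOW:
            return times
        times.append(int(t))


def constructed_traffic(block_times, cover=None, cover_gap=None, seed=2):
    """Per-second byte counts of a node's link (constructed).

    cover: (mean, sd) of constant cover traffic such as a seeding torrent; None = node alone.
    cover_gap: (start, end) seconds during which the cover traffic is switched off.
    """
    rng = random.Random(seed)
    series = [max(0.0, rng.gauss(3_000, 1_500)) for _ in range(SECONDS)]  # idle node chatter
    if cover:
        m, sd = cover
        for i in range(SECONDS):
            if cover_gap and cover_gap[0] <= i < cover_gap[1]:
                continue
            series[i] += max(0.0, rng.gauss(m, sd))
    for t in block_times:  # block arrival plus relay burst, the "spike" from the write-up
        for k in range(SPIKE_LEN):
            series[t + k] += BLOCK_BYTES / SPIKE_LEN
    return series


def local_z(series, t):
    """How unusual is traffic in [t, t+WINDOW) relative to the preceding BACKGROUND seconds?"""
    bg = series[max(0, t - BACKGROUND):t]
    win = series[t:t + WINDOW]
    sd = pstdev(bg) or 1.0
    return (mean(win) - mean(bg)) / (sd / math.sqrt(WINDOW))


def block_fingerprint_score(series, block_times):
    """Aggregate evidence that the link reacts to every public block timestamp.

    Each block contributes a local z-score; summing and dividing by sqrt(n) gives a
    statistic that stays near 0 for an uncorrelated link and grows with the number
    of observed blocks when the bursts are real.
    """
    zs = [local_z(series, t) for t in block_times]
    return sum(zs) / math.sqrt(len(zs))


def demo():
    """Three scenarios from the thread: bare node, constant cover, cover with a hole."""
    blocks = constructed_block_times()
    bare = constructed_traffic(blocks)
    covered = constructed_traffic(blocks, cover=(2_500_000, 1_000_000))
    leaky = constructed_traffic(blocks, cover=(2_500_000, 1_000_000),
                                cover_gap=(SECONDS - 4_320, SECONDS))  # cover off for the last 20%
    return {
        "node_alone": block_fingerprint_score(bare, blocks),
        "constant_cover": block_fingerprint_score(covered, blocks),
        "cover_with_gap": block_fingerprint_score(leaky, blocks),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:>16}: {score:8.1f}")
```

With the bare node the score is in the hundreds after six hours; constant noisy cover traffic of the assumed size pulls it down by orders of magnitude, and switching that cover off for the last fifth of the capture brings most of the signal straight back, which is the "holes in the shielding" point made above. Replacing the constructed series with a real per-second byte count from the node's own interface and the constructed block times with public block timestamps turns it into a self-check.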
stompix
Legendary
Activity: 2884
Merit: 6316
October 11, 2019, 08:42:08 AM
Merited by DdmrDdmr (1)
#4

Quote
Every time you use software that interacts with a Bitcoin network, and especially a Bitcoin node, you leave a sticky fingerprint in your traffic. It comes in the form of a small, but unavoidable spike in volume every time a new block is mined and the nodes start gossiping about it.

Spike?
I leave my uTorrent always on, I have a 20 Mbit upload speed, that's enough to send 3 blocks per second.
Block timestamps are also quite random, you will need days of monitoring if somebody else is using the connection for browsing things and is turning the node offline when he sleeps.

Quote
The blocks in Bitcoin are quite big, and the propagation speed is critical for consensus (greater delay means more frequent accidental forks), so such effect is predictable, and, in a sense, inherent to the Bitcoin architecture.

Same as above.

Now, since you mentioned ISPs would be using this to detect bitcoin traffic.
Wouldn't they fare much better by running multiple clients and comparing the IP logs?
I mean, what's the chance of a user having a Skype conversation with 20 people running a node?   Grin
Just asking!

LE:
And yeah, move it to a more suitable board, it will get drowned in a sea of useless topics here.

79jke (OP)
Newbie
Activity: 3
Merit: 3
October 11, 2019, 09:28:03 AM
#5

Quote
Every time you use software that interacts with a Bitcoin network, and especially a Bitcoin node, you leave a sticky fingerprint in your traffic. It comes in the form of a small, but unavoidable spike in volume every time a new block is mined and the nodes start gossiping about it.

Spike?
I leave my uTorrent always on, I have a 20 Mbit upload speed, that's enough to send 3 blocks per second.
Block timestamps are also quite random, you will need days of monitoring if somebody else is using the connection for browsing things and is turning the node offline when he sleeps.

Quote
The blocks in Bitcoin are quite big, and the propagation speed is critical for consensus (greater delay means more frequent accidental forks), so such effect is predictable, and, in a sense, inherent to the Bitcoin architecture.

Same as above.

Now, since you mentioned ISPs would be using this to detect bitcoin traffic.
Wouldn't they fare much better by running multiple clients and comparing the IP logs?
I mean, what's the chance of a user having a Skype conversation with 20 people running a node?   Grin
Just asking!

LE:
And yeah, move it to a more suitable board, it will get drowned in a sea of useless topics here.

Multiple days of monitoring is not an unreasonable assumption about an ISP, and having 20 Mbit upload speed is not always a reasonable assumption about a Bitcoin node. Many nodes are dedicated machines, and probably the percentage will go up with Casa Nodes, BTCPay servers and so on. Many nodes run on low bandwidth, many among them in countries that may not particularly like Bitcoin.
Regardless, the message here is that encryption alone isn't enough if you are very concerned about your node's privacy. Running over Tor / VPN should also answer your second question regarding IP logs - that wouldn't work.
stompix
Legendary
Activity: 2884
Merit: 6316
October 11, 2019, 12:54:00 PM
#6

Quote
Multiple days of monitoring is not an unreasonable assumption about an ISP, and having 20 Mbit upload speed is not always a reasonable assumption about a Bitcoin node.

15-25 Mbit is the average upload speed for low-medium packages around Western Europe and Central Europe.

Quote
Many nodes are dedicated machines, and probably the percentage will go up with Casa Nodes, BTCPay servers and so on. Many nodes run on low bandwidth, many among them in countries that may not particularly like Bitcoin.

Again, allow me to disagree.

Quote
GLOBAL NODES DISTRIBUTION
9420 nodes as of Fri Oct 11 2019
1. United States (2394)
2. Germany (1897)
3. France (622)
4. Netherlands (490)
5. Singapore (339)
6. United Kingdom (318)
7. Canada (317)
8. China (316)
9. Russian Federation (237)
10. Japan (196)

Also, I'm willing to bet ISPs or governments will wage a war on Tor and VPN services before tackling bitcoin nodes.
And even so, we could still resort to running nodes from McDonald's  Grin Grin Grin

Anyhow, I understand what you're trying to prove, the fact is that I disagree with the methods ISPs might try to trace us to start a blockade and the fact that there will ever be a war. And that's why we're on a discussion forum, right?


