On September 5th-6th, during the Bitcoin emBassy Hackathon, Michael Maltsev and I developed BitSniff - a tool for detecting Bitcoin-related communications in encrypted traffic. Today we release an updated and more stable version of it. You can check the interactive demo or clone the GitHub repository to use it yourself.
The following is the project write-up, focused on motivation and methodology.
Pretty obvious traffic analysis. But always nice to see someone do the work to make it real.
Need more mixnet/onion schemes with high latency cover traffic to defeat traffic analysis. Not a hard problem to solve at all; just needs to be done by someone. https://t.co/MUuixLhhhQ
Interesting article covering their methodology. Obviously port 8333 is a dead giveaway, but hiding traffic over a VPN or Tor is no longer sufficient due to the statistical nature of how blocks are handled.
It's actually pretty clever. They look and see if encrypted network traffic spikes around the same time as new blocks being found. If there are frequent spikes around the time blocks are found, it probably means the encrypted traffic is going to a bitcoin node.
But you could defeat this really easily. Just create random similar spikes in traffic between blocks? I mean it would be enough just to run multiple nodes for a few different cryptos on the same connection
That wouldn't affect a correlation z-score in any significant way, that's one of the reasons correlation is not sufficient, but z-score is. You need orders of magnitude more volume, and with high frequency, to effectively mask the communications. Then it pushes the detection horizon by quite a bit - but it's not free to do.
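The check the two comments above describe (does the encrypted traffic spike right after each new block, and is that spike statistically significant?), as an added example that is not BitSniff's own code or the authors' method. Everything here is constructed: block arrivals are modelled as a Poisson process with a 600 s mean, the "node" series gets a fixed byte burst in the seconds after each block, and unrelated random bursts are added to both series to stand in for the "random similar spikes" countermeasure. The detector takes the median traffic volume in a short window after each block and turns it into a z-score against the same statistic computed for randomly placed windows, so a handful of unrelated bursts barely moves it.

```python
"""Block-correlated traffic detection: z-score of post-block traffic volume.

Added example with constructed data; not BitSniff's code. Assumptions:
Poisson block arrivals (mean 600 s), per-second byte counts, a fixed
burst after each block for a node, and random unrelated bursts otherwise.
"""
import random
import statistics

SECONDS = 4 * 3600   # four hours of per-second byte counts (write-up: "several hours")
WINDOW = 10          # seconds after a block in which block download/relay is expected


def make_block_times(rng):
    """Constructed block timestamps: exponential inter-arrival with mean 600 s."""
    t, times = 0.0, []
    while True:
        t += rng.expovariate(1 / 600)
        if t >= SECONDS - WINDOW:
            return times
        times.append(int(t))


def make_traffic(rng, block_times, is_node, spike_bytes=1_500_000, bursts=40):
    """Constructed encrypted-traffic series (bytes/s) seen by an ISP.

    Background: ~50 KB/s of noise. Both the node and the non-node case get
    random unrelated bursts (web browsing, other daemons); only the node
    case gets a burst in the WINDOW seconds after every block.
    """
    series = [max(0, int(rng.gauss(50_000, 15_000))) for _ in range(SECONDS)]
    for _ in range(bursts):
        start = rng.randrange(SECONDS - WINDOW)
        for i in range(WINDOW):
            series[start + i] += rng.randrange(100_000, 400_000)
    if is_node:
        for t in block_times:
            for i in range(WINDOW):
                series[t + i] += spike_bytes // WINDOW
    return series


def window_sum(series, start):
    """Bytes transferred in the WINDOW seconds starting at `start`."""
    return sum(series[start:start + WINDOW])


def block_zscore(series, block_times, rng, samples=2000):
    """z-score of the post-block traffic statistic against random windows.

    The statistic is the median window sum over all block times (median,
    not mean, so a few unrelated bursts that happen to land on a block do
    not dominate). The null distribution is the same statistic computed
    for `samples` random placements of the same number of windows.
    """
    k = len(block_times)
    observed = statistics.median(window_sum(series, t) for t in block_times)
    null = []
    for _ in range(samples):
        starts = [rng.randrange(len(series) - WINDOW) for _ in range(k)]
        null.append(statistics.median(window_sum(series, s) for s in starts))
    mu, sd = statistics.mean(null), statistics.pstdev(null)
    return (observed - mu) / sd


def demo(seed=7):
    """Return (z for a node behind a VPN, z for an unrelated encrypted link)."""
    rng = random.Random(seed)
    blocks = make_block_times(rng)
    node = make_traffic(random.Random(seed + 1), blocks, is_node=True)
    other = make_traffic(random.Random(seed + 2), blocks, is_node=False)
    z_node = block_zscore(node, blocks, random.Random(seed + 3))
    z_other = block_zscore(other, blocks, random.Random(seed + 4))
    return z_node, z_other


if __name__ == "__main__":
    z_node, z_other = demo()
    print(f"node behind VPN:   z = {z_node:6.1f}")
    print(f"unrelated traffic: z = {z_other:6.1f}")
```

Only the block times and the traffic volume per second are needed, which is why the check works on historical NetFlow-style data and does not care what the encryption is. Runs stand-alone with `python3 bitsniff_zscore.py` (file name is an assumption); the node series scores far above any sensible threshold, the unrelated series stays within a few sigma, and raising the number of random bursts shows how much cover traffic it takes before the median-based score starts to degrade.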
On September 5th-6th, during the Bitcoin emBassy Hackathon in Tel Aviv, my friend and I developed BitSniff - a tool for detecting Bitcoin-related communications in encrypted traffic. We got 2nd place with it. Today we released an updated and more stable version, as well as a write-up focused on motivation and methodology.
TL;DR: statistical analysis of traffic shape most likely allows ISPs/governments to detect Bitcoin nodes even behind whatever communications encryption is used; it may be applied to historical data, and several hours of traffic are enough.
You seemed to discount VPNs due to your time series, but this is a very limited view of what VPNs are capable of.
1. With traffic shaping, blocks could be allowed to trickle keeping bitcoind just a couple hours behind.
2. bitcoind can be set to listen on vpn interface only without upstream route, allowing only connections to a mirrored daemon on other side. This would allow manual control of sync when necessary.
Lastly, you guys should make mention of the blockstream satellite, which was basically created to solve this sort of problem.
Hey, co-author here.
1. We don't consider keeping a node behind to be a solution as it's not general - it both defeats most use cases for having a node in the first place, and is very unhealthy for the network.
2. Kinda complicated setup, not sure what the traffic shape and limitations are, so can't comment.
3. You're totally right, Blockstream Satellite fixes this. It's definitely not for everyone, but I'll add it to the write-up, thanks.