Tor is susceptible to traffic correlation attacks in which an adversary who observes flows entering and leaving the anonymity network can apply statistical techniques to correlate flows and de-anonymize their endpoints. While an adversary may not be naturally positioned to conduct such attacks, a recent study shows that the Internet’s control-plane can be manipulated to increase an adversary’s view of the network, and consequently, improve its ability to perform traffic correlation. This paper explores, in-depth, the effects of control-plane attacks on the security of the Tor network. Using accurate models of the live Tor network, we quantify Tor’s susceptibility to these attacks by measuring the fraction of the Tor network that is vulnerable and the advantage to the adversary of performing the attacks. We further propose defense mechanisms that protect Tor users from manipulations at the control-plane. Perhaps surprisingly, we show that by leveraging existing trust anchors in Tor, defenses deployed only in the data-plane are sufficient to detect most control-plane attacks. Our defenses do not assume the active participation of Internet Service Providers, and require only very small changes to Tor. We show that our defenses result in a more than tenfold decrease in the effectiveness of certain control-plane attacks.
 I. C. Avramopoulos and J. Rexford. Stealth Probing: Efficient Data- Plane Security for IP Routing. In USENIX Annual Technical Conference (USENIX-ATC), 2006.
 D. L. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, 24(2):84-90, 1981.
 S. P. Chung and A. K. Mok. Allergy Attack against Automatic Signature Generation. In International Symposium on Recent Advances in Intrusion Detection (RAID), 2006.
 CIDR Report 18 Aug 2015. http://www.cidr-report.org/as2.0/.
 R. Dingledine, N. Mathewson, and P. Syverson. Tor: The Second- Generation Onion Router. In USENIX Security Symposium (USENIX), August 2004.
 R. Dingledine, N. Hopper, G. Kadianakis, and N. Mathewson. One Fast Guard for Life (or 9 Months). In Privacy Enhancing Technologies Symposium (PETS), 2014.
 K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton. Protocol Misidentification Made Easy with Format-Transforming Encryption. In ACM Conference on Computer and Communications Security (CCS), 2013.
 M. Edman and P. Syverson. AS-Awareness in Tor Path Selection. In ACM Conference on Computer and Communications Security (CCS), 2009.
 T. Elahi, K. Bauer, M. AlSabah, R. Dingledine, and I. Goldberg. Changing of the Guards: A Framework for Understanding and Improving Entry Guard Selection in Tor. In ACM Workshop on Privacy in the Electronic Society (WPES), 2012.
 N. Feamster and R. Dingledine. Location Diversity in Anonymity Networks. In ACM Workshop on Privacy in the Electronic Society (WPES), 2004.
 D. Fifield. meek. https://trac.torproject.org/projects/tor/wiki/doc/meek.
 P. Francis, S. Jamin, C. Jin, Y. Jin, D. Raz, Y. Shavitt, and L. Zhang. IDMaps: A Global Internet Host Distance Estimation Service. IEEE/ACM Transactions on Networking, 9(5):525-540, 2001.
 L. Gao. On Inferring Autonomous System Relationships in the Internet. IEEE/ACM Transactions on Networking (ToN), 9(6):733-745, 2001.
 S. Hahn and K. Loesing. Privacy-preserving Ways to Estimate the Number of Tor Users. Technical Report 2010-11-001, Tor Project, November 2010.
 A. Houmansadr and N. Borisov. SWIRL: A Scalable Watermark to Detect Correlated Network Flows. In Network and Distributed System Security Symposium (NDSS), 2011.
 A. Houmansadr, C. Brubaker, and V. Shmatikov. The Parrot is Dead: Observing Unobservable Network Communications. In IEEE Symposium on Security and Privacy (Oakland), 2013.
 R. Jansen and N. Hopper. Shadow: Running Tor in a Box for Accurate and Efficient Experimentation. In Network and Distributed System Security Symposium (NDSS), 2012.
 A. Johnson, C. Wacek, R. Jansen, M. Sherr, and P. Syverson. Users Get Routed: Traffic Correlation on Tor By Realistic Adversaries. In ACM Conference on Computer and Communications Security (CCS), November 2013.
 A. M. Johnson, P. Syverson, R. Dingledine, and N. Mathewson. Trust-based Anonymous Communication: Adversary Models and Routing Algorithms. In ACM Conference on Computer and Communications Security (CCS), 2011.
 J. Juen. Protecting Anonymity in the Presence of Autonomous System and Internet Exchange Level Adversaries. Master’s thesis, University of Illinois at Urbana-Champaign, 2012.
 D. Kedogan, D. Agrawal, and S. Penz. Limits of Anonymity in Open Environments. In Information Hiding Workshop (IH), 2002.
 S. Kent, C. Lynn, and K. Seo. Secure Border Gateway Protocol (SBGP). IEEE Journal on Selected Areas in Communications, 18(4): 582-592, April 2000.
 M. Lepinski. BGPSec Protocol Specification. Draft draft-ietf-sidrbgpsec- protocol-04, Internet Engineering Task Force, 2012.
 H. M. Moghaddam, B. Li, M. Derakhshani, and I. Goldberg. Skype- Morph: Protocol Obfuscation for Tor Bridges. In ACM Conference on Computer and Communications Security (CCS), 2012.
 S. J. Murdoch and G. Danezis. Low-Cost Traffic Analysis of Tor. In IEEE Symposium on Security and Privacy (Oakland), 2005.
 V. N. Padmanabhan and D. R. Simon. Secure Traceroute to Detect Faulty or Malicious Routing. ACM SIGCOMM Computer Communication Review, 33(1):77-82, 2003.
 H. N. Phong, A. Yasuhito, and Y. Masatoshi. Anti-RAPTOR: Anti Routing Attack on Privacy for a Securer and Scalable Tor. In IEEE International Conference on Advanced Communication Technology (ICACT), 2015.
 Y. Rekhter, T. Li, and S. Hares. A Border Gateway Protocol 4 (BGP-4). RFC 4271, Internet Engineering Task Force, 2006.
 RIPE Atlas. https://atlas.ripe.net/.
 Routeviews Prefix to AS mappings Dataset for IPv4 and IPv6. http://www.caida.org/data/routing/routeviews-prefix2as.xml.
 Snakes on a Tor Exit Scanner. https://gitweb.torproject.org/torflow.git/tree/HEAD:/NetworkScanners/ExitAuthority.
 Y. Sun, A. Edmundson, L. Vanbever, O. Li, J. Rexford, M. Chiang, and P. Mittal. RAPTOR: Routing Attacks on Privacy in Tor. In USENIX Security Symposium (USENIX), Aug. 2015.
 The CAIDA AS Relationships Dataset, <2014-06-01>. http://www.caida.org/data/as-relationships/.
 Tor Flow. https://gitweb.torproject.org/torflow.git/.
 Tor Project, Inc. Tor Metrics Portal. https://metrics.torproject.org/.
 C. Wacek, H. Tan, K. Bauer, and M. Sherr. An Empirical Evaluation of Relay Selection in Tor. In Network and Distributed System Security Symposium (NDSS), February 2013.
 T. Wan, E. Kranakis, and P. C. van Oorschot. Pretty Secure BGP, psBGP. In Network and Distributed System Security Symposium (NDSS), 2005.
 Z. Weinberg, J. Wang, V. Yegneswaran, L. Briesemeister, S. Cheung, F. Wang, and D. Boneh. StegoTorus: A Camouflage Proxy for the Tor Anonymity System. In ACM Conference on Computer and Communications Security (CCS), 2012.
 R. White. Architecture and Deployment Considerations for Secure Origin BGP (soBGP). Draft draft-white-sobgp-architecture-02, Internet Engineering Task Force, 2006.
 H. Yu, J. Rexford, and E. Felten. A Distributed Reputation Approach to Cooperative Internet Routing Protection. In Workshop on Secure Network Protocols (NPSec), 2005.
 J. Zhang, J. Rexford, and J. Feigenbaum. Learning-based Anomaly Detection in BGP Updates. In ACM SIGCOMM Workshop on Mining Metwork Data, 2005.
 Z. Zhang, Y. Zhang, Y. C. Hu, and Z. M. Mao. Practical Defenses Against BGP Prefix Hijacking. In ACM International Conference on Emerging Networking EXperiments and Technologies (CoNEXT), 2007.
 C. Zheng, L. Ji, D. Pei, J. Wang, and P. Francis. A Light-weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-time. In Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), 2007.