Tor is susceptible to traffic correlation attacks in which an adversary who observes flows entering and leaving the anonymity network can apply statistical techniques to correlate flows and de-anonymize their endpoints. While an adversary may not be naturally positioned to conduct such attacks, a recent study shows that the Internet’s control-plane can be manipulated to increase an adversary’s view of the network, and consequently, improve its ability to perform traffic correlation. This paper explores, in-depth, the effects of control-plane attacks on the security of the Tor network. Using accurate models of the live Tor network, we quantify Tor’s susceptibility to these attacks by measuring the fraction of the Tor network that is vulnerable and the advantage to the adversary of performing the attacks. We further propose defense mechanisms that protect Tor users from manipulations at the control-plane. Perhaps surprisingly, we show that by leveraging existing trust anchors in Tor, defenses deployed only in the data-plane are sufficient to detect most control-plane attacks. Our defenses do not assume the active participation of Internet Service Providers, and require only very small changes to Tor. We show that our defenses result in a more than tenfold decrease in the effectiveness of certain control-plane attacks.
If the inline PDF is not rendering correctly, you can download the PDF file here.
 I. C. Avramopoulos and J. Rexford. Stealth Probing: Efficient Data- Plane Security for IP Routing. In USENIX Annual Technical Conference (USENIX-ATC) 2006.
 D. L. Chaum. Untraceable Electronic Mail Return Addresses and Digital Pseudonyms. Communications of the ACM 24(2):84-90 1981.
 S. P. Chung and A. K. Mok. Allergy Attack against Automatic Signature Generation. In International Symposium on Recent Advances in Intrusion Detection (RAID) 2006.
 CIDR Report 18 Aug 2015. http://www.cidr-report.org/as2.0/.
 R. Dingledine N. Mathewson and P. Syverson. Tor: The Second- Generation Onion Router. In USENIX Security Symposium (USENIX) August 2004.
 R. Dingledine N. Hopper G. Kadianakis and N. Mathewson. One Fast Guard for Life (or 9 Months). In Privacy Enhancing Technologies Symposium (PETS) 2014.
 K. P. Dyer S. E. Coull T. Ristenpart and T. Shrimpton. Protocol Misidentification Made Easy with Format-Transforming Encryption. In ACM Conference on Computer and Communications Security (CCS) 2013.
 M. Edman and P. Syverson. AS-Awareness in Tor Path Selection. In ACM Conference on Computer and Communications Security (CCS) 2009.
 T. Elahi K. Bauer M. AlSabah R. Dingledine and I. Goldberg. Changing of the Guards: A Framework for Understanding and Improving Entry Guard Selection in Tor. In ACM Workshop on Privacy in the Electronic Society (WPES) 2012.
 N. Feamster and R. Dingledine. Location Diversity in Anonymity Networks. In ACM Workshop on Privacy in the Electronic Society (WPES) 2004.
 D. Fifield. meek. https://trac.torproject.org/projects/tor/wiki/doc/meek.
 P. Francis S. Jamin C. Jin Y. Jin D. Raz Y. Shavitt and L. Zhang. IDMaps: A Global Internet Host Distance Estimation Service. IEEE/ACM Transactions on Networking 9(5):525-540 2001.
 L. Gao. On Inferring Autonomous System Relationships in the Internet. IEEE/ACM Transactions on Networking (ToN) 9(6):733-745 2001.
 S. Hahn and K. Loesing. Privacy-preserving Ways to Estimate the Number of Tor Users. Technical Report 2010-11-001 Tor Project November 2010.
 A. Houmansadr and N. Borisov. SWIRL: A Scalable Watermark to Detect Correlated Network Flows. In Network and Distributed System Security Symposium (NDSS) 2011.
 A. Houmansadr C. Brubaker and V. Shmatikov. The Parrot is Dead: Observing Unobservable Network Communications. In IEEE Symposium on Security and Privacy (Oakland) 2013.
 R. Jansen and N. Hopper. Shadow: Running Tor in a Box for Accurate and Efficient Experimentation. In Network and Distributed System Security Symposium (NDSS) 2012.
 A. Johnson C. Wacek R. Jansen M. Sherr and P. Syverson. Users Get Routed: Traffic Correlation on Tor By Realistic Adversaries. In ACM Conference on Computer and Communications Security (CCS) November 2013.
 A. M. Johnson P. Syverson R. Dingledine and N. Mathewson. Trust-based Anonymous Communication: Adversary Models and Routing Algorithms. In ACM Conference on Computer and Communications Security (CCS) 2011.
 J. Juen. Protecting Anonymity in the Presence of Autonomous System and Internet Exchange Level Adversaries. Master’s thesis University of Illinois at Urbana-Champaign 2012.
 D. Kedogan D. Agrawal and S. Penz. Limits of Anonymity in Open Environments. In Information Hiding Workshop (IH) 2002.
 S. Kent C. Lynn and K. Seo. Secure Border Gateway Protocol (SBGP). IEEE Journal on Selected Areas in Communications 18(4): 582-592 April 2000.
 M. Lepinski. BGPSec Protocol Specification. Draft draft-ietf-sidrbgpsec- protocol-04 Internet Engineering Task Force 2012.
 H. M. Moghaddam B. Li M. Derakhshani and I. Goldberg. Skype- Morph: Protocol Obfuscation for Tor Bridges. In ACM Conference on Computer and Communications Security (CCS) 2012.
 S. J. Murdoch and G. Danezis. Low-Cost Traffic Analysis of Tor. In IEEE Symposium on Security and Privacy (Oakland) 2005.
 V. N. Padmanabhan and D. R. Simon. Secure Traceroute to Detect Faulty or Malicious Routing. ACM SIGCOMM Computer Communication Review 33(1):77-82 2003.
 H. N. Phong A. Yasuhito and Y. Masatoshi. Anti-RAPTOR: Anti Routing Attack on Privacy for a Securer and Scalable Tor. In IEEE International Conference on Advanced Communication Technology (ICACT) 2015.
 Y. Rekhter T. Li and S. Hares. A Border Gateway Protocol 4 (BGP-4). RFC 4271 Internet Engineering Task Force 2006.
 RIPE Atlas. https://atlas.ripe.net/.
 Routeviews Prefix to AS mappings Dataset for IPv4 and IPv6. http://www.caida.org/data/routing/routeviews-prefix2as.xml.
 Snakes on a Tor Exit Scanner. https://gitweb.torproject.org/torflow.git/tree/HEAD:/NetworkScanners/ExitAuthority.
 Y. Sun A. Edmundson L. Vanbever O. Li J. Rexford M. Chiang and P. Mittal. RAPTOR: Routing Attacks on Privacy in Tor. In USENIX Security Symposium (USENIX) Aug. 2015.
 The CAIDA AS Relationships Dataset <2014-06-01>. http://www.caida.org/data/as-relationships/.
 Tor Flow. https://gitweb.torproject.org/torflow.git/.
 Tor Project Inc. Tor Metrics Portal. https://metrics.torproject.org/.
 C. Wacek H. Tan K. Bauer and M. Sherr. An Empirical Evaluation of Relay Selection in Tor. In Network and Distributed System Security Symposium (NDSS) February 2013.
 T. Wan E. Kranakis and P. C. van Oorschot. Pretty Secure BGP psBGP. In Network and Distributed System Security Symposium (NDSS) 2005.
 Z. Weinberg J. Wang V. Yegneswaran L. Briesemeister S. Cheung F. Wang and D. Boneh. StegoTorus: A Camouflage Proxy for the Tor Anonymity System. In ACM Conference on Computer and Communications Security (CCS) 2012.
 R. White. Architecture and Deployment Considerations for Secure Origin BGP (soBGP). Draft draft-white-sobgp-architecture-02 Internet Engineering Task Force 2006.
 H. Yu J. Rexford and E. Felten. A Distributed Reputation Approach to Cooperative Internet Routing Protection. In Workshop on Secure Network Protocols (NPSec) 2005.
 J. Zhang J. Rexford and J. Feigenbaum. Learning-based Anomaly Detection in BGP Updates. In ACM SIGCOMM Workshop on Mining Metwork Data 2005.
 Z. Zhang Y. Zhang Y. C. Hu and Z. M. Mao. Practical Defenses Against BGP Prefix Hijacking. In ACM International Conference on Emerging Networking EXperiments and Technologies (CoNEXT) 2007.
 C. Zheng L. Ji D. Pei J. Wang and P. Francis. A Light-weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-time. In Conference on Applications Technologies Architectures and Protocols for Computer Communications (SIGCOMM) 2007.