Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
See all formats and pricing
More options …

Data-plane Defenses against Routing Attacks on Tor

Henry Tan / Micah Sherr / Wenchao Zhou
Published Online: 2016-07-14 | DOI: https://doi.org/10.1515/popets-2016-0040


Tor is susceptible to traffic correlation attacks in which an adversary who observes flows entering and leaving the anonymity network can apply statistical techniques to correlate flows and de-anonymize their endpoints. While an adversary may not be naturally positioned to conduct such attacks, a recent study shows that the Internet’s control-plane can be manipulated to increase an adversary’s view of the network, and consequently, improve its ability to perform traffic correlation. This paper explores, in-depth, the effects of control-plane attacks on the security of the Tor network. Using accurate models of the live Tor network, we quantify Tor’s susceptibility to these attacks by measuring the fraction of the Tor network that is vulnerable and the advantage to the adversary of performing the attacks. We further propose defense mechanisms that protect Tor users from manipulations at the control-plane. Perhaps surprisingly, we show that by leveraging existing trust anchors in Tor, defenses deployed only in the data-plane are sufficient to detect most control-plane attacks. Our defenses do not assume the active participation of Internet Service Providers, and require only very small changes to Tor. We show that our defenses result in a more than tenfold decrease in the effectiveness of certain control-plane attacks.


  • [1] I. C. Avramopoulos and J. Rexford. Stealth Probing: Efficient Data- Plane Security for IP Routing. In USENIX Annual Technical Conference (USENIX-ATC), 2006.Google Scholar

  • [2] CAIDA UCSD IPv4 Routed /24 Topology Dataset. http://www.caida.org/data/active/ipv4_routed_24_topology_dataset.xml.Google Scholar

  • [3] D. L. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, 24(2):84-90, 1981.CrossrefGoogle Scholar

  • [4] S. P. Chung and A. K. Mok. Allergy Attack against Automatic Signature Generation. In International Symposium on Recent Advances in Intrusion Detection (RAID), 2006.Google Scholar

  • [5] CIDR Report 18 Aug 2015. http://www.cidr-report.org/as2.0/.Google Scholar

  • [6] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The Second- Generation Onion Router. In USENIX Security Symposium (USENIX), August 2004.Google Scholar

  • [7] R. Dingledine, N. Hopper, G. Kadianakis, and N. Mathewson. One Fast Guard for Life (or 9 Months). In Privacy Enhancing Technologies Symposium (PETS), 2014.Google Scholar

  • [8] K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton. Protocol Misidentification Made Easy with Format-Transforming Encryption. In ACM Conference on Computer and Communications Security (CCS), 2013.Google Scholar

  • [9] M. Edman and P. Syverson. AS-Awareness in Tor Path Selection. In ACM Conference on Computer and Communications Security (CCS), 2009.Google Scholar

  • [10] T. Elahi, K. Bauer, M. AlSabah, R. Dingledine, and I. Goldberg. Changing of the Guards: A Framework for Understanding and Improving Entry Guard Selection in Tor. In ACM Workshop on Privacy in the Electronic Society (WPES), 2012.Google Scholar

  • [11] N. Feamster and R. Dingledine. Location Diversity in Anonymity Networks. In ACM Workshop on Privacy in the Electronic Society (WPES), 2004.Google Scholar

  • [12] D. Fifield. meek. https://trac.torproject.org/projects/tor/wiki/doc/meek.Google Scholar

  • [13] P. Francis, S. Jamin, C. Jin, Y. Jin, D. Raz, Y. Shavitt, and L. Zhang. IDMaps: A Global Internet Host Distance Estimation Service. IEEE/ACM Transactions on Networking, 9(5):525-540, 2001.CrossrefGoogle Scholar

  • [14] L. Gao. On Inferring Autonomous System Relationships in the Internet. IEEE/ACM Transactions on Networking (ToN), 9(6):733-745, 2001.CrossrefGoogle Scholar

  • [15] S. Hahn and K. Loesing. Privacy-preserving Ways to Estimate the Number of Tor Users. Technical Report 2010-11-001, Tor Project, November 2010.Google Scholar

  • [16] A. Houmansadr and N. Borisov. SWIRL: A Scalable Watermark to Detect Correlated Network Flows. In Network and Distributed System Security Symposium (NDSS), 2011.Google Scholar

  • [17] A. Houmansadr, C. Brubaker, and V. Shmatikov. The Parrot is Dead: Observing Unobservable Network Communications. In IEEE Symposium on Security and Privacy (Oakland), 2013.Google Scholar

  • [18] R. Jansen and N. Hopper. Shadow: Running Tor in a Box for Accurate and Efficient Experimentation. In Network and Distributed System Security Symposium (NDSS), 2012.Google Scholar

  • [19] A. Johnson, C. Wacek, R. Jansen, M. Sherr, and P. Syverson. Users Get Routed: Traffic Correlation on Tor By Realistic Adversaries. In ACM Conference on Computer and Communications Security (CCS), November 2013.Google Scholar

  • [20] A. M. Johnson, P. Syverson, R. Dingledine, and N. Mathewson. Trust-based Anonymous Communication: Adversary Models and Routing Algorithms. In ACM Conference on Computer and Communications Security (CCS), 2011.Google Scholar

  • [21] J. Juen. Protecting Anonymity in the Presence of Autonomous System and Internet Exchange Level Adversaries. Master’s thesis, University of Illinois at Urbana-Champaign, 2012.Google Scholar

  • [22] D. Kedogan, D. Agrawal, and S. Penz. Limits of Anonymity in Open Environments. In Information Hiding Workshop (IH), 2002.Google Scholar

  • [23] S. Kent, C. Lynn, and K. Seo. Secure Border Gateway Protocol (SBGP). IEEE Journal on Selected Areas in Communications, 18(4): 582-592, April 2000.Google Scholar

  • [24] M. Lepinski. BGPSec Protocol Specification. Draft draft-ietf-sidrbgpsec- protocol-04, Internet Engineering Task Force, 2012.Google Scholar

  • [25] MaxMind’s GeoIP Database. https://dev.maxmind.com/geoip/geoip2/geolite2/.Google Scholar

  • [26] H. M. Moghaddam, B. Li, M. Derakhshani, and I. Goldberg. Skype- Morph: Protocol Obfuscation for Tor Bridges. In ACM Conference on Computer and Communications Security (CCS), 2012.Google Scholar

  • [27] S. J. Murdoch and G. Danezis. Low-Cost Traffic Analysis of Tor. In IEEE Symposium on Security and Privacy (Oakland), 2005.Google Scholar

  • [28] V. N. Padmanabhan and D. R. Simon. Secure Traceroute to Detect Faulty or Malicious Routing. ACM SIGCOMM Computer Communication Review, 33(1):77-82, 2003.Google Scholar

  • [29] H. N. Phong, A. Yasuhito, and Y. Masatoshi. Anti-RAPTOR: Anti Routing Attack on Privacy for a Securer and Scalable Tor. In IEEE International Conference on Advanced Communication Technology (ICACT), 2015.Google Scholar

  • [30] Y. Rekhter, T. Li, and S. Hares. A Border Gateway Protocol 4 (BGP-4). RFC 4271, Internet Engineering Task Force, 2006.Google Scholar

  • [31] RIPE Atlas. https://atlas.ripe.net/.Google Scholar

  • [32] Routeviews Prefix to AS mappings Dataset for IPv4 and IPv6. http://www.caida.org/data/routing/routeviews-prefix2as.xml.Google Scholar

  • [33] RouteViews Project. http://www.routeviews.org/.Google Scholar

  • [34] Snakes on a Tor Exit Scanner. https://gitweb.torproject.org/torflow.git/tree/HEAD:/NetworkScanners/ExitAuthority.Google Scholar

  • [35] Y. Sun, A. Edmundson, L. Vanbever, O. Li, J. Rexford, M. Chiang, and P. Mittal. RAPTOR: Routing Attacks on Privacy in Tor. In USENIX Security Symposium (USENIX), Aug. 2015.Google Scholar

  • [36] The CAIDA AS Relationships Dataset, <2014-06-01>. http://www.caida.org/data/as-relationships/.Google Scholar

  • [37] Tor Flow. https://gitweb.torproject.org/torflow.git/.Google Scholar

  • [38] Tor Project, Inc. Tor Metrics Portal. https://metrics.torproject.org/.Google Scholar

  • [39] C. Wacek, H. Tan, K. Bauer, and M. Sherr. An Empirical Evaluation of Relay Selection in Tor. In Network and Distributed System Security Symposium (NDSS), February 2013.Google Scholar

  • [40] T. Wan, E. Kranakis, and P. C. van Oorschot. Pretty Secure BGP, psBGP. In Network and Distributed System Security Symposium (NDSS), 2005.Google Scholar

  • [41] Z. Weinberg, J. Wang, V. Yegneswaran, L. Briesemeister, S. Cheung, F. Wang, and D. Boneh. StegoTorus: A Camouflage Proxy for the Tor Anonymity System. In ACM Conference on Computer and Communications Security (CCS), 2012.Google Scholar

  • [42] R. White. Architecture and Deployment Considerations for Secure Origin BGP (soBGP). Draft draft-white-sobgp-architecture-02, Internet Engineering Task Force, 2006.Google Scholar

  • [43] H. Yu, J. Rexford, and E. Felten. A Distributed Reputation Approach to Cooperative Internet Routing Protection. In Workshop on Secure Network Protocols (NPSec), 2005.Google Scholar

  • [44] J. Zhang, J. Rexford, and J. Feigenbaum. Learning-based Anomaly Detection in BGP Updates. In ACM SIGCOMM Workshop on Mining Metwork Data, 2005.Google Scholar

  • [45] Z. Zhang, Y. Zhang, Y. C. Hu, and Z. M. Mao. Practical Defenses Against BGP Prefix Hijacking. In ACM International Conference on Emerging Networking EXperiments and Technologies (CoNEXT), 2007.Google Scholar

  • [46] C. Zheng, L. Ji, D. Pei, J. Wang, and P. Francis. A Light-weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-time. In Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), 2007.Google Scholar

About the article

Received: 2016-02-29

Revised: 2016-06-02

Accepted: 2016-06-02

Published Online: 2016-07-14

Published in Print: 2016-10-01

Citation Information: Proceedings on Privacy Enhancing Technologies, Volume 2016, Issue 4, Pages 276–293, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2016-0040.

Export Citation

© 2016. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. BY-NC-ND 4.0

Comments (0)

Please log in or register to comment.
Log in