Department of Computer Science University of Colorado Boulder

Low-Resource Routing Attacks Against Anonymous Systems FAQ


February 2007

Kevin Bauer, Damon McCoy, Dirk Grunwald and Douglas Sicker
University of Colorado Boulder

Tadayoshi Kohno
University of Washington

Since the appearance of our paper, Low-Resource Routing Attacks Against Anonymous Systems, on Slashdot, we have received several questions from concerned Tor users regarding our findings. In this work, our primary goal is not to "break" any aspect of Tor, but rather to explore solutions to the well-known problem of making routing decisions based upon unverified and potentially false information. Our hope is that Tor can be improved through this work. In this FAQ, we hope to clarify the implications of our research for the Tor community.

Frequently Asked Questions (FAQs)

Q0. Most importantly, does this attack mean that we should stop using Tor?

A0. ABSOLUTELY NOT! Despite our findings, Tor is the most secure and usable privacy-enhancing system available. We believe that the system is safe for end-users; however, the system is experimental and the developers make no guarantees about the degree of privacy that it can provide. Let us reiterate: Concerned users should NOT stop using Tor.

In the short term, the maintainers of the Tor directory servers can monitor the router list to ensure that there are no anomalous advertisements, and blacklist any suspicious routers. In our paper, we point out several counter-measures that significantly reduce the attack's effectiveness by increasing the resources required by an attacker to mount the attack.

Q1. What is Tor?

A1. Tor is the second-generation design of the onion routing research project originally funded by the Office of Naval Research (ONR). The Tor project's main goal is to develop a network that protects the privacy of TCP connections. In addition, Tor aims to provide end-user anonymity under constraints such as low latency, deployability, usability, flexibility, and simple design.

Q2. How does Tor work?

A2. Tor works by tunneling end-user traffic through a series of intermediate servers, called "Tor routers." To a passive adversary, it is very difficult to determine from where the traffic exiting the network originated. The designers of Tor provide a good overview.

Q3. How does this attack work?

A3. The basic premise behind our attack is the following: when Tor clients choose their path (called a "circuit") through the network, the system attempts to provide high performance by choosing, with higher probability, Tor routers that advertise high-bandwidth capabilities and that have been in the network for a long time. To compound things, the protocol does not verify any claim made by the onion routers. Our attack works by sending false resource advertisements into the network. This causes our "malicious" servers to be chosen as part of a large number of paths through Tor. Furthermore, when two of our servers sit at the beginning and end of a path through the network, our attack performs "end-to-end traffic analysis" by correlating the timing of the messages at each endpoint. Using this technique, it is possible to determine the sender and receiver of a message that uses such a path.

The key contribution of this work is the following: While the Tor developers realized that analytical models often fail to reflect the full complexities of a real deployment, we are the first to experimentally analyze and push the limits of the practical implications of Tor's heterogeneous architecture on its anonymity.

To evaluate this attack, we deployed an isolated Tor network on the PlanetLab testbed. We introduced low-resource malicious servers that falsely gave the illusion of high-performance servers, which allowed them to be included on a disproportionately high number of paths. To sample our results, in a PlanetLab experiment with 60 honest nodes and 6 malicious servers falsely claiming to have high bandwidths and uptimes, the technique could compromise over 46% of the paths through the network. This is in stark contrast to the 0.70% of paths predicted by an analytical model.

Since our primary purpose in this paper is NOT to demonstrate how to compromise the anonymity of Tor, we focus instead on designing solutions that can help the system prevent this type of attack. We propose a distributed reputation system to mitigate the ability of malicious servers to influence the routing mechanism.
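The gap between the analytical figure and the measured one can be illustrated with a small calculation. This is an added example, not code from the paper: it assumes a simplified model in which only the entry and exit routers are drawn, without replacement, in proportion to advertised bandwidth. The bandwidth values and the `cap` parameter are constructed for illustration, so the weighted results are not the paper's measurements.

```python
from fractions import Fraction

def p_both_ends_malicious(honest_bw, malicious_bw, cap=None):
    """Exact probability that the entry and exit of a circuit are both
    malicious when two distinct routers are drawn without replacement,
    each with probability proportional to its advertised bandwidth.
    `cap` is a hypothetical limit on how much of a claim is trusted."""
    def trusted(w):
        return Fraction(min(w, cap) if cap is not None else w)
    honest = [trusted(w) for w in honest_bw]
    bad = [trusted(w) for w in malicious_bw]
    total = sum(honest) + sum(bad)
    bad_total = sum(bad)
    p = Fraction(0)
    for w in bad:
        # This malicious router as entry, any *other* malicious router as exit.
        p += (w / total) * ((bad_total - w) / (total - w))
    return p

# Constructed sample inputs (KB/s); only the 60/6 node counts come from the FAQ.
HONEST = [50] * 30 + [150] * 30   # heterogeneous honest routers
MALICIOUS_CLAIMS = [1500] * 6     # unverified, inflated advertisements

def scenarios():
    """Uniform selection vs. bandwidth-weighted vs. weighted with a cap."""
    return {
        "uniform": p_both_ends_malicious([1] * 60, [1] * 6),
        "weighted": p_both_ends_malicious(HONEST, MALICIOUS_CLAIMS),
        "weighted_capped": p_both_ends_malicious(HONEST, MALICIOUS_CLAIMS, cap=200),
    }

if __name__ == "__main__":
    for name, p in scenarios().items():
        print(f"{name:16s} {float(p) * 100:6.2f}% of circuits")
```

With uniform selection the model gives (6/66)(5/65), which is the 0.70% quoted above. Once selection trusts advertised bandwidth, the share of circuits with both ends malicious is driven by what routers claim rather than by how many routers there are, and limiting how much of a claim is trusted pulls it back down.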

Q4. How does this work fit with previous research?

A4. This attack is not, in fact, the first attack against Tor. In 2005, Murdoch and Danezis presented a low-cost traffic analysis technique that allowed an outside observer to infer which Tor routers are being used to relay a path's traffic based upon introducing latency into servers on the path. Øverlier and Syverson developed an attack in which an adversary could locate hidden services within the Tor network. Murdoch demonstrated an alternate technique for locating hidden services.

It is important to note that, since Tor uses a centralized routing mechanism to maintain and distribute routing information, it is not vulnerable to many of the routing attacks that are possible in decentralized overlay systems. These include, for example, the Eclipse attack, attacks on distributed hash tables (DHTs), insider attacks in application-layer multicast protocols, and passive node profiling attacks. While centralized routing tends to have scalability limitations, Tor's directory servers do, in fact, protect it from a variety of well-known attacks.

May 5, 2012 (13:46)