Defending End-to-End Confirmation Attacks against the Tor Network

Abstract

Tor is an anonymity network designed for interactive applications such as Web browsing or instant messaging. The network consists of voluntarily operated nodes distributed around the world and routes user traffic over three randomly chosen nodes in order to conceal which destinations a user is accessing. If an attacker can control or observe the nodes where traffic is entering and leaving the network, one can correlate traffic and confirm that a user connected to a particular destination, for instance a Web site. Currently, Tor does not directly defend against such end-to-end confirmation attacks, because proposed defences put to much load onto the network. Instead Tor makes it harder for an attacker to come into the position to execute such an attack. Successful end-to-end confirmation attacks were demonstrated in the past and researchers assume that such attacks are generally possible against the Tor network. However, it is not known how effective they actually can be against the current size Tor network. What is the real threat today for users by end-to-end confirmation attacks? In addition, current research shows that Tor’s approach to defend such attacks has its own limitations. For this reason it is necessary to not rely on one protection mechanism alone in order to keep Tor users safe and provide the anonymity they expect from Tor. This thesis investigates end-to-end confirmation attacks against the current size Tor network with the goal to better understand the threat such attacks pose to users. It confirms by experiments on the live Tor network that end-to-end confirmation attacks are still a valid and serious threat against Tor. This builds the necessary foundation to better protect against them. In a second step the thesis develops a defence against end-to-end confirmation attacks based on dummy traffic and examines the level of protection this can provide to users. This also studies the costs associated with the defence in order to better understand if it is worthwhile to deploy the defence to the Tor network. Experiments on the live Tor network and large-scale simulations of Tor show that the proposed defence can protect against end-to-end confirmation attacks. At the same time Tor is not slowed down by the defence from a user’s perspective. Instead the defence requires higher bandwidth from Tor nodes. The ultimate goal of the thesis is to better protect Tor users against end-to-end confirmation attacks. To the author’s best knowledge this work presents for the first time a general defence directly defending end-to-end confirmation attacks against the Tor network. The proposed defence can protect against such attacks, is usable, easy to implement and easy to deploy. Utilising this defence improves the security and anonymity of Tor users, but at the same time it does not impose unacceptable high costs on the Tor network.