An Anonymity Vulnerability in Tor

Privacy is currently one of the most concerned issues in Cyberspace. Tor is the most widely used system in the world for anonymously accessing Internet. However, Tor is known to be vulnerable to end-to-end traffic correlation attacks when an adversary is able to monitor traffic at both communication endpoints. In this paper, we present a set of novel Trapper Attacks that can be used to deanonymize user activities by both AS-level adversaries and Node-level adversaries in a Tor network. First, AS-level adversaries can exploit the occasional failures of censored network to selectively control entry guards of the Tor users. Second, the adversaries can exploit poor reliability of the Tor communication (e.g., natural churn) to compromise the exiting nodes and the anonymous path. Once the adversaries gain control of the routes, they can identify and inspect any traffic entering and leaving the Tor network, consequently, deanonymize a Tor user's activity in the network. To demonstrate the effectiveness and feasibility of this attacks, we implemented a tool that can launch the proposed Trapper Attacks to automatic reveal communication relationships between a Tor user and its destinations running on a live Tor network. We also present a formal analysis framework to evaluate the integrity of the Tor network. With this framework, we successfully obtained quantitative estimates of Tor's security vulnerability. The proposed Trapper Attacks are also designed to scale up in real-world Tor networks. Namely, it allows an adversary to perform deanonymization in honey relays effectively, and compromise the anonymity of Tor clients in real time. Our experimental results show that the proposed attacks succeed in less than 40 seconds achieving a 100% accuracy rate and a false positive rate close to 0.