Analysing Covertness of Tor Bridge Request

Tor bridges are hidden entrances of Tor network. Users can exploit bridges to hide their visits of Tor. To restrict hidden Tor visits, many attacks focus on bridge information discovery or bridge traffic detection. But these attacks are less effective because bridges' information cannot be discovered thoroughly and its traffic are often obfuscated. In the paper, we present a novel attack to stop hidden Tor visits. We observe that users need to request information of bridges from a database before visiting Tor network. Thus, attackers can stop Tor visits by detecting the process of bridge requests rather than bridge itself. To verify our attack's feasibility, we analyse covertness of the most widely-used bridge request tool, which imitates normal network request when communicating with bridge database. After comparing with five types of typical web request, we find that this tool fails to imitate in packet time, size and direction, for example, the variation of simulated packet sizes are more dynamic than normal. Based on the three imitation vulnerabilities, we train machine learning algorithms to detect bridge request. Extensive experiments demonstrate that bridge request can be identified with high accuracy and very low false-positive rates in real-world. In conclusion, our work paves a new way to block evasive Tor visits.