Securing Tor

The Tor network is a widely used system for anonymous communication. However, Tor is known to be vulnerable to attackers who can observe traffic at both ends of the communication path. We present a suite of new attacks, called Raptor, that can be launched by Autonomous Systems (ASes) to compromise user anonymity. First, AS-level adversaries can exploit the asymmetric nature of Internet routing to increase the chance of observing at least one direction of user traffic at both ends of the communication. Second, AS-level adversaries can exploit natural churn in Internet routing to lie on the BGP paths for more users over time. Third, strategic adversaries can manipulate Internet routing via BGP hijacks and interceptions. We demonstrate the feasibility of Raptor attacks by analyzing historical BGP data and Traceroute data as well as performing real-world attacks on the live Tor network, while ensuring that we do not harm real users.

Asymmetric Traffic Analysis and BGP Churn: Using live experiments on the Tor network, we showed that Raptor’s asymmetric traffic analysis attacks can deanonymize a user with a 95% accuracy, without any false positives. Using historical BGP and Traceroute data, we showed that by considering routing asymmetry and routing churn, the threat of AS-level attacks increases by 50% and 100%, respectively.


BGP Hijacks and Interceptions: We analyzed known BGP hijacks and interception attacks on the Internet and show multiple instances where Tor relays were among the target prefixes. As an illustration, the recent Bitcoin Hijack attack in 2014, as well as Indosat Hijack attacks in 2014 and 2011 involved multiple Tor relays. To demonstrate the feasibility of such attacks for the purpose of deanonymizing Tor clients, we successfully performed an interception attack against a live Tor relay. Overall, we found that more than 90% of Tor relays are vulnerable to our attacks.


Countermeasures: we present a new Tor guard relay selection algorithm that incorporates resilience of relays into consideration to proactively mitigate such attacks. We show that the algorithm successfully improves the security for Tor clients by up to 36% on average (up to 166% for certain clients). Furthermore, we build a live BGP monitoring system that can detect routing anomalies on the Tor network in real time by performing an AS origin check and novel detection analytics.


Y. Sun, A. Edmundson, L. Vanbever, O. Li, J. Rexford, M. Chiang, P. Mittal “RAPTOR: Routing Attacks on Privacy in TOR”. In USENIX Security. 2015.

Y. Sun, A. Edmundson, N. Feamster, M. Chiang, P. Mittal “Counter-RAPTOR: Safeguarding Tor Against Active Routing Attacks”. In IEEE Security & Privacy. 2017.