
RAPTOR: Routing Attacks on Privacy in Tor (1503.03940v1)

Published 13 Mar 2015 in cs.NI and cs.CR

Abstract: The Tor network is a widely used system for anonymous communication. However, Tor is known to be vulnerable to attackers who can observe traffic at both ends of the communication path. In this paper, we show that prior attacks are just the tip of the iceberg. We present a suite of new attacks, called Raptor, that can be launched by Autonomous Systems (ASes) to compromise user anonymity. First, AS-level adversaries can exploit the asymmetric nature of Internet routing to increase the chance of observing at least one direction of user traffic at both ends of the communication. Second, AS-level adversaries can exploit natural churn in Internet routing to lie on the BGP paths for more users over time. Third, strategic adversaries can manipulate Internet routing via BGP hijacks (to discover the users using specific Tor guard nodes) and interceptions (to perform traffic analysis). We demonstrate the feasibility of Raptor attacks by analyzing historical BGP data and Traceroute data as well as performing real-world attacks on the live Tor network, while ensuring that we do not harm real users. In addition, we outline the design of two monitoring frameworks to counter these attacks: BGP monitoring to detect control-plane attacks, and Traceroute monitoring to detect data-plane anomalies. Overall, our work motivates the design of anonymity systems that are aware of the dynamics of Internet routing.

Citations (215)

Summary

  • The paper introduces RAPTOR, a novel suite of routing attacks that leverages asymmetric traffic analysis to deanonymize Tor users with 95% accuracy.
  • It shows that natural BGP churn can increase the exposure of Tor circuits to AS-level adversaries by up to 50%, significantly increasing the risk of deanonymization over time.
  • The study validates that controlled BGP hijack and interception attacks on Tor guard nodes can compromise user privacy with 90% accuracy.

RAPTOR: Routing Attacks on Privacy in Tor

The paper "RAPTOR: Routing Attacks on Privacy in Tor" presents an intricate examination of vulnerabilities in the Tor network, particularly focusing on how Autonomous Systems (ASes) can exploit these vulnerabilities to compromise user anonymity. The Tor network is a significant tool for anonymous communication, widely used by various entities including political dissidents and average citizens concerned about online privacy. However, its susceptibility to attacks by entities that can observe traffic at both ends of the communication path has been a longstanding concern. This paper goes beyond prior analyses and introduces a new suite of attacks, termed Raptor, which leverages the dynamics of Internet routing through the Border Gateway Protocol (BGP) to enhance the efficacy of traffic analysis attacks.

The paper articulates three major strategies employed by Raptor attacks: asymmetric traffic analysis, exploitation of natural BGP churn, and BGP hijack/interception attacks. Using real-world data and experimental methodologies, the authors demonstrate the feasibility of these attacks, combining empirical analysis with practical attack execution.

Key Findings and Results

  1. Asymmetric Traffic Analysis: The paper introduces an advancement over conventional end-to-end timing analysis by considering asymmetric routes in Internet traffic. The researchers found that routing asymmetry can significantly increase the number of ASes that may observe at least one direction of traffic flows, thus elevating the risk of deanonymization. Live experiments on the Tor network revealed that such asymmetric traffic analysis could identify users with a detection accuracy of 95%, validated through high correlation between TCP acknowledgments and data flows.
  2. Exploitation of BGP Churn: BGP churn refers to changes in Internet routing paths due to dynamics like link failures and changes in routing policies. The analysis showed that over one month, the potential for Tor circuits to be exposed to AS-level adversaries increases by up to 50% due to BGP churn. This churn allows more ASes to observe traffic over time, thus augmenting the risk of traffic analysis attacks.
  3. BGP Hijack and Interception Attacks: The paper examines the feasibility of AS-level adversaries conducting BGP hijacks and interceptions to target specific Tor guard nodes. Historical data show past BGP hijack incidents involved prefixes containing Tor relays, confirming the threat's realism. Moreover, the researchers conducted a controlled BGP interception attack on the live Tor network, successfully demonstrating the ability to deanonymize users with a 90% accuracy rate.

Implications and Future Directions

The paper highlights significant implications for the privacy and security community. The demonstrated elevation in the threat level posed by AS-level adversaries necessitates redesigning anonymity systems to consider Internet routing dynamics more explicitly. There are several directions for future research and practical defenses:

  • Countermeasures: The authors propose three kinds of countermeasure: monitoring frameworks that use BGP and traceroute data to detect anomalies; having Tor relays advertise /24 prefixes to prevent more-specific prefix hijacks; and favoring geographically and topologically closer relays, which could reduce vulnerability to certain attacks.
  • Secure Routing Protocols: Deploying secure routing protocols, such as those that add security to BGP, would prevent hijack and interception attacks, although this requires substantial buy-in across the Internet governance landscape.
  • AS-aware Anonymity: Future anonymity systems should consider integrating AS-awareness into their path selection algorithms, potentially mitigating the efficacy of AS-level attacks.
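
A minimal sketch of the control-plane monitoring idea from the countermeasures above, as an added example that is not the paper's framework or code: it checks BGP announcements against a baseline for prefixes that host Tor relays. The prefixes (documentation ranges), AS numbers (reserved and private-use ranges), baseline format and verdict names are all constructed assumptions.

```python
import ipaddress

# Constructed baseline for prefixes hosting Tor relays (documentation ranges):
# prefix -> (expected origin AS, upstream ASes previously seen next to the origin).
BASELINE = {
    "192.0.2.0/24": (64500, {64510}),
    "198.51.100.0/23": (64501, {64511}),
}

# Constructed BGP announcements as (prefix, AS path); the origin is the last AS.
UPDATES = [
    ("192.0.2.0/24", [64510, 64500]),
    ("192.0.2.0/24", [64510, 64666]),
    ("198.51.100.0/24", [64511, 64666]),
    ("198.51.100.0/23", [64511, 64777, 64501]),
    ("203.0.113.0/24", [64512, 64502]),
]


def classify(prefix, as_path, baseline=BASELINE):
    """Return a verdict for one announcement against the baseline."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for base_prefix, (expected_origin, upstreams) in baseline.items():
        base = ipaddress.ip_network(base_prefix)
        if net.version != base.version or not net.subnet_of(base):
            continue
        if net.prefixlen > base.prefixlen:
            return "more-specific"   # sub-prefix would win longest-prefix match
        if origin != expected_origin:
            return "origin-change"   # same prefix, unexpected origin AS
        # Skip prepended copies of the origin to find its neighbouring AS.
        upstream = next((a for a in reversed(as_path) if a != origin), None)
        if upstream is not None and upstream not in upstreams:
            return "new-upstream"    # origin intact, but the path has changed
        return "ok"
    return "unmonitored"


def scan(updates, baseline=BASELINE):
    """Return (prefix, origin AS, verdict) for each anomalous announcement."""
    verdicts = ((p, path[-1], classify(p, path, baseline)) for p, path in updates)
    return [v for v in verdicts if v[2] not in ("ok", "unmonitored")]


if __name__ == "__main__":
    for alert in scan(UPDATES):
        print(alert)
```

The /23 entry shows why the /24 advice matters: a /24 carved out of it is more specific and is preferred by longest-prefix matching, whereas routes longer than /24 are commonly filtered.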

Conclusion

The Raptor suite of attacks paints a compelling case for reevaluating how anonymity networks like Tor conceptualize trust and adversarial capabilities regarding Internet architecture. The paper provides a thorough analysis, backed by experimental validation, thus contributing a crucial understanding of the additional layers of risk introduced by BGP dynamics. It calls for the development and adoption of more resilient frameworks to preserve the anonymity Tor users depend on. Overall, while the current anonymity offerings remain robust, they must adapt continuously to the evolving threat landscape characterized by the ever-dynamic nature of Internet routing.