Cryptology ePrint Archive: Report 2012/432

TorScan: Tracing Long-lived Connections and Differential Scanning Attacks

Alex Biryukov, Ivan Pustogarov, Ralf-Philipp Weinmann

Abstract: Tor is a widely used anonymity network providing low-latency communication capabilities. Around 400,000 users per day use Tor to route TCP traffic through a sequence of relays; three hops are selected from a pool of currently almost 3000 volunteer-operated Tor relays to comprise a route through the network for a limited time. In comparison to single-hop proxies, forwarding TCP streams through multiple relays increases the anonymity of the users significantly: each hop along the route only knows its successor and predecessor. The anonymity provided by Tor heavily relies on the hardness of linking a user's entry and exit nodes. If an attacker gains access to the topological information about the Tor network instead of having to consider the network as a fully connected graph, this anonymity may be reduced. In fact, we have found ways to probe the connectivity of a Tor relay. We demonstrate how the resulting leakage of the Tor network topology can be used and present attacks to trace back a user from an exit relay to a small set of potential entry nodes.

Category / Keywords: applications /

Date: received 31 Jul 2012

Contact author: ivan pustogarov at uni lu

Available format(s): PDF | BibTeX Citation

Version: 20120805:145655 (All versions of this report)

Short URL: ia.cr/2012/432

Discussion forum: Show discussion | Start new discussion