Traffic Analysis of High Throughput Traffic on Tor

G. Mani, P. Srinivas, G. Rao, Chitturi Prasad, Donepudi Priyanka, Naresh Cherukuri
Published in: 2021 Fifth International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC)
Publication date: 2021-11-11
DOI: 10.1109/I-SMAC52330.2021.9640934 (https://doi.org/10.1109/I-SMAC52330.2021.9640934)
Citation count: 1

Abstract

Tor is a popular anonymity network used by millions to access internet services while maintaining their privacy. The main concept behind Tor is that a user can build a "circuit" of routers called relays, where each relay carries the client’s traffic to the next relay, without any single relay knowing the full extent of the path. Thus, anonymity is achieved, because no single relay can trace the client to the destination. However, a paper written in 2005 titled "Low-Cost Traffic Analysis of Tor" by Steven J. Murdoch and George Danezis demonstrated that a traffic analysis attack was possible against the Tor network. Any attacker could monitor the load on a relay in the Tor network by calculating the round trip time (RTT) to the relay, and when the RTT spiked, it was clear that the relay was being used. With this information, attackers could trace the path of a client in the Tor network and de-anonymize them. This paper was written in 2005, when Tor was still young. At the time of Murdoch and Danezis’ paper, the entire Tor network consisted of just fifty relays. As of the time of writing, there were well over 7,000 relays in the network, so the ecosystem of Tor is radically different. With all of the increased traffic, it is necessary to determine whether this type of attack is still valid and would not be masked by other traffic. Our results indicate that if a victim is downloading or streaming a large file as fast as Tor will allow them to, a decrease in bandwidth and an increase in round trip time (RTT) are usually observable on each relay in the circuit. This research work has also discovered that Tor guard relays, a special subset of relays that clients will pick as the first hop in their circuit, are very susceptible to this kind of attack.