Quantifying measurement quality and load distribution in Tor
A. Greubel, S. Pohl, and S. Kounev. Proceedings of the 36th Annual Computer Security Applications Conference (ACSAC 2020), (2020)
Abstract
Tor is a widely used anonymization network. Traffic is
routed over different relay nodes to conceal the communication partners.
However, if a single relay handles too much traffic, de-anonymization
attacks are possible. The Tor Load Balancing Mechanism (TLBM) is
responsible for balanced and secure load distribution. It must verify
that relays cannot attract more traffic than they should by lying about
their self-reported bandwidth. This work shows that the current
bandwidth measurement method used for bandwidth verification is not
suitable to verify the bandwidth of many relays. Most importantly,
multiple measurements of high-bandwidth relays are uncorrelated to each
other. Furthermore, we analyze the current load distribution in Tor. We
show that the current load distribution reduces the resources necessary
for several large-scale de-anonymization attacks by more than 80\%.
Additionally, as Tor favors fast relays during path selection,
verifiable relays only handle a small fraction of Tor’s traffic. More
precisely, we show that only 7.21\% of all paths consist of entry and
exit relays verifiable by measurements. We discuss these results’
security implications and argue that future TLBM research should focus
at least as much on secure load distribution as on high traffic
performance.
%0 Journal Article
%1 greubel2020quantifying
%A Greubel, Andre
%A Pohl, Steffen
%A Kounev, Samuel
%D 2020
%J Proceedings of the 36th Annual Computer Security Applications Conference (ACSAC 2020)
%K TLBM t_full tor balancing descartes
%T Quantifying measurement quality and load distribution in Tor
%X Tor is a widely used anonymization network. Traffic is
routed over different relay nodes to conceal the communication partners.
However, if a single relay handles too much traffic, de-anonymization
attacks are possible. The Tor Load Balancing Mechanism (TLBM) is
responsible for balanced and secure load distribution. It must verify
that relays cannot attract more traffic than they should by lying about
their self-reported bandwidth. This work shows that the current
bandwidth measurement method used for bandwidth verification is not
suitable to verify the bandwidth of many relays. Most importantly,
multiple measurements of high-bandwidth relays are uncorrelated to each
other. Furthermore, we analyze the current load distribution in Tor. We
show that the current load distribution reduces the resources necessary
for several large-scale de-anonymization attacks by more than 80\%.
Additionally, as Tor favors fast relays during path selection,
verifiable relays only handle a small fraction of Tor’s traffic. More
precisely, we show that only 7.21\% of all paths consist of entry and
exit relays verifiable by measurements. We discuss these results’
security implications and argue that future TLBM research should focus
at least as much on secure load distribution as on high traffic
performance.
@article{greubel2020quantifying,
abstract = {Tor is a widely used anonymization network. Traffic is
routed over different relay nodes to conceal the communication partners.
However, if a single relay handles too much traffic, de-anonymization
attacks are possible. The Tor Load Balancing Mechanism (TLBM) is
responsible for balanced and secure load distribution. It must verify
that relays cannot attract more traffic than they should by lying about
their self-reported bandwidth. This work shows that the current
bandwidth measurement method used for bandwidth verification is not
suitable to verify the bandwidth of many relays. Most importantly,
multiple measurements of high-bandwidth relays are uncorrelated to each
other. Furthermore, we analyze the current load distribution in Tor. We
show that the current load distribution reduces the resources necessary
for several large-scale de-anonymization attacks by more than 80\%.
Additionally, as Tor favors fast relays during path selection,
verifiable relays only handle a small fraction of Tor’s traffic. More
precisely, we show that only 7.21\% of all paths consist of entry and
exit relays verifiable by measurements. We discuss these results’
security implications and argue that future TLBM research should focus
at least as much on secure load distribution as on high traffic
performance.},
added-at = {2020-09-17T12:05:52.000+0200},
author = {Greubel, Andre and Pohl, Steffen and Kounev, Samuel},
biburl = {https://www.bibsonomy.org/bibtex/2f1faf64194a579381662979d0cb1b258/se-group},
interhash = {b44f313357a4412bd3674c2efe043adf},
intrahash = {f1faf64194a579381662979d0cb1b258},
journal = {Proceedings of the 36th Annual Computer Security Applications Conference (ACSAC 2020)},
keywords = {TLBM t_full tor balancing descartes},
timestamp = {2020-10-05T16:26:40.000+0200},
title = {Quantifying measurement quality and load distribution in Tor},
year = 2020
}