Tor is a widely used anonymization network. Traffic is routed over different relay nodes to conceal the communication partners. However, if a single relay handles too much traffic, de-anonymization attacks are possible. The Tor Load Balancing Mechanism (TLBM) is responsible for balanced and secure load distribution. It must verify that relays cannot attract more traffic than they should by lying about their self-reported bandwidth. This work shows that the current bandwidth measurement method used for bandwidth verification is not suitable to verify the bandwidth of many relays. Most importantly, multiple measurements of high-bandwidth relays are uncorrelated to each other. Furthermore, we analyze the current load distribution in Tor. We show that the current load distribution reduces the resources necessary for several large-scale de-anonymization attacks by more than 80%. Additionally, as Tor favors fast relays during path selection, verifiable relays only handle a small fraction of Tor’s traffic. More precisely, we show that only 7.21% of all paths consist of entry and exit relays verifiable by measurements. We discuss these results’ security implications and argue that future TLBM research should focus at least as much on secure load distribution as on high traffic performance.
%0 Conference Paper
%1 greubel2020quantifying
%A Greubel, Andre
%A Pohl, Steffen
%A Kounev, Samuel
%B Proceedings of the 36th Annual Computer Security Applications Conference (ACSAC 2020)
%D 2020
%K TLBM balancing hauptautor load myown paper tor
%R https://doi.org/10.1145/3427228.3427238
%T Quantifying measurement quality and load distribution in Tor
%U https://doi.org/10.1145/3427228.3427238
%X Tor is a widely used anonymization network. Traffic is routed over different relay nodes to conceal the communication partners. However, if a single relay handles too much traffic, de-anonymization attacks are possible. The Tor Load Balancing Mechanism (TLBM) is responsible for balanced and secure load distribution. It must verify that relays cannot attract more traffic than they should by lying about their self-reported bandwidth. This work shows that the current bandwidth measurement method used for bandwidth verification is not suitable to verify the bandwidth of many relays. Most importantly, multiple measurements of high-bandwidth relays are uncorrelated to each other. Furthermore, we analyze the current load distribution in Tor. We show that the current load distribution reduces the resources necessary for several large-scale de-anonymization attacks by more than 80%. Additionally, as Tor favors fast relays during path selection, verifiable relays only handle a small fraction of Tor’s traffic. More precisely, we show that only 7.21% of all paths consist of entry and exit relays verifiable by measurements. We discuss these results’ security implications and argue that future TLBM research should focus at least as much on secure load distribution as on high traffic performance.
@inproceedings{greubel2020quantifying,
abstract = {Tor is a widely used anonymization network. Traffic is routed over different relay nodes to conceal the communication partners. However, if a single relay handles too much traffic, de-anonymization attacks are possible. The Tor Load Balancing Mechanism (TLBM) is responsible for balanced and secure load distribution. It must verify that relays cannot attract more traffic than they should by lying about their self-reported bandwidth. This work shows that the current bandwidth measurement method used for bandwidth verification is not suitable to verify the bandwidth of many relays. Most importantly, multiple measurements of high-bandwidth relays are uncorrelated to each other. Furthermore, we analyze the current load distribution in Tor. We show that the current load distribution reduces the resources necessary for several large-scale de-anonymization attacks by more than 80%. Additionally, as Tor favors fast relays during path selection, verifiable relays only handle a small fraction of Tor’s traffic. More precisely, we show that only 7.21% of all paths consist of entry and exit relays verifiable by measurements. We discuss these results’ security implications and argue that future TLBM research should focus at least as much on secure load distribution as on high traffic performance.},
added-at = {2020-09-16T10:43:06.000+0200},
author = {Greubel, Andre and Pohl, Steffen and Kounev, Samuel},
biburl = {https://www.bibsonomy.org/bibtex/2c55d7adc5ce01ca0d015d42816089e6e/andregreubel},
booktitle = {Proceedings of the 36th Annual Computer Security Applications Conference (ACSAC 2020)},
doi = {https://doi.org/10.1145/3427228.3427238},
interhash = {b44f313357a4412bd3674c2efe043adf},
intrahash = {c55d7adc5ce01ca0d015d42816089e6e},
keywords = {TLBM balancing hauptautor load myown paper tor},
timestamp = {2020-11-14T11:34:05.000+0100},
title = {Quantifying measurement quality and load distribution in Tor},
url = {https://doi.org/10.1145/3427228.3427238},
year = 2020
}