
How to block Tor’s hidden bridges: detecting methods and countermeasures

The Journal of Supercomputing

Abstract

The Tor network has been widely used to protect the privacy of users accessing various online services. Since Tor can be easily blocked by blacklisting the publicly listed Tor relays, a blocking-resistance mechanism based on hidden bridges has been designed and implemented in the current Tor network. Any user can request a tuple of three bridges via email, HTTPS, Twitter, etc. However, we have found that there are high correlations among those published tuples, which can be exploited to effectively detect hidden bridges by monitoring the outbound traffic from a controlled network. When a Tor client tries to connect to its chosen hidden bridges, multiple SYN packets with consecutive source ports are sent almost simultaneously, destined for different hosts. If any destination IP among such packets belongs to a known bridge, all the others can be inferred to be bridges too. By recording and analyzing a series of traffic segments that match these packet features, the hidden bridges used in a controlled network can be detected and then blocked. Depending on the computing and storage resources available, we propose both online and offline detection methods. Both analytical and simulation results verify the high correlation among published bridge tuples, validating the feasibility of our methods. With optimized detection parameters in real-world experiments, we achieve a detection rate of 86.7% with a 0.85% false-positive rate for online detection, and a 98.4% detection rate with a 0.62% false-positive rate for offline detection. To address the flaws in Tor’s current blocking-resistance mechanism, we also provide some countermeasures from the perspectives of the Tor network and of its users, respectively.



Acknowledgements

This work is supported by the National Key Basic Research Program of China under Grant No. 2010CB328104, the National Natural Science Foundation of China under Grants No. 60903162, No. 60903161, No. 61070161 and No. 61003257, the China National Key Technology R&D Program under Grants No. 2010BAI88B03 and No. 2011BAK21B02, the China Specialized Research Fund for the Doctoral Program of Higher Education under Grant No. 20110092130002, the Jiangsu Provincial Natural Science Foundation of China under Grant No. BK2008030, the Jiangsu Provincial Key Laboratory of Network and Information Security under Grant No. BM2003201, and the Key Laboratory of Computer Network and Information Integration of the Ministry of Education of China under Grant No. 93K-9.

Author information

Corresponding author

Correspondence to Ming Yang.

About this article

Cite this article

Yang, M., Luo, J., Zhang, L. et al. How to block Tor’s hidden bridges: detecting methods and countermeasures. J Supercomput 66, 1285–1305 (2013). https://doi.org/10.1007/s11227-012-0788-4


  • DOI: https://doi.org/10.1007/s11227-012-0788-4
