Introduction
In the communication era, the global Internet network represents a fundamental
resource for everyday live. Security aspects on the Internet assume today a very
important role [
1
]: being a crucial element for users activities, governments, and
critical infrastructure systems, the Internet network has to be kept a safe place
for its users and inter-communicating systems, ensuring secure communications
and guaranteeing users rights. In the privacy context, it is important to ensure
hiding capabilities for both the content exchanged between two entities and the
identity of the entities themselves [
2
].
Anonymity network systems were primarily designed to preserve
communications privacy to censored Internet users. Anonymity is achieved by embedding
user data inside of di erent layers of encryption and by forwarding the tra c
through a set of relay/routing nodes or proxies [
3
]. Onion networks [
2, 4
]
represent today one of the available solutions adopted in this context. Such networks
are based on onion routing approaches, involving encryption procedures making
routing nodes unable to read exchanged data between two (client and server)
entities. There exist several di erent anonymizing networks [
5
], such as Freenet [
6
],
I2P [
7
], [
8
], MorphMix [
9
], Hornet [
10
] or Tarzan [
11
]. Nevertheless, nowadays,
the most adopted onion network is Tor [
5
].
Representing the second version of the original Onion Routing protocol [
2,
4
], the Tor network (Tor in the following) is today considered one of the most
popular network protocol for anonymous communications. Developed starting
from an internal project of the United States Naval Research Lab, hence
inherited by the Tor non-pro t organization in late 2003, Tor was created to improve
privacy and security of Internet users. Tor rapidly acquired adoption on the
Internet: while on January 2010, about 1,000 Tor public relays was distributed
around the world, this number quickly raised to nearly 8,000 on January 2015,
and is nowadays stabilized to around 7,000 nodes. In virtue of its e ectiveness,
the anonymity levels provided by Tor are often uncomfortable to law
enforcement or governments prone to Internet censorship activities. This statement is
con rmed by a July 2014 competition organized by the Russian government,
giving a 110,000 USD price to any Russian citizen breaking the Tor network for
tracking purposes 1.
Due to the adoption of the Tor network and the nature of exchanged contents,
it is important to deeply explore the network, its functioning and the associated
weaknesses, in the darknet security context. In this paper, we analyze
cyberattacks on the Tor network, by proposing an exhausting taxonomy of available
attacks, by analyzing the target of the attack. Although other works propose a
survey of Tor attacks [
12
], the proposed work reports a broader set of threats,
also proposing a categorization of them. Particularly, we report the functioning
of the Tor network in Section 2, hence categorizing and describing available
attacks in Section 3. Section 4 reports instead considerations on the analyzed
attacks, while, nally, Section 5 reports the conclusions of the work.
2
The Tor Protocol
Tor can be adopted in order to hide the identity of the client while sur ng on
the surface web (including websites reachable through a common browser) [
13
],
or while accessing hidden services on the Tor network [
14
]. Considering the rst
scenario, accordingly to Figure 1, each communication involves several public
relay nodes: (i) the client, (ii) the server, (iii) a Tor entry node (or guard node),
(iv) a Tor exit node, and (v) a set of Tor middle nodes greater or equal to one.
Since a single middle node is usually adopted [
3
] (as depicted in Figure 1), we
will consider such scenario in the following.
1 "Putin Sets $110,000 Bounty for Cracking Tor as Anonymous InternetUsage in
Russia Surges" (Accessed on Nov 6th, 2018):
http:www.bloomberg.comnews201407-29putin-sets-110-000-bounty-for-cracking-tor-as-anonymous-internet-usage-inrussia-surges.html
Tor also supports additional guard nodes known as bridge nodes [
15
]: unlike
public relay nodes, in this case the identity/IP address of the node is not public.
Also, the Tor network can be extended by any host wishing to become part of the
network. Although this characteristic makes Tor an extremely scalable network,
it also makes it vulnerable by design to man-in-the-middle attacks, especially in
case a malicious user controls the exit node of the network and communications
with the server are not encrypted [
16
].
The set of Tor nodes involved in the communication is chosen by the client
itself and it represents a Tor circuit, build by the client at the begin of the
connection by communicating with the network nodes belonging to the circuit and
exchanging a separate encryption key with each node. Messages are encrypted by
the client through an onion encryption scheme [
17
]. Since each node involved in
the communication is the only one able to decrypt the message it receives, each
node is only aware of the identity of its predecessor and successor on the circuit.
In addition, while the entry/guard node is the only one directly communicating
with the client, only the exit node is able to read the original message (to be
delivered to the server on the surface Internet network), that can be encrypted
if encryption algorithms are adopted (such as SSL).
3
Attacks to the Tor ecosystem
During the years, several studies have been conducted on onion networks [2,
18{20], with particular focus on the Tor network, that is the most adopted one.
Considering onion networks security, attacks may target three di erent entities
of the network:
{ Client: in this case, the aim of the attacker is to target a client of the Tor
network;
{ Server: in this case, the Tor hidden server is targeted by the attacker;
{ Network: in this case, the Tor network itself is targeted by the attacker.
Concerning such di erent entities, we now describe available attacks, by
focusing on the Tor onion network. We also analyze attacks targeting generic/mixed
entities.
3.1
Attacks to the client
Several studies have been conducted during the years in order to hack the Tor
network and de-anonymize its users, associating their IP address to an outgoing
packet [
21, 22
]. These studies often led to concrete attacks exploiting speci c
vulnerabilities, removed by Tor developers through appropriate updates of the
browser software. In this part of the paper we report attacks aimed at creating
a damage to the Tor client.
Plug-in based attacks These attacks are executed to target the user through the
Internet browser he adopts to navigate on the network. Such threats make use
of external software plugged into the browser (plug-in), such as Flash, Java, and
ActiveX Controls [23, ?]. These applications run as separate software, executed
with users permissions on the operating system. Some of these technologies, like
Java or Adobe Flash, for instance, are executed in apposite virtual machines or
frameworks bypassing proxy con guration settings adopted by the Tor browser,
hence directly communicating on the Internet network, without making use of
the Tor ecosystem. Browser attacks may be implemented by following di erent
approaches [
24
]: (i) by operating on the public Internet server contacted by the
client, through a malicious server system embedding, for instance, Adobe Flash
contents on the web page; (ii) by adopting an evil exit node, intercepting users
communications on not encrypted channels (e.g. clear HTTP connections) and
embedding malicious plug-in related contents. Due to the possible exposure of
the clients identity deriving from the usage of browser plug-ins, as suggested by
anonymizing browsers themselves, such technologies, often disabled by default,
should be avoided in order to communicate on the onion network anonymously
and safely.
Torben attack The Torben attack [
25
] is executed to identify a Tor client, by
manipulating web pages to force the user to access content from untrusted sources
and by exploiting low-latency characteristics of anonymization networks to infer
indicators of web pages that are transmitted, hence retrieving information on
the web pages the client visits through Tor.
P2P Information leakage This kind of attack is perpetrated in order to
deanonymize Tor clients by exploiting their connections to peer-to-peer systems.
Indeed, considering for instance the BitTorrent protocol [
26
], it is possible for
a malicious user to retrieve the IP address of a client connecting over Tor to
communicate with the torrent tracker. A torrent tracker is a network service the
client has to communicate to retrieve information about the list of peers able to
share the requested resource [
16
]. Peers information are provided as couples of
IP address and listening port.
The attacker exploits in this case the fact that, although the list of trackers
may be retrieved anonymously via Tor, P2P connections are often accomplished
unsafely, by directly communicating with the peer. Therefore, it is possible for
the attacker to exploit the man-in-the-middle addiction of the Tor network to
alter the content of the list returned by the torrent tracker, by including into
the list the IP address of a malicious torrent peer. Since communication with
such peer would not be established through Tor, it is possible for the attacker to
retrieve the IP address of the client originating the request to the tracker [
26
].
Induced Tor guard selection The Tor entry node is the only node directly
communicating with the client. Nevertheless, since Tor packets payload is encrypted,
it is not possible for the entry node to retrieve the clean content of exchanged
messages without knowing the decryption keys of the circuit nodes. Therefore,
although a single malicious guard node may not compromise the communication,
it may be required to the attacker to own the entry node of a Tor circuit [
4
].
In order to induce a Tor client to adopt a speci c malicious entry node, it
is possible to drop communications of the client to public entry nodes, except
the attackers ones [
27
]. This operation can be accomplished, for instance, by
altering tra c capabilities of the victim, blocking connections to legitimate entry
nodes at the network level through appropriate policies, de ned, e.g., by network
administrators or local Internet Service Providers.
Raptor Routing attacks on privacy in Tor (RAPTOR) [
28
] is a suite of attacks
that can be launched by the Autonomous System (AS) [
22
] to deanonymize
clients. One of the attacks is based on tra c analysis of asymmetric
communications that characterize the network. Another attack exploits the natural churn
in Internet routing and BGP paths to accomplish tra c analysis. Finally, the
last attack is based on Internet routing manipulation through BGP hijacking
activities, accomplished to discover users' Tor guard nodes.
Unpopular ports exploitation This attack exploits the fact Tor exit nodes often
limit the range of ports they can connect to on the public surface Internet [
24
].
The attack attempts to retrieve clients identity by making use of a set of
malicious entry nodes and a set of malicious exit nodes. Exit nodes controlled by
the attacker support communications on unpopular ports. It is also required to
the attacker to control the service host contacted by the client [
3
]. The attacker
aim is to induce the client to create a Tor circuit through an entry node and
an exit node under the control of the malicious user. Such con guration would
allow the attacker to retrieve the identity of the Tor client, for instance through
tra c correlation techniques [
29
].
In order to perpetrate the attack, the malicious user injects a script into
the web page requested by the client, thus inducing the browser to open a
connection to an Internet service listening on unpopular port. Such connection is
established through the Tor network. This behaviour will induce the client to
create a Tor circuit allowing communication on the speci ed unpopular port.
Since the attacker controls a set of exit nodes supporting such communication,
the probability to control the exit node of the circuit increases.
Low-resource routing attacks In order to perpetrate such attack, the adversary
has to enroll or compromise some high-bandwidth, high-uptime Tor routers [
5
].
By assuming such compromising, the attacker can decrease the resource
requirements of the malicious node, by using low-bandwidth connections, hence
exploiting the possibility of a node to report incorrect bandwidth values. Since
this advertisement is not veri ed by trusted directory servers [
23
], the relay
node appears to have a high-bandwidth and its chance to be chosen for a circuit
is particularly high2. In case both the entry and the exit nodes in a circuit are
2 Currently, this approached is no longer possible to adopt, since directory servers
control the e ective bandwidth declared.
compromised, all information received may be logged and processed, for instance
through tra c correlation approaches, to reveal the IP address of the client.
3.2
Attacks to the server
In this kind of threats, the purpose of the attacker is to target the hidden service,
in order to reveal its identity or to weaken it. Indeed, as previously mentioned,
the Tor network can be adopted in order to access services both on the public
surface Internet and Tor (hidden services). In the latter case, the identity of
the service is unknown to the client [
5
]. Concerning attacks whose purpose is to
reveal the hidden service IP address, the following assumptions may be required
[
12
]: (i) the attacker has to impersonate a malicious client and a guard node;
(ii) the hidden service is forced to choose a compromised guard node as entry
node. Di erent attacks to hidden services are available.
Cell counting and padding During such attacks [
12, 30
], the hidden service is
forced to establish a connection to a malicious rendezvous point. The attacker
sends a speci cally crafted Tor cell/packet to the introduction point of the hidden
service, specifying the chosen rendezvous point [
31
]. Hence, the introduction
point forwards the message to the hidden service, that is induced to build a Tor
circuit to reach the (malicious) rendezvous point. When the rendezvous point
receives the message (containing some sort of cookie/token generated from the
client), it is designed to send a speci c number (50) of padding cells to the hidden
service, by using the same circuit. Such padding cells, supported by the protocol
and discarded by the hidden service, simpli es the generation of a signatures on
the tra c [
24
]. At this point, the rendezvous point terminates/closes the circuit.
The entry node, supposed to be controlled by the attacker, monitors the tra c
of the circuits that pass through it. If it receives a cell including the circuit
closure, it will verify that such reception occurs after the reception of the cell
containing the con rmation cookies, and that the number of past cells is 3 cells
up through the circuit and 53 down through the circuit. If these conditions are
met, the attacker can deduce that the guard node he owns was chosen from the
hidden service, hence, it is possible for the attacker to retrieve the IP address of
the hidden service.
Tor cells manipulation By manipulating Tor cells/packets it is possible to
locate a targeted hidden service [
12
]. Particularly, when the client sends a cell to a
hidden service to initiate the communication, the request is "proxed" by the
rendezvous point, that is assumed to be controlled by the attacker. Such condition
provides to the malicious user the ability to detect the request and apply minor
changes to the message/cell data (even a single bit may be changed, hence
making the cell not compliant to the protocol), thus forwarding the message to the
hidden service and simultaneously sending a timestamp of the modi ed cell to a
central server under the control of the attacker. The cell may not be recognized
as an intact cell from the hidden service, that would send back a destroy message
to the client. This message, directed from hidden service to the client, is designed
to pass from hidden services entry node (controlled by the attacker) rst, that
may send to the central server some cells information like the command speci ed
on the cell (CELL DESTROY), the cell timestamp, the circuit ID and the source IP
address. At this point, the cell is designed to reach the rendezvous point, which
may report the central server the timestamp of the cell before forwarding it to
the client. Finally, from the central server, through time correlation may nd
the IP address of the hidden service.
Caronte attack Caronte [
32
] is a tool to automatically identify location leaks
in hidden services. Such information includes, i.e., sensitive data in the content
served by the hidden service or the con guration of the server, potentially able
to disclose the IP address of the hidden service. These location leaks are usually
introduced by the administrator of the hidden service and, in virtue of this, they
do not refer to some sort of vulnerability of Tor.
O -path MitM This attack is based on the execution of a man-in-the-middle
(MitM) attack against a Tor hidden service [
33
]. In particular, by assuming
the private key adopted by the hidden service to communicate on the network is
owned by the attacker, it is possible to accompish a MitM attack. The important
aspect in this case is that it is not required the attacker to be located in the
communication path between the client and the server.
3.3
Attacks to the network
In this case, the target of the attack is the Tor network itself. By targeting the
entire network, it is important to consider that in this case, multiple nodes may
be a ected by the malicious activities. Hence, in this case, the attack e ects
may be propagated to the entire network, instead, for instance, to a ect a single
node.
Bridge discovery In this case, the aim is to retrieve information on Tor bridge
nodes. Such information are not publicly available [
15
]. Two di erent bridge
discovery approaches are considered [
34
]: from one side, it is possible to enumerate
Tor bridges through bulk emails and HTTPS servers over Tor. From the other
side, it is possible to adopt a malicious Tor middle router/node to exploit the
weighted bandwidth routing algorithms of Tor for bridge discovery purposes.
Denial of service Denial of service (DoS) attacks are executed to make a network
component or service not available on the network, or to reduce its availability.
A DoS attack against the Tor network is CellFlood [
17
]. This attack exploits the
fact that adopting a private key to perform 1024-bit operations is, on modern
servers, about 20 time slower than performing the same operations with the
public key. Therefore, in order to process a Tor cell is 4 times longer/heavier,
compared to create it. This approach may lead a malicious client to ood a
targeted node with speci cally created cells, in order to seize all the computing
resources of the target, hence leading to a denial of service.
Sniper The Sniper attack [
32
] exploits the ow control algorithm of Tor, by
executing a DoS attack against a target Tor relay, killing the Tor process on
the machine. This is reached by forcing a node to bu er large amounts of data
(utilizing valid protocol messages) until it is overloaded and forced o ine. The
adversary can attacks a huge number of nodes to degrade network capabilities
and increase the chance for a client to choose an attacker's node. In the paper two
attacks are described: (i) the attacker stops reading from the TCP connection
containing the attack circuit, which causes the TCP window on the victim's
outgoing connection to close and the victim to bu er up to 1000 cells; (ii) the
attacker causes cells to be continuously sent to the victim (exceeding the 1000
cell limit and consuming the victim's memory resources), either by ignoring the
package window at packaging end of the circuit, or by continuously sending
SENDME messages3 from the delivery end to the packaging, end even though no
cells have been read by the delivery end.
3.4
Generic attacks
Since attacks may not target a single Tor entity (client, server, network), in the
following we report a set of attacks designed to target multiple entities.
Tra c analysis attacks This kind of attacks is based on network tra c analysis
[
4
]. For this type of attack, packets are inserted server-side, trying to observe
these packets from client-side through a statistical correlation. The goal is to
derive the circuit established by the client and associate the client with the
observed packets from the exit node. It is assumed that the attacker is able to
observe the tra c that enters and leaves the Tor network through the nodes, at
various points. The proposed attack, tries to force the client to make a connection
to a malicious server, such that it is able to inject a speci c repetitive tra c in
the TCP connection. The attacker in possession of a great amount of entry
node, will observe tra c between various entry node and client, and then will
try to detect that speci c tra c entered by the malicious server. Once the tra c
is recognized, by statistical correlation, it is possible associate tra c with the
client, so obtaining Tor circuit used. In general, it has been proved that it is
possible to counter tra c analysis methods by employing mixing strategies [
35
].
Timing attacks This attack represents a variant of tra c analysis attack
previously mentioned. Indeed, timing attacks [
24, 36
] try to obtain a relationship
between the client and the server, by observing exchanged packets to accomplish
temporal correlation. The attacker must in this case own both the entry and the
exit node of the victim's circuit. In this case, it is possible to associate packets
to a de ned client/server, through a temporal analysis, even though the
content of the packet is unknown or encrypted. Tra c may be actively temporarily
interrupted at prede ned intervals, in order to facilitate correlation. In order
3 A SENDME message speci es the exit node to increase its congestion window, hence
to continue to pull data from the external source and forward it into the Tor circuit.
to protect the nodes from this types of attacks, Tor nowadays embed packets
bu ering, delaying and shu ing approaches.
It is also possible to combine the same approach to accomplish tra c analysis
[
37
]. In this case, by executing timing attacks on the tra c related to the victim
and adopting tra c analysis to accomplish bandwidth estimation, the attack is
able to infer the network identity of an anonymous client, hidden service, and
anonymizing proxies.
Shaping attacks This attack represents a variation of the timing attack
previously described. While in case of timing attacks, tra c may be interrupted
for speci c periods, in this case, the attack actively alters the tra c shape to
facilitate correlation. By analyzing and comparing the shape, it is possible to
identify variations from the expectations [
29
] to compare di erent tra c ows
and correlate the tra c with higher con dence.
4