Security and performance implications of BGP rerouting-resistant guard selection algorithms for Tor

Abstract

Tor is the most popular anonymization network with millions of daily users. This makes it an attractive target for attacks, e.g., by malicious autonomous systems (ASs) performing active routing attacks to become man in the middle and deanonymize users. It was shown that the number of such malicious ASs is significantly larger than previously expected due to the lack of security guarantees in the Border Gateway Protocol (BGP). In response, recent works suggest alternative Tor path selection methods preferring Tor nodes with higher resilience to active BGP attacks.In this work, we analyze the implications of such proposals and demonstrate that two state-of-the-art path selection methods, namely Counter-RAPTOR and DPSelect, are not as secure as thought before. First, we show that DPSelect achieves only one third of its originally claimed resilience and, thus, is not as resilient as widely accepted. Second, we reveal that the resilience to active BGP attacks on the way back, i.e., from the first anonymization node to a given Tor user, provided by both methods is significantly lower than on the forward path. Beside their lower resilience in specific cases, we show that for particular users the usage of Counter-RAPTOR and DPSelect also leads to leakage of user’s location. Furthermore, we uncover the performance implications of both methods and identify scenarios where their usage leads to significant performance bottlenecks. Finally, we propose a new metric to quantify the user’s location leakage by path selection. Using this metric and performing large-scale analysis, we show to which extent a malicious Tor middle node can fingerprint the user’s location and the confidence it can achieve. Our findings shed light on the implications of path selection methods on the users’ anonymity and the need for further research.