Shining Light in Dark Places: Understanding the Tor Network

  • Damon McCoy
  • Kevin Bauer
  • Dirk Grunwald
  • Tadayoshi Kohno
  • Douglas Sicker
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5134)

Abstract

To date, there has yet to be a study that characterizes the usage of a real deployed anonymity service. We present observations and analysis obtained by participating in the Tor network. Our primary goals are to better understand Tor as it is deployed and, through this understanding, propose improvements. In particular, we are interested in answering the following questions: (1) How is Tor being used? (2) How is Tor being misused? (3) Who is using Tor?

To sample the results, we show that web traffic makes up the majority of the connections and bandwidth, but non-interactive protocols consume a disproportionately large amount of bandwidth when compared to interactive protocols. We provide a survey of how Tor is being misused, both by clients and by Tor router operators. In particular, we develop a method for detecting exit router logging (in certain cases). Finally, we present evidence that Tor is used throughout the world, but router participation is limited to only a few countries.

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Damon McCoy (1)
  • Kevin Bauer (1)
  • Dirk Grunwald (1)
  • Tadayoshi Kohno (2)
  • Douglas Sicker (1)

  1. Department of Computer Science, University of Colorado, Boulder, USA
  2. Department of Computer Science and Engineering, University of Washington, Seattle, USA
