De-anonymizing BitTorrent Users on Tor
Some BitTorrent users are running BitTorrent on top of Tor to preserve their privacy. In this extended abstract, we discuss three different attacks to reveal the IP address of BitTorrent users on top of Tor. In addition, we exploit the multiplexing of streams from different applications into the same circuit to link non-BitTorrent applications to revealed IP addresses.
Research Summary
The paper investigates how users who run BitTorrent over the Tor anonymity network can be de‑anonymized. It presents three concrete attacks that exploit weaknesses in the BitTorrent protocol rather than in Tor itself, and demonstrates that these attacks are practical by operating six Tor exit nodes for 23 days.
Attack 1 – Announce/Handshake Inspection
BitTorrent clients often include their public IP address in the HTTP “announce” request sent to a tracker or in the optional “extended handshake” message exchanged after the TCP connection is established. By eavesdropping on traffic exiting a Tor node, an adversary can parse these fields and immediately learn the user’s real IP. The authors note that not all clients embed accurate IP information, so this method is opportunistic rather than universal.
Attack 2 – Tracker Response Hijacking
When a tracker replies with a list of peers (IP + port pairs), the attacker modifies the response to insert a peer under his control. The victim, still using Tor to reach the tracker, will subsequently open a direct TCP connection to the injected peer. Because the connection still traverses the attacker’s exit node, the node can read the IP header and recover the user’s true source address. This hijack works whenever the user relies on the tracker for peer discovery, even if the subsequent peer‑to‑peer traffic also goes through Tor.
Attack 3 – DHT Exploitation
BitTorrent’s Distributed Hash Table (DHT) uses UDP for node discovery. Tor does not support UDP, so a client that cannot reach the DHT via its Tor interface falls back to its public network interface, thereby publishing its public IP address into the DHT. An adversary monitoring the DHT can correlate the content identifier (info‑hash) and the uniformly distributed port number that pass through the exit node with entries in the DHT, pinpointing the user’s real IP. This attack is highly accurate and works even when the user employs Tor for all peer connections.
The authors also exploit Tor’s stream multiplexing: all TCP streams created by a user within a 10‑minute window share the same circuit. By linking a de‑anonymized BitTorrent IP to other streams on the same circuit, the attacker can profile the user’s web‑browsing habits, effectively extending the privacy breach beyond file‑sharing.
Experimental Results
Operating six exit nodes, the researchers collected close to 9,000 distinct public IP addresses belonging to BitTorrent users on Tor. They demonstrated successful de‑anonymization via the hijack and DHT attacks, and showed that the multiplexing property allowed them to associate web traffic with the same IP.
Implications and Countermeasures
The study reveals that Tor’s anonymity guarantees do not extend to protocols that leak identifying information themselves. Mitigations include: (1) modifying BitTorrent clients to omit IP fields in tracker communications and to avoid falling back to the public interface for DHT lookups; (2) securing tracker responses with TLS or digital signatures to prevent tampering; (3) extending Tor to support UDP or providing a separate anonymizing tunnel for DHT traffic. However, these changes require coordinated updates to both the BitTorrent ecosystem and the Tor infrastructure, which are not currently in place.
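A self-audit for mitigation (1), added here as an example and not code from the paper: it checks a capture of your own client's announce URL and extended-handshake payload for address fields that would survive the trip through Tor. The key names follow BEP 3, BEP 7 and BEP 10; the sample URL, the sample payload and the 8.8.8.8 stand-in address are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

ANNOUNCE_KEYS = ("ip", "ipv4", "ipv6")   # BEP 3 / BEP 7 query parameters
HANDSHAKE_KEYS = (b"ipv4", b"ipv6")      # BEP 10 extended-handshake keys
# Constructed samples; 8.8.8.8 stands in for the client's public address.
SAMPLE_URL = ("http://tracker.example/announce?info_hash=%12%34"
              "&port=6881&ip=8.8.8.8")
SAMPLE_HANDSHAKE = b"d4:ipv44:\x08\x08\x08\x081:md11:ut_metadatai1ee1:pi6881ee"

def bdecode(data, i=0):
    """Minimal bencode decoder: returns (value, index after the value)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"d":
            return dict(zip(items[0::2], items[1::2])), i + 1
        return items, i + 1
    colon = data.index(b":", i)
    end = colon + 1 + int(data[i:colon])
    return data[colon + 1:end], end

def leaked(value):
    """Printable form if value may identify the host, else None.
    Unparseable values (hostname, address:port) are reported conservatively."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return value if isinstance(value, str) else value.hex()
    return str(ip) if ip.is_global else None

def audit_announce(url):
    """[(key, address)] for identifying addresses in an announce URL."""
    query = parse_qs(urlsplit(url).query)
    return [(k, hit) for k in ANNOUNCE_KEYS for v in query.get(k, [])
            if (hit := leaked(v)) is not None]

def audit_handshake(payload):
    """[(key, address)] for identifying addresses in a handshake dict."""
    msg, _ = bdecode(payload)
    if not isinstance(msg, dict):
        return []
    return [(k.decode(), hit) for k in HANDSHAKE_KEYS
            if isinstance(msg.get(k), bytes) and (hit := leaked(msg[k])) is not None]
```

An empty result from both functions means the captured messages carry no globally routable address in these fields; it says nothing about the DHT fallback, which happens outside these messages.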
In conclusion, the paper demonstrates that using Tor to hide BitTorrent activity provides a false sense of privacy. Even a modest adversary who controls a Tor exit node can reliably recover users’ real IP addresses and, by leveraging stream multiplexing, can also infer broader online behavior. The findings call for a reassessment of privacy expectations for P2P applications running over anonymity networks.