Securing Tor Tunnels under the Selective-DoS Attack

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Anonymous communication systems are subject to selective denial-of-service (DoS) attacks. Selective DoS attacks lower anonymity as they force paths to be rebuilt multiple times to ensure delivery, which increases the opportunity for further attacks. In this paper we present a detection algorithm that filters out compromised communication channels for one of the most widely used anonymity networks, Tor. Our detection algorithm uses two levels of probing to filter out potentially compromised tunnels. We perform probabilistic analysis and extensive simulation to show the robustness of our detection algorithm. We also analyze the overhead of our detection algorithm and show that we can achieve satisfactory security guarantees for reasonable communication overhead (5% of the total available Tor bandwidth in the worst case). Real-world experiments reveal that our detection algorithm provides a good defense against selective DoS attacks.


💡 Research Summary

The paper addresses a critical vulnerability in the Tor anonymity network: selective denial‑of‑service (DoS) attacks performed by compromised relays. In such attacks a malicious relay drops traffic whenever it detects that the circuit does not contain both a compromised entry and a compromised exit, forcing the client to rebuild circuits repeatedly. This increases the probability that a future circuit will contain two compromised relays, thereby degrading anonymity. Existing defenses, such as exhaustive probing and centralized black‑listing, are impractical because they require probing on the order of the entire network size.

The authors propose a lightweight, client‑side detection algorithm that operates in two phases. Phase 1 builds a set of N random Tor circuits following the standard path‑selection algorithm and probes each circuit by retrieving a small web file. Under selective DoS only two types of circuits survive: (i) fully compromised circuits (C‑X‑C, where both entry and exit are malicious) and (ii) fully honest circuits (H‑H‑H). Phase 2 cross‑checks each surviving circuit against K other “candidate” circuits. For each candidate the exit relay of the evaluated circuit is swapped with the candidate’s exit relay, and the modified circuit is probed again. If at least Th of the K probes succeed, the evaluated circuit is classified as honest; otherwise it is deemed compromised. Because most circuits in the pool are honest, a compromised circuit will usually be paired with honest exits and will fail the probe, while an honest circuit will succeed more often.
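The two-phase procedure above, written out as a small simulation so that the filtering effect can be observed end to end. This is an added example, not the paper's code or experimental harness: the network, the relay counts, the compromised fractions t and g, the pool size N, the candidate count K and the threshold Th are all constructed toy values, and the adversary model is the one the summary states (a compromised relay passes traffic only when both entry and exit are compromised). Exit flags, relay families and natural network failures are deliberately left out.

```python
import random

# Constructed toy parameters: assumptions for this demo, not the paper's values.
N_RELAYS = 300   # relays in the toy network
T = 0.2          # fraction of all relays that are compromised (t)
G = 0.2          # fraction of guard relays that are compromised (g)
N = 60           # circuits built and probed in Phase 1
K = 10           # candidate circuits cross-checked per survivor in Phase 2
TH = 6           # successes out of K needed to classify a circuit as honest


def build_network(n_relays, t, g, rng):
    """Return (relays, guards, compromised): all relay ids, the guard subset,
    and the set of compromised relay ids.  A fraction g of guards is drawn
    from the compromised set, the rest from honest relays."""
    relays = list(range(n_relays))
    compromised = set(rng.sample(relays, int(t * n_relays)))
    n_guards = n_relays // 3
    bad_guards = rng.sample(sorted(compromised), int(g * n_guards))
    honest = [r for r in relays if r not in compromised]
    good_guards = rng.sample(honest, n_guards - len(bad_guards))
    return relays, bad_guards + good_guards, compromised


def build_circuit(relays, guards, rng):
    """Entry from the guard set, middle and exit from the remaining relays
    (a toy stand-in for Tor's path selection)."""
    entry = rng.choice(guards)
    middle, exit_ = rng.sample([r for r in relays if r != entry], 2)
    return (entry, middle, exit_)


def probe(circuit, compromised):
    """Outcome of fetching a small file over `circuit` under selective DoS:
    a compromised relay forwards traffic only when both the entry and the
    exit are compromised; otherwise it drops the circuit."""
    entry, _, exit_ = circuit
    if not any(r in compromised for r in circuit):
        return True                                         # H-H-H survives
    return entry in compromised and exit_ in compromised    # C-X-C survives


def phase1(relays, guards, compromised, n, rng):
    """Build n random circuits and keep the ones whose probe succeeds."""
    circuits = [build_circuit(relays, guards, rng) for _ in range(n)]
    return [c for c in circuits if probe(c, compromised)]


def phase2(pool, compromised, k, th, rng):
    """Cross-check each survivor: swap its exit with the exit of k other pool
    circuits, re-probe, and accept it if at least th swapped circuits work."""
    accepted, rejected = [], []
    for i, circ in enumerate(pool):
        others = pool[:i] + pool[i + 1:]
        candidates = rng.sample(others, min(k, len(others)))
        successes = sum(probe((circ[0], circ[1], cand[2]), compromised)
                        for cand in candidates)
        (accepted if successes >= th else rejected).append(circ)
    return accepted, rejected


def is_compromised_circuit(circuit, compromised):
    """For a Phase-1 survivor this distinguishes C-X-C from H-H-H."""
    return circuit[0] in compromised and circuit[2] in compromised


def run_detection(seed=1):
    """Run both phases on a seeded toy network and report the outcome."""
    rng = random.Random(seed)
    relays, guards, compromised = build_network(N_RELAYS, T, G, rng)
    pool = phase1(relays, guards, compromised, N, rng)
    accepted, rejected = phase2(pool, compromised, K, TH, rng)
    bad = lambda c: is_compromised_circuit(c, compromised)
    return {
        "pool": len(pool),
        "compromised_in_pool": sum(bad(c) for c in pool),
        "accepted": len(accepted),
        "false_negatives": sum(bad(c) for c in accepted),     # C-X-C kept
        "false_positives": sum(not bad(c) for c in rejected), # H-H-H dropped
    }


if __name__ == "__main__":
    print(run_detection())
```

With these parameters roughly half of the Phase-1 circuits survive and only a handful of them are C-X-C, so a compromised survivor almost never finds Th compromised exits among its K candidates and is rejected, while honest survivors pass. Lowering K or Th, or raising g, is the quickest way to see the trade-off the summary describes.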

The paper develops a probabilistic model to quantify false‑positive (FP) and false‑negative (FN) rates. The number of compromised circuits after Phase 1 follows a binomial distribution with success probability derived from the overall compromised‑relay fraction t and the fraction of compromised guard relays g. Conditional on the numbers of compromised (c) and honest (h = N − c) circuits, the probability of FN is computed using a hypergeometric distribution that captures the chance of selecting at least Th compromised candidates among K draws. An analogous expression yields the FP probability. By selecting appropriate values for N, K, and Th, the authors demonstrate that FN can be kept below 5 % while FP stays under 2 % for realistic values of t (≤ 0.2) and g (≤ 1/3).
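The binomial-plus-hypergeometric model sketched above, carried through numerically. This is an added example and not the paper's own derivation: the exact success probability the paper uses is not reproduced on this page, so the code assumes that a Phase-1 circuit survives as C-X-C with probability g·t and as H-H-H with probability (1 − g)(1 − t)², and takes the pool's compromised count c as Binomial(N, p) with p the normalised C-X-C share. Given c, a compromised circuit is misclassified when at least Th of its K candidates (drawn without replacement from the other N − 1 circuits, of which c − 1 are compromised) are compromised, and an honest circuit is misclassified when fewer than Th candidates are honest; both are hypergeometric tails.

```python
from math import comb


def binom_pmf(n, p, c):
    """P[Binomial(n, p) = c]."""
    return comb(n, c) * p ** c * (1 - p) ** (n - c)


def hypergeom_tail(population, marked, draws, k_min):
    """P[X >= k_min] where X counts marked items among `draws` items drawn
    without replacement from `population` items, `marked` of them marked."""
    if draws > population:
        raise ValueError("cannot draw more items than the population holds")
    total = comb(population, draws)
    # math.comb returns 0 when k > n, so impossible terms vanish on their own.
    return sum(comb(marked, k) * comb(population - marked, draws - k)
               for k in range(k_min, draws + 1)) / total


def pool_compromised_prob(t, g):
    """Assumed share of Phase-1 survivors that are C-X-C: entry compromised
    with prob. g and exit with prob. t, versus an all-honest circuit."""
    p_c = g * t
    p_h = (1 - g) * (1 - t) ** 2
    return p_c / (p_c + p_h)


def error_rates(N, K, Th, t, g):
    """Expected FN rate (compromised circuits accepted) and FP rate (honest
    circuits rejected) for a pool of N survivors cross-checked with K
    candidates and threshold Th, averaged over c ~ Binomial(N, p)."""
    p = pool_compromised_prob(t, g)
    exp_fn = exp_fp = exp_c = exp_h = 0.0
    for c in range(N + 1):
        w = binom_pmf(N, p, c)
        h = N - c
        if c >= 1:
            # other N-1 circuits hold c-1 compromised exits; need >= Th of them
            fn_c = hypergeom_tail(N - 1, c - 1, K, Th)
            exp_fn += w * c * fn_c
        if h >= 1:
            # other N-1 circuits hold h-1 honest exits; fail if < Th of them
            fp_c = 1.0 - hypergeom_tail(N - 1, h - 1, K, Th)
            exp_fp += w * h * fp_c
        exp_c += w * c
        exp_h += w * h
    return exp_fn / exp_c, exp_fp / exp_h


if __name__ == "__main__":
    # Worst-case realistic parameters quoted in the summary: t = 0.2, g = 1/3.
    for Th in (4, 6, 8):
        fn, fp = error_rates(N=40, K=10, Th=Th, t=0.2, g=1 / 3)
        print(f"Th={Th}: FN={fn:.4f}  FP={fp:.4f}")
```

Raising Th pushes the FN rate down and the FP rate up, which is the knob the summary refers to when it says modest adjustments to K and Th absorb adaptive adversaries; the values printed are for the assumed survival model, not the paper's reported figures.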

Performance evaluation combines extensive simulations and real‑world experiments. Simulations explore a range of compromised‑relay fractions (t = 0.1–0.3) and natural network failure rates (d). Results show that the algorithm requires roughly 5 % of the total Tor bandwidth for probing traffic and can refresh a pool of usable circuits within about ten minutes. Real‑world tests involve deploying a set of malicious relays that execute selective DoS; the detection algorithm successfully filters out compromised circuits, leaving only honest ones for actual traffic. The authors also consider adaptive adversaries who may probabilistically drop traffic or attempt to blend probes with normal traffic. They argue that modest adjustments to K and Th mitigate these strategies without incurring prohibitive overhead.

Compared with prior work, the proposed method avoids a centralized blacklist, reduces probing load dramatically, and can be run independently by each client. However, the approach assumes that the fraction of compromised guard relays remains low; if many guards are malicious, the detection cost rises and the attack’s impact is amplified. The paper acknowledges this limitation and suggests future work on guard‑selection hardening.

In summary, the authors present a practical, probabilistic detection scheme that substantially mitigates selective DoS attacks on Tor while imposing modest bandwidth overhead, thereby strengthening the overall anonymity guarantees of the network.
