Effectiveness and detection of denial of service attacks in Tor

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Tor is currently one of the more popular systems for anonymizing near real-time communications on the Internet. Recently, Borisov et al. proposed a denial of service based attack on Tor (and related systems) that significantly increases the probability of compromising the anonymity provided. In this paper, we analyze the effectiveness of the attack using both an analytic model and simulation. We also describe two algorithms for detecting such attacks, one deterministic and proved correct, the other probabilistic and verified in simulation.


💡 Research Summary

The paper investigates a denial‑of‑service (DoS) based attack on the Tor anonymity network, originally described by Borisov et al., and evaluates both its effectiveness and possible counter‑measures. The authors first model Tor as a fully connected undirected graph where vertices represent relays and edges represent network links. A Tor circuit consists of three relays (entry, middle, exit). The attacker controls a subset of relays that have Guard and/or Exit flags. Key attacker parameters are defined: g (fraction of total Guard bandwidth controlled), e (fraction of total Exit bandwidth controlled), z (fraction of Guard‑Exit bandwidth controlled), p_kill (probability of killing a compromised but uncontrolled circuit), and p_permit (probability of allowing a circuit that the attacker already controls).

Using these parameters, the paper derives closed‑form expressions for the probability that a compromised relay is selected as entry, middle, or exit, taking into account Tor’s bandwidth‑weighting scheme (weights w_G, w_E, w_Z derived from the overall fractions γ = G/T, η = E/T, ζ = Z/T). The analysis shows that even with modest g and e values, an attacker who always kills compromised but uncontrolled circuits (p_kill = 1) and never kills controlled circuits (p_permit = 1) can dramatically increase the chance of eventually controlling a client’s circuit, because each forced rebuild gives the attacker a fresh opportunity to be selected as both entry and exit.

The effectiveness is quantified through a thought experiment: a client repeatedly builds circuits until a “successful” circuit is obtained (i.e., not killed by the attacker) or until K attempts have failed, at which point the client gives up. The probability that the attacker ultimately controls the client’s successful circuit is computed as a function of g, e, p_kill, p_permit, and the fixed network parameters γ = 0.70, η = 0.40, ζ = 0.30 (values measured from the live Tor network in June 2011). Simulations based on real Tor trace data confirm the analytic predictions and illustrate how varying p_kill and p_permit shifts the attacker’s success curve.
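The retry experiment above can be reproduced with a reduced model. This is an added example, not code from the paper: it assumes the entry and exit are drawn independently with compromise probabilities g and e, and it ignores the middle relay and the bandwidth weights w_G, w_E, w_Z. The function names and the sample values g = e = 0.2 are constructed.

```python
import random

def attempt_probs(g, e, p_kill, p_permit):
    """Per-attempt probabilities: (controlled success, other success, killed)."""
    controlled = g * e                    # attacker holds both entry and exit
    uncontrolled = g + e - 2 * g * e      # attacker holds exactly one end
    clean = 1.0 - controlled - uncontrolled
    win = controlled * p_permit
    lose = clean + uncontrolled * (1.0 - p_kill)
    killed = controlled * (1.0 - p_permit) + uncontrolled * p_kill
    return win, lose, killed

def p_controlled(g, e, p_kill, p_permit, K):
    """P(client settles on an attacker-controlled circuit within K attempts)."""
    win, _, killed = attempt_probs(g, e, p_kill, p_permit)
    if killed >= 1.0:
        return 0.0                        # every attempt dies; client gives up
    # Geometric sum over the attempts that were killed before the success.
    return win * (1.0 - killed ** K) / (1.0 - killed)

def p_give_up(g, e, p_kill, p_permit, K):
    """P(all K attempts are killed and the client gives up)."""
    return attempt_probs(g, e, p_kill, p_permit)[2] ** K

def simulate(g, e, p_kill, p_permit, K, trials=100_000, seed=1):
    """Monte Carlo check of p_controlled under the same assumptions."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        for _ in range(K):
            entry_bad = rng.random() < g
            exit_bad = rng.random() < e
            if entry_bad and exit_bad:
                if rng.random() < p_permit:
                    hits += 1             # client keeps a controlled circuit
                    break
            elif entry_bad or exit_bad:
                if rng.random() >= p_kill:
                    break                 # survived, but not controlled
            else:
                break                     # clean circuit
    return hits / trials

if __name__ == "__main__":
    for pk in (0.0, 0.5, 1.0):
        print(pk, round(p_controlled(0.2, 0.2, pk, 1.0, K=10), 4),
              round(simulate(0.2, 0.2, pk, 1.0, K=10), 4))
```

In this reduced model, g = e = 0.2 gives a 0.04 chance of a controlled circuit without killing and about 0.059 with p_kill = 1 and K = 10, which is the effect a client-side retry limit K has to be weighed against.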

For detection, the authors first present a deterministic algorithm and prove it correct: in an idealized Tor‑like system with n relays, probing at most 3n distinct paths is sufficient to identify any attacker who forces circuit rebuilds, because the attacker’s relays will exhibit an anomalously high circuit‑kill rate across those probes. While theoretically sound, this approach is impractical for large networks due to the required probing volume.

Consequently, a more practical probabilistic detection algorithm is proposed. It randomly selects O(log n) paths, measures the proportion of killed circuits on each relay, and applies a statistical hypothesis test to flag relays whose kill rate exceeds a threshold derived from the expected baseline. Simulations show that when p_kill ≥ 0.6, the algorithm detects the attacker with >95 % success while maintaining a false‑positive rate below 2 %. The authors also evaluate the impact of relaxing the analytical assumptions (e.g., non‑replacement path selection, natural relay failures unrelated to the attacker) and find that detection performance degrades only modestly, indicating robustness in realistic settings.
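A sketch of the per-relay kill-rate test described above, as an added example that is not the paper's algorithm or code. It assumes uniform relay selection rather than Tor's bandwidth weighting, uses a one-sided z-test against the pooled kill rate as the hypothesis test, and runs on a constructed 60-relay network; the probe count, p_fail and the threshold are constructed parameters.

```python
import math
import random
from collections import Counter

def run_probes(n, attackers, probes, p_kill, p_fail, rng):
    """Build random 3-relay probe circuits; return per-relay (seen, killed)."""
    seen, killed = Counter(), Counter()
    for _ in range(probes):
        path = rng.sample(range(n), 3)            # [entry, middle, exit]
        hostile = [r in attackers for r in path]
        controlled = hostile[0] and hostile[2]    # attacker holds both ends
        dead = rng.random() < p_fail              # natural failure
        if any(hostile) and not controlled:
            dead = dead or rng.random() < p_kill  # selective kill
        for r in path:
            seen[r] += 1
            killed[r] += dead
    return seen, killed

def flag_relays(seen, killed, z_threshold=4.0):
    """Flag relays whose kill rate is significantly above the pooled rate."""
    base = sum(killed.values()) / sum(seen.values())
    flagged = set()
    for relay, k in seen.items():
        stderr = math.sqrt(base * (1.0 - base) / k)
        if stderr > 0 and (killed[relay] / k - base) / stderr > z_threshold:
            flagged.add(relay)
    return flagged

def demo(seed=7):
    rng = random.Random(seed)
    attackers = {3, 17, 42}                       # constructed ground truth
    seen, killed = run_probes(60, attackers, 3000,
                              p_kill=0.8, p_fail=0.02, rng=rng)
    return attackers, flag_relays(seen, killed)

if __name__ == "__main__":
    truth, flagged = demo()
    print("flagged:", sorted(flagged), "truth:", sorted(truth))
```

Honest relays also see elevated kill rates because they share paths with hostile ones, which is why the baseline here is the pooled rate over all probes rather than the natural failure rate alone.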

The paper discusses operational considerations for deploying the detection mechanisms in the live Tor network, such as the additional traffic overhead, privacy implications of probing, and coordination with relay operators. It also compares the proposed detection methods with prior client‑level defenses (e.g., Das and Borisov 2011) and argues that the probabilistic algorithm offers superior detection accuracy with manageable implementation complexity.

Overall, the study provides a rigorous quantitative assessment of DoS‑based circuit‑control attacks on Tor, demonstrates that such attacks can significantly compromise anonymity under realistic attacker capabilities, and introduces both a theoretically optimal and a practically viable detection framework, thereby contributing valuable tools for strengthening Tor’s security posture.

