DeTor: Provably Avoiding Geographic Regions in Tor

Large, routing-capable adversaries such as nation-states have the ability to censor and launch powerful deanonymization attacks against Tor circuits that traverse their borders. Tor allows users to specify a set of countries to exclude from circuit selection, but this provides merely the illusion of control, as it does not preclude those countries from being on the path between nodes in a circuit. For instance, we find that circuits excluding US Tor nodes definitively avoid the US 12% of the time.

We introduce DeTor, a set of techniques for proving when a Tor circuit has avoided user-specified geographic regions. DeTor extends some of our prior work on Alibi Routing, a peer-to-peer system that allows users to understand and control where in the world their packets don't go.

Powerful, routing-capable attackers control large networks within the Internet. Some countries block at their borders communication with particular end-hosts. Other countries have been known to monitor communication through their borders. These capabilities pose threats to Tor:

• Censorship: An attacker can block Tor traffic between two Tor routers if that traffic happens to traverse the attacker's network. This makes it more challenging to establish working Tor circuits.
• Deanonymization: By monitoring communication between Tor routers, attackers can correlate the traffic patterns. If the attacker can match the entry leg of a circuit to the exit leg of the circuit, then it can deanonymize the source and destination of a circuit, ultimately defeating the primary purpose of Tor.

The idea behind provable avoidance is to keep traffic from traversing regions of the world that might be launching attacks like these.

DeTor offers two kinds of avoidance:

• Never-once proves that packets forwarded along a circuit never traversed a given geographic region, even once. With this, users can avoid website fingerprinting attacks and censoring regimes.
• Never-twice proves that packets forwarded along a circuit do not reveal more information to a geographically constrained adversary than is strictly necessary by ensuring that they do not appear on two non-contiguous legs of the Tor circuit. With this, users can prevent certain deanonymization attacks.

For both of these kinds of avoidance, DeTor offers proof that it has successfully avoided singly or doubly traversing a geographic region.

At a high level, DeTor first computes shortest possible geographic distance a packet would have to travel to go through a given Tor circuit and through parts of the world the users wishes it to avoid. Because information cannot travel faster than the speed of light, the shortest distance also tells us the shortest time to go through the circuit and the forbidden regions. If this time is greater than the measured round-trip-time to actually communicate through the circuit, then this tells us it could not have gone through the forbidden region.

For detailed information, please view our USENIX Security 2017 paper.

In short, because using tools like traceroute does not give us the ability to prove that we have avoided attackers' networks.

A tempting way to tell whether a given circuit avoids a geographic region is to measure the very routers on the path using a tool like traceroute: if an attacker's routers can be shown to be on the circuit's path, then one should simply avoid that circuit.

Unfortunately, it is relatively straightforward for attackers to hide at least parts of their networks from tools like traceroute. (For instance, they could forward packets without decrementing TTLs or they could simply not send back ICMP responses when TTL=0.) It is not uncommon for even benign network operators to avoid responding to such tools, as it potentially allows an attacker to map one's networks.

The following people have contributed to this project:

• Zhihao Li (University of Maryland)
• Stephen Herwig (University of Maryland)
• Soumya Indela (University of Maryland)
• Dave Levin (University of Maryland)