Large, routing-capable adversaries such as nation-states have
the ability to censor and launch powerful deanonymization attacks
against Tor circuits that traverse their borders. Tor allows
users to specify a set of countries to exclude from circuit
selection, but this provides merely the illusion of control, as
it does not preclude those countries from being on the path
between nodes in a circuit. For instance, we find that circuits
excluding US Tor nodes definitively avoid the US 12% of the time.
We introduce DeTor
, a set of techniques for proving when
a Tor circuit has avoided user-specified geographic regions. DeTor
extends some of our prior work on Alibi Routing
a peer-to-peer system that allows users to understand and
control where in the world their packets don't
WHY DOES TOR NEED PROVABLE AVOIDANCE?
Powerful, routing-capable attackers control large networks within the
Internet. Some countries block at their borders communication with
particular end-hosts. Other countries have been known to monitor
communication through their borders. These capabilities pose threats
- Censorship: An attacker can block Tor traffic
between two Tor routers if that traffic happens to traverse
the attacker's network. This makes it more challenging to establish
working Tor circuits.
- Deanonymization: By monitoring communication between Tor
routers, attackers can correlate the traffic patterns. If the attacker can
match the entry leg of a circuit to the exit leg of the circuit, then it can
deanonymize the source and destination of a circuit, ultimately defeating the
primary purpose of Tor.
The idea behind provable avoidance is to keep traffic from traversing regions of
the world that might be launching attacks like these.
WHAT DOES DeTor AVOID?
DeTor offers two kinds of avoidance:
- Never-once proves that packets forwarded along a circuit
never traversed a given geographic region, even once. With this,
users can avoid website fingerprinting attacks and censoring regimes.
- Never-twice proves that packets forwarded along a circuit
do not reveal more information to a geographically
constrained adversary than is strictly necessary by ensuring
that they do not appear on two non-contiguous legs
of the Tor circuit. With this, users can prevent certain
For both of these kinds of avoidance, DeTor offers proof
has successfully avoided singly or doubly traversing a geographic region.
HOW DOES DeTor WORK?
At a high level, DeTor first computes shortest possible geographic
distance a packet would have to travel to go through a given Tor
through parts of the world the users wishes it to
avoid. Because information cannot travel faster than the speed of
light, the shortest distance
also tells us the shortest
to go through the circuit and the forbidden regions. If
this time is greater than the measured round-trip-time to actually
communicate through the circuit, then this tells us it could not have
gone through the forbidden region.
For detailed information, please view our
USENIX Security 2017 paper
WHY NOT JUST USE traceroute?
In short, because using tools like
traceroute does not give
us the ability to prove that we have avoided attackers' networks.
A tempting way to tell whether a given circuit avoids a geographic
region is to measure the very routers on the path using a tool like
traceroute: if an attacker's routers can be shown to be on
the circuit's path, then one should simply avoid that circuit.
Unfortunately, it is relatively straightforward for attackers to hide
at least parts of their networks from tools like
(For instance, they could forward packets without decrementing TTLs or
they could simply not send back ICMP responses when TTL=0.) It is not
uncommon for even benign network operators to avoid responding to such
tools, as it potentially allows an attacker to map one's networks.
CODE AND DATA
The code and data from our USENIX Security 2017 paper are available
(code & data)
(3 MB) Contains the DeTor simulation code as well as the initial
input files describing Tor nodes and latencies. Instructions for building and
running are provided in the README.
DeTor: Provably Avoiding Geographic Regions in Tor
Zhihao Li, Stephen Herwig, Dave Levin
USENIX Security 2017
The following people have contributed to this project: