Tor is an anonymity network that allows users to browse the internet privately and access hidden services anonymously. It works by routing traffic through a distributed network of volunteer servers run by ordinary people, making it difficult to trace back traffic to its source. While Tor aims to provide strong anonymity, attacks are still possible against the network depending on the resources and level of access an attacker has, such as corrupting entry, exit or directory servers. Website fingerprinting through machine learning is one such attack that can analyze traffic patterns to recognize sites visited over Tor.

1. 12th CENTRAL & EASTERN EUROPEAN
SOFTWARE ENGINEERING CONFERENCE IN RUSSIA
October 28 - 29, Moscow
Aleksandr Lazarenko
Anonymity of Tor: myth and reality
NRU HSE

2. 2
What
is
Tor?

3. The Onion Router
Anonymous network
Volunteer servers
Free software
Browser
&
Messenger
3

4. 4

5. 5
Tor is
distributed

6. 6
Every server is VOLUNTEER

7. 7
So what

8. 8
The larger the
network

9. 9
The greater
the anonymity

10. 10

11. 11
1998
The Onion Routing
DARPA*
Free Haven Project
MIT
* Defense Advanced Research Projects Agency

12. 12
2002
DECLASSIFIED
Launched
Open-source

13. 13
2009
Mozilla Firefox
Out-of-the box
Browser
Tor inside

14. 14
Tor
Messenger
2015
Private chats
Anonymity
Messenger
Tor inside

15. 15

16. 16
2 000 000
Users per day

17. 17
0 50000 100000 150000 200000 250000 300000 350000 400000 450000
Netherlands
Japan
Brazil
Italy
Spain
UK
Russia
France
Germany
USA
Number of users per day

18. 18
Unique
Hidden
Services

19. 19
Tor
Relays

20. Who are users?
20

21. Just
people
21

22. Journalists
&
Bloggers
22

23. Police
&
friends
23

24. Business
24

25. Military
25

26. IT
pros
26

27. Crime
27

28. WHY
DEEP WEB?
28

29. Because
HIDDEN Services!
29

30. 30
Anonymous
server
2004
Only for Tor
.onion
Anonymity for Servers

31. 31
Inaccessible
On the
Internet

32. WikiLeaks:
32
http://suw74isz7wqzpmgu.onion

33. 33
How
does it
work?

34. 34
Tor Client
User
Connects with Tor
Has installed soft
Any PC

35. 35
Entry guard
Relay
Speaks with Client
Encrypts data
Retranslates data
Entry

36. 36
Middle
Relay
Speaks with Entry
Encrypts data
Speaks with Exit
Entry
Middle
Exit

37. 37
Exit
Relay
Speaks with Middle
Encrypts data
Speaks with Endpoint
Exit
Middle
Endpoint

38. Default circuit
middle
exit
Endpoint
entry
Encrypted connection
Just connection
38
Tor Client

39. Client
receives the
list of all Tor
nodes from
directory
server
Tor Client
Directory server
Endpoint #1
Endpoint #2
Encrypted connection
Just connection
39
Step #1

40. Client
initializes the
random path
through the
network
Endpoint 1
Endpoint 2
entry
middle
exit
40ы
Encrypted connection
Just connection
Step #2
Tor Client
Directory server

41. Client
initializes
another
random path
Endpoint 1
Endpoint 2
entry
middle
exit
41
Tor Client
Directory server
Encrypted connection
Just connection
Step #3

42. 42

43. 43
ONLY
CRIMINALS
USE
TOR

44. 0
2
4
6
8
10
12
14
16
18
Porn Drugs Politics Forgery Anonymity
44
The most popular content

45. 45

46. 46
TOR IS
ANONYMOUS
COMPLETELY

47. Gov.
VS
Tor 47

48. 48
Silk Road
Used to be the biggest Drug Store
Revenue:
9.5 mln BTC
Closed by FBI
Founder is
life sentenced

49. 49

50. Attacker only observes
traffic, without
modifying it
Attacks
Attacker observes and
modifies traffic
Passive Active
50

51. 51
Classification
# Resources Attacks
1 Corrupted entry guard  Website fingerprinting attack
2 Corrupted entry and exit nodes  Traffic analysis
 Timing attack
 Circuit fingerprinting attack
 Tagging attack
3 Corrupted exit node  Sniffing of intercepted traffic
4 Corrupted entry and exit nodes,
external server
 Browser based timing attack with
JavaScript injection
 Browser based traffic analysis attack
with JavaScript injection
5 Autonomous system  BGP hijacking
 BGP interception
 RAPTOR attack
6 Big number of various
corrupted nodes
 Packet spinning attack
 CellFlood DoS attack
 Other DoS and DDoS attacks

52. Website
fingerprinting
attack
52

53. The Idea:
Data mining Machine learning
53

54. Attackers strategy
Tor Client
Entry
Exit
DB
website
Data mining
Classifier
training
Website
recognition
54

55. Feature extraction levels
55
Cell 1 Cell 2 Cell 3 Cell 4 Cell 5
Record 1 Record 2
Packet 1 Packet 2 Packet 3
Cells
TLS
TCP

56. Attack as a classification problem
Classes
Tracked
websites
Other
56

57. 57
The Oracle problem!
Problem?

58. 58

59. 59
7
Websites
5
Men
1
Relay
80Traffic
Instances
5Uploads
per website
0.71
Accuracy
5Seconds
split

60. Aleksandr Lazarenko
avlazarenko@edu.hse.ru
60