Measuring and mitigating AS-level adversaries against Tor

The popularity of Tor as an anonymity system has made it a popular target for a variety of attacks, including blocking, denial of service, and timing attacks. In this paper, we focus on timing attacks, which are no longer solely in the realm of academic research given recent revelations about the NSA and GCHQ actively working to implement them in practice. We specifically focus on recently exposed timing attacks that leverage asymmetric routing and information gained on reverse network paths (e.g., via TCP ACK numbers) to deanonymize Tor users. First, we present an empirical study which leverages scalable algorithmic simulations of routing policies on an up-to-date map of the Internet's topology, including complex AS relationships and sibling ASes. Our approach allows us to gain a high-fidelity snapshot of the threat of timing correlation attacks in the wild. In our experiments, we find that 58% of all circuits created by Tor are vulnerable to attacks by timing correlation and colluding sibling ASes. In addition, we find that in some regions (notably, China) there exist a number of cases where it is not possible for Tor to construct a circuit that is safe from these correlation attacks. To mitigate the threat of such attacks, we build Astoria -- an AS-aware Tor client. Astoria leverages recent developments in network measurement to perform path prediction and intelligent relay selection. Astoria not only reduces the number of vulnerable circuits to 5.8%, but also considers how circuits should be created when there are no safe possibilities. Astoria also performs load balancing across the Tor network, so as not to overload low-capacity relays. In addition, Astoria provides reasonable performance even in its most secure configuration.
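The kind of check an AS-aware client has to make can be sketched as follows. This is an added example, not Astoria's code: the AS paths, relay names and sibling map are constructed, and the fallback used when no safe pair exists (fewest common organisations) is an assumption, since the abstract does not state Astoria's strategy or model its load balancing.

```python
from itertools import product

# Constructed sample data. ASNs are from the documentation range (RFC 5398).
SIBLINGS = {64500: "orgA", 64501: "orgA"}  # two ASes run by one organisation
# relay -> (forward AS path, reverse AS path); they differ under asymmetric routing
ENTRY_PATHS = {  # client <-> entry relay
    "guard1": ([64496, 64500], [64497, 64502]),
    "guard2": ([64496, 64503], [64503, 64496]),
}
EXIT_PATHS = {  # exit relay <-> destination
    "exit1": ([64504, 64505], [64505, 64501]),
    "exit2": ([64504, 64502], [64502, 64504]),
}

def org(asn, siblings):
    """Map an AS to its sibling group; an AS with no known siblings is its own group."""
    return siblings.get(asn, asn)

def segment_orgs(forward, reverse, siblings):
    """Organisations that see a segment in either direction."""
    return {org(a, siblings) for a in forward} | {org(a, siblings) for a in reverse}

def threats(entry_side, exit_side, siblings):
    """Organisations present on both ends of the circuit, able to correlate timing."""
    return segment_orgs(*entry_side, siblings) & segment_orgs(*exit_side, siblings)

def pick_circuit(entry_paths, exit_paths, siblings):
    """Return (entry, exit, threats) for the pair with the fewest common organisations.

    An empty threat set means the pair is safe. If no pair is safe, the least
    exposed pair is returned (assumed fallback, not taken from the paper).
    """
    best = None
    pairs = product(sorted(entry_paths.items()), sorted(exit_paths.items()))
    for (entry, entry_side), (exit_, exit_side) in pairs:
        common = threats(entry_side, exit_side, siblings)
        if best is None or len(common) < len(best[2]):
            best = (entry, exit_, common)
    return best

if __name__ == "__main__":
    for e, x in product(ENTRY_PATHS, EXIT_PATHS):
        print(e, x, threats(ENTRY_PATHS[e], EXIT_PATHS[x], SIBLINGS) or "safe")
    print("chosen:", pick_circuit(ENTRY_PATHS, EXIT_PATHS, SIBLINGS))
```

In the sample data, guard1 with exit1 shares no AS on the forward paths; the exposure only appears once the reverse path and the sibling relationship are taken into account.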