Measuring and mitigating AS-level adversaries against Tor

The popularity of Tor as an anonymity system has made it a popular target for a variety of attacks, including blocking, denial of service, and traffic correlation attacks. In this paper, we focus on traffic correlation attacks, which are no longer solely in the realm of academic research given recent revelations about the NSA and GCHQ actively working to implement them in practice. We specifically focus on recently exposed traffic correlation attacks that leverage asymmetric routing and information gained on reverse network paths (e.g., via TCP ACK numbers) to deanonymize Tor users. First, we present an empirical study which leverages scalable algorithmic simulations of routing policies on an up-to-date map of the Internet's topology, including complex AS relationships and sibling ASes. Our approach allows us to gain a high-fidelity snapshot of the threat of traffic correlation attacks in the wild. In these experiments, we find that up to 58% of all circuits created by Tor are vulnerable to attacks by traffic correlation and colluding sibling ASes. In addition, we find that in some regions (notably, China) there exist many cases where it is not possible for Tor to construct a circuit that is safe from these correlation attacks, regardless of the relay selection algorithm used. To mitigate the threat of such attacks, we build Astoria -- an AS-aware Tor client. Astoria leverages recent developments in network measurement to perform path prediction and intelligent relay selection. Astoria not only reduces the number of vulnerable circuits to under 5.1%, but also considers how circuits should be created when there are no safe possibilities. Astoria also performs load balancing across the Tor network, so as not to overload low-capacity relays. In addition, Astoria provides reasonable performance even in its most secure configuration.
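The exposure condition described in the abstract can be checked mechanically once AS paths are known. The sketch below is an added example, not Astoria's code: it assumes forward and reverse AS paths have already been predicted for each segment, and the relay names, AS numbers and sibling grouping are constructed for illustration.

```python
from itertools import product

# Constructed sample data; AS numbers are from the documentation range.
SIBLINGS = [{64500, 64501}]  # assumed: two ASes run by one organization

# relay -> (forward AS path, reverse AS path) for its side of the circuit
ENTRY_SEGS = {  # client <-> entry relay
    "guardA": ([64496, 64497, 64510], [64510, 64500, 64496]),  # asymmetric
    "guardB": ([64496, 64498, 64511], [64511, 64498, 64496]),
}
EXIT_SEGS = {   # exit relay <-> destination
    "exitX": ([64505, 64501, 64509], [64509, 64502, 64505]),
    "exitY": ([64506, 64503, 64509], [64509, 64503, 64506]),
}

def org_of(asn, siblings):
    """Collapse sibling ASes into one organization id (smallest ASN)."""
    for group in siblings:
        if asn in group:
            return min(group)
    return asn

def observers(fwd_path, rev_path, siblings):
    """Organizations that see either direction of one circuit segment."""
    return {org_of(a, siblings) for a in (*fwd_path, *rev_path)}

def correlating_orgs(entry_seg, exit_seg, siblings=SIBLINGS):
    """Organizations positioned on both ends of the circuit."""
    return observers(*entry_seg, siblings) & observers(*exit_seg, siblings)

def safe_pairs(entry_segs=ENTRY_SEGS, exit_segs=EXIT_SEGS, siblings=SIBLINGS):
    """Entry/exit pairs with no common observer; empty if none exist."""
    return sorted(
        (g, x) for g, x in product(entry_segs, exit_segs)
        if not correlating_orgs(entry_segs[g], exit_segs[x], siblings)
    )

if __name__ == "__main__":
    print(correlating_orgs(ENTRY_SEGS["guardA"], EXIT_SEGS["exitX"]))
    print(safe_pairs())
```

In this data the guardA/exitX circuit is flagged only when both the reverse path and the sibling grouping are taken into account; a forward-path-only or per-AS check reports it as safe.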