Mitigating Fingerprinting Attacks Against Location Based Path Selection in Tor

Abstract

The Tor network is vulnerable to both passive attacks as well as active attacks that manipulate network routing. These attacks degrade a client’s anonymity and privacy. Location based path selection algorithms, such as DeNASA and Counter-RAPTOR have been suggested to increase the network’s resilience to such active attacks. However, these selection schemes depend on the client’s location, and thus, over multiple selections leak probabilistic information about the client’s identity. This leaves a client vulnerable to statistical fingerprinting attacks. An autonomous system (AS) level adversary can observe these guard selections and deanonymise Tor clients. This work proposes and investigates the use of client aliasing. Client aliasing is when client ASes are clustered together, and member ASes mimic the guard selection behaviour of the cluster representative. Clustering provides a minimum anonymity set for Tor clients, which makes them resilient to statistical fingerprinting attacks, since an AS level adversary may be able to locate the cluster of ASes that the client is from, but will not be able to pinpoint the specific AS the Tor client is from. It is expected however, that when member ASes mimic the guard selection behaviour of the representative AS, some of the resilience gained from location based path selection will be lost. Client aliasing on the DeNASA algorithm is investigated. Several metrics are tested and presented. The results show that using client aliasing can be used to mitigate against fingerprinting attacks without significantly degrading the security properties of using location based path selection schemes against active attacks.