The Tor network is the most popular anonymity network and is currently used by millions of users all over the world. Nevertheless, Tor has no access control for its users, which leaves the network susceptible to malicious attacks and botnet abuse. For instance, adversaries often use exit relay nodes as stepping stones for various forms of malicious attacks, forcing service providers to serve CAPTCHAs to requests from exit relay nodes’ IP addresses or even blacklist them all, which results in major usability problems for honest Tor users.
To mitigate this problem, a group of researchers recently proposed “TorPolice”, the first privacy-preserving access control framework for Tor. TorPolice enables abuse-plagued service providers, e.g. Yelp, to implement access rules that police and suppress malicious requests conveyed via the Tor network, while still offering network services to honest Tor users. Furthermore, TorPolice endows Tor with universal access control for relay nodes, thus maximizing Tor’s immunity against botnet attacks. The developers of the framework tested a prototype of TorPolice which proved that it can greatly improve the privacy of users of the Tor network.
The Design Goals of TorPolice:
TorPolice adds access control to the anonymous connections taking place over the Tor network, which benefits both service providers and the Tor network itself. Unlike previously proposed capability-based frameworks, TorPolice is designed to address three challenges:
- Preservation of the anonymity of Tor’s users.
- Prevention of creation of central control points.
- Creation of an incrementally implementable framework.
Service-defined access policies: Almost 70% of all exit relay nodes across the Tor network are listed as comment spammers by Project Honey Pot, which has caused a large number of service providers and content delivery networks (CDNs) to filter and block network traffic emerging from Tor. To alleviate this tension between service providers and Tor users, TorPolice is designed to enable service providers to outline and enforce special access rules for all forms of Tor connections, enabling them to prevent malicious attacks originating from Tor while still offering their services to honest Tor users. As such, TorPolice is a resilient framework that enables service providers to outline their special access policies.
Prevention of botnet attacks over Tor: As the Tor network is itself a form of service provider, it is vulnerable to botnet abuse, such as botnets that rely on command and control (CC) servers hosted as anonymous onion services, as well as DDoS attacks that target selected relay nodes. TorPolice’s framework makes it possible for the Tor network to control how Tor’s clients use the network, making it possible to shield the network against this abuse. Unlike local rate limiting at each relay node, the access control provided by TorPolice is global, i.e. an adversary cannot bypass the framework’s defenses by connecting to all relay nodes.
Preservation of the privacy of Tor users:
TorPolice doesn’t undermine the anonymity guarantees of Tor. Even though TorPolice adds a new functionality layer, access control, this layer unlinks the activity of a Tor user from his/her identity, thus preserving the online anonymity of Tor users.
Fully decentralized and partially trusted authorities:
In keeping with Tor’s design goal of decentralized trust, TorPolice depends on a group of fully decentralized, yet partially trusted, access authorities (AAs) to manage capabilities. An access authority (AA) is managed by either the Tor project or a trusted intermediary (third party). Even though Tor users can select any AA to obtain capabilities, no single AA possesses a universal view of all Tor users. Moreover, each of the available AAs is only partially trusted: once an AA acts dishonestly or becomes compromised, the service provider will blacklist it.
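The three properties above (service-defined policy, capabilities that are unlinkable to the user, and blacklisting of a misbehaving AA) can be seen together in a small added sketch, which is not code from the TorPolice authors. The page does not say how capabilities are issued; this sketch assumes textbook RSA blind signatures with toy keys, and every class and function name in it is hypothetical.

```python
import hashlib, secrets
from math import gcd

E = 65537  # public exponent shared by the toy keys below

class AccessAuthority:
    """Hypothetical AA: signs blinded values, so it never sees a capability."""
    def __init__(self, name, p, q):          # p, q: toy primes, far too small for real use
        self.name, self.n = name, p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))
        self.seen = []                        # everything this AA could log
    def sign_blinded(self, blinded):
        self.seen.append(blinded)
        return pow(blinded, self._d, self.n)

def digest(token, n):
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n

def request_capability(aa):
    """Client: blind a random token, have the AA sign it, unblind the result."""
    token = secrets.token_bytes(16)
    r = secrets.randbelow(aa.n - 2) + 2
    while gcd(r, aa.n) != 1:
        r = secrets.randbelow(aa.n - 2) + 2
    blinded = digest(token, aa.n) * pow(r, E, aa.n) % aa.n
    sig = aa.sign_blinded(blinded) * pow(r, -1, aa.n) % aa.n
    return token, sig

class ServiceProvider:
    """Service-defined policy: each capability buys a fixed number of requests."""
    def __init__(self, trusted_aas, requests_per_capability):
        self.aa_keys = {aa.name: aa.n for aa in trusted_aas}  # public moduli only
        self.budget = requests_per_capability
        self.used = {}
    def blacklist(self, aa_name):             # drop a dishonest or compromised AA
        self.aa_keys.pop(aa_name, None)
    def admit(self, aa_name, token, sig):
        n = self.aa_keys.get(aa_name)
        if n is None or pow(sig, E, n) != digest(token, n):
            return False                      # untrusted AA or invalid signature
        self.used[token] = self.used.get(token, 0) + 1
        return self.used[token] <= self.budget

if __name__ == "__main__":
    aa = AccessAuthority("aa-1", 2**61 - 1, 2**89 - 1)   # constructed toy key
    sp = ServiceProvider([aa], requests_per_capability=2)
    tok, sig = request_capability(aa)
    print([sp.admit("aa-1", tok, sig) for _ in range(3)])
    print(digest(tok, aa.n) in aa.seen)       # did the AA ever see the capability?
```

The service provider counts requests per capability rather than per exit IP address, and the AA's log holds only blinded values, so neither party can tie a request back to the issuance that paid for it.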
TorPolice is incrementally implementable. Up-to-date Tor users, relay nodes and service providers will benefit immediately from a partial implementation of TorPolice. On the other hand, outdated entities will continue to operate as before.
Non-goals of TorPolice’s design:
Several forms of attacks aim to disrupt Tor’s unlinkability. For example, an AS-level adversary can de-anonymize the online activities of a Tor user, provided that the adversary can monitor the network’s egress and ingress traffic. TorPolice is not designed to mitigate such unlinkability attacks. Instead, it simply preserves the unlinkability guarantees that the Tor network already provides.
According to the evaluation that the creators of TorPolice performed on their prototype, they proved that TorPolice can mitigate CC abuse on a large scale and also minimize cell flooding attacks targeting the Tor network.