Cells Break Tor's Anonymity: Onion Router



Abstract - To hide the communication of users, anonymity systems pack the application data into equal-sized cells. The size of IP packets in the Tor network can be very dynamic, and the IP layer may repack cells. A new cell-counting attack against Tor allows the attacker to confirm anonymous communication relationships among users quickly. By varying the number of cells in the target traffic at the malicious exit onion router, the attacker can embed a secret signal into the variation of the cell counter of the target traffic, and it will be carried along and arrive at the malicious entry onion router. Then an accomplice of the attacker will detect the signal based on the received cells and confirm the communication among the users. This attack has several features. First, it is highly efficient and confirms very short communication sessions with only tens of cells. Second, the attack is effective and the detection rate approaches 100% with a very low false positive rate. Third, it is possible to implement the attack in a manner that appears to be very hard for honest participants to detect.

Keywords - Anonymity, cell counting, mix networks, signal, Tor.


Anonymity has become a necessary and legitimate aim in many applications. Here encryption alone cannot maintain the anonymity required by users. Generally speaking, mix techniques can be used for either message-based or flow-based anonymity applications. Research on flow-based anonymity applications has received great attention in order to protect anonymity in low-latency applications, including Web browsing and peer-to-peer file sharing.

To degrade the anonymity service provided by anonymous communication systems, traffic analysis attacks have been used. The existing traffic analysis attacks can be classified into two types: passive traffic analysis and active watermarking techniques. The active watermarking technique has recently received much attention for improving the accuracy of the attack. The idea of this technique is to actively introduce special signals into the sender's outbound traffic with the intention of recognizing the embedded signal in the receiver's inbound traffic.

The core contribution of the paper is a new cell-counting-based attack against the Tor network. This attack confirms anonymous communication relationships among users accurately and quickly and is difficult to detect.

The attacker at the exit onion router picks up the data sent to a destination and then determines whether the data is a relay cell or a control cell in Tor. After excluding control cells, the attacker manipulates the number of relay cells in the circuit queue and flushes out all cells in the circuit queue. This way the attacker can embed a signal into the variation of the cell count during a short period in the target traffic. To recover the embedded signal, the attacker at the entry onion router detects and excludes the control cells, records the number of relay cells in the circuit queue and recovers the embedded signal.

The main features of the cell-counting-based attack are: (1) The attack is highly efficient and can quickly confirm very short anonymous communication sessions with tens of cells. (2) It is effective, and the detection rate approaches 100% with a very low false positive rate. (3) It makes it difficult for others to detect the presence of the embedded signal. The time-hopping-based signal embedding technique makes the attack even harder to detect.


There are two types of cells: control cells and relay cells. CELL_CREATE and CELL_CREATED are used for setting up a new circuit. CELL_DESTROY is used for releasing a circuit. A relay cell is used to carry TCP stream data from the client to Bob. Some of the relay commands are: RELAY_COMMAND_BEGIN, RELAY_COMMAND_END, RELAY_COMMAND_DATA, RELAY_COMMAND_SENDME, and RELAY_COMMAND_DROP.

The onion router (OR) maintains TLS connections to other ORs. The onion proxy (OP) uses source routing and chooses several ORs from the cached directory. The OP establishes a circuit across the Tor network and negotiates a symmetric key with each OR, one hop at a time, and also handles the TCP streams from client requests. The OR on the other side of the circuit connects to the requested destination and relays the data.

The OP sets up a TLS connection to OR1 using the protocol. Through this connection, the OP sends a CELL_CREATE cell and uses the Diffie-Hellman (DH) handshake protocol to negotiate a base key k1 = g^(xy) with OR1. From this key, a forward symmetric key kf1 and a backward key kb1 are derived. In this way the first-hop circuit C1 is established. Similarly, the OP extends the circuit to the second and third hops. After the circuit is set up, the OP sends a RELAY_COMMAND_BEGIN cell to the exit onion router, and the cell is encrypted as {{{Begin}kf3}kf2}kf1. While the cell traverses the circuit, the layers of onion skin are removed one by one. Finally, at OR3 the last onion skin is removed by decryption, and OR3 opens a TCP stream to a port at the destination IP, which belongs to Bob. OR3 sets up a TCP connection to Bob and sends a RELAY_COMMAND_CONNECTED cell back to Alice's OP. Then the client can download the file.


The TCP data is received by the OR from port A and is processed by the TCP and TLS protocols. Then the processed data is delivered to the TLS buffer. The read event is called to read and process the data pending in the TLS buffer. This read event moves the data from the TLS buffer into the input buffer. Then the read event processes cells from the input buffer one by one. Each OR has a routing table which maintains the map from source connection and circuit ID to destination connection and circuit ID.

The transmission direction of the cell can be determined by the read event. To append the cell to the destination circuit, the corresponding symmetric key is used to decrypt/encrypt the payload of the cell, and the current circuit ID is replaced with the destination circuit ID. The cell can be written directly to the destination connection if there is no data waiting in the output buffer, and the write event is added to the event queue. After the write event is called, the data is flushed to the TLS buffer of the destination. Then the write event pulls as many cells as possible from the circuit queue to the output buffer and adds the write event to the event queue. The next write event continues flushing data to the output buffer and pulling cells to the output buffer; otherwise the cell queued in the circuit queue can be delivered to the network via port B by calling the write event twice.

Fig. 2. Processing the cells at the onion router


The size of IP packets in the Tor network is very dynamic, and the cell-counting-based attack is built on this.

  1. Dynamic IP packets over Tor: The application data is packed into equal-sized cells (512 B). As the packets are transmitted over the Tor network, their size is dynamic. For this reason the size of packets from sender to receiver is random over time and many packets have varied sizes. The main reason for this is that the varied performance of ORs causes cells not to be promptly processed; also, if the network is congested, cells will not be delivered on time, so cells will merge and non-MTU (Maximum Transmission Unit) sized packets will show up.
  2. Workflow of the cell-counting-based attack:

Step 1: SELECTING THE TARGET: The attacker logs the information at the exit OR, including the server host IP address and port for a circuit and the circuit ID, and uses CELL_RELAY_DATA to transmit the data stream.

Step 2: ENCODING THE SIGNAL: Until the write event is called, the CELL_RELAY_DATA cells wait in the circuit queue. After the write event is called, the cells are flushed into the output buffer. Hence the attacker can manipulate the number of cells flushed to the output buffer all together. This way the attacker is able to embed the secret signal. To encode bit 1, the attacker flushes three cells from the circuit queue, and for bit 0, flushes one cell from the circuit queue.

Step 3: RECORDING PACKETS: After the signal is embedded in the target traffic, it will be transmitted to the entry OR along with the target traffic. The attacker at the entry OR will record the received cells and related information and needs to determine whether the received cells are CELL_RELAY_DATA cells.

Step 4: RECOGNIZING THE EMBEDDED SIGNAL: The attacker enters the phase of recognizing the embedded signal with the recorded cells. For this the recovery mechanisms are used. Once the original signal is identified, the attacker can link the communication between Alice and Bob.

There are two critical issues related to the attack: (1) Encoding signals at the exit OR: Two cells are not enough to encode a "1" bit, because if the attacker uses two cells to encode bit "1", the signal will be easily distorted over the network and hard to recover. When the two cells arrive at the input buffer at the middle OR, the first cell will be pulled into the circuit queue and then, if the output buffer is empty, the first cell will be flushed into it. Then the second cell will be pulled to the circuit queue. Since the output buffer is not empty, the second cell stays in the circuit queue. When the write event is called, the first cell will be delivered to the network, while the second cell is written to the output buffer and waits for the next write event. As a result, two originally combined cells will be split into two separate cells at the middle router. Therefore the attacker at the entry OR will observe two separate cells arriving at the circuit queue. These cells will be decoded as two "0" bits, leading the attacker to a wrong detection of the signal. To deal with this issue the attacker should choose at least three cells for carrying bit "1".
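The splitting behaviour described above can be reproduced with a small model of the middle OR's circuit queue and output buffer. This is an added example, not code from the paper or from Tor; the function names are hypothetical, and the model assumes an empty output buffer when a group arrives, no other traffic on the connection, and write events that run only after the read event has processed the whole group.

```python
def forward_group(n_cells):
    """Return the sizes of the bursts a middle OR writes for one arriving group.

    Constructed model of the processing described in the text, assuming the
    output buffer is empty when the group arrives, no other circuit shares
    the connection, and write events run after the read event has finished.
    """
    circuit_queue = 0   # cells waiting in the circuit queue
    output_buffer = 0   # cells waiting in the output buffer
    # Read event: cells are taken from the input buffer one by one.
    for _ in range(n_cells):
        circuit_queue += 1
        if output_buffer == 0:
            # Nothing is waiting, so the cell is written straight through.
            output_buffer, circuit_queue = circuit_queue, 0
    bursts = []
    # Write events: flush the output buffer, then pull the queued cells.
    while output_buffer:
        bursts.append(output_buffer)
        output_buffer, circuit_queue = circuit_queue, 0
    return bursts


def observed_bursts(groups):
    """Burst sizes seen downstream for a sequence of well-separated groups."""
    seen = []
    for n in groups:
        seen.extend(forward_group(n))
    return seen


def confusable_with_singles(n_cells):
    """True if a group of n_cells looks exactly like n_cells one-cell groups."""
    return forward_group(n_cells) == observed_bursts([1] * n_cells)


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, forward_group(n), confusable_with_singles(n))
```

In this model a two-cell group leaves the middle OR as two single cells, the same pattern as two one-cell groups, while a three-cell group leaves as one cell followed by two and remains distinguishable.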

For transmitting cells, a proper delay interval should be chosen: if the delay interval among the cells is too large, users are not able to tolerate the slow traffic and will choose another circuit to transmit the data. When this happens the attack will fail. And if the delay interval is too small, it will increase the chance that cells may be merged at the middle OR.

(2) Decoding signals at the entry OR: Distortion of the signal: the combination and division of cells will happen anyway due to unstable network delay and congestion. This will cause the embedded signal to be distorted, and the probability of recognizing the embedded signal will be reduced. Because of this distortion of the signal, a recovery mechanism can be used to recognize the embedded signal.

The combination and division of cells can be categorized into four types: (1) two types of cell division for a unit of the signal and (2) two types of cell combination for different units of the signal. To deal with these types of division and combination of the cells, the recovery algorithm can be used. If the number of cells recorded in the circuit queue is smaller than the number of cells of the original signal, the signal is recovered as one of the two types of cell division for a unit of the signal. If the number of cells recorded in the circuit queue is larger than the number of cells for carrying the signal, the recovered signal will be one of the two types of cell combination for different units of the signal. When the signals are recovered in these types with k ≤ 2, these signals are considered successfully identified; otherwise they cannot be identified.

  1. Attack Detectability: To improve the invisibility of the attack, the attacker can adopt the time-hopping-based signal embedding technique, which can reduce the probability of interception and recognition. The principle of this technique is that there exist random intervals between signal bits. At the exit OR, the durations of those intervals are varied according to a pseudorandom control code which is known only to the attackers. To recover this signal, the attacker at the entry OR can use the same secret control code to position the signal bits and recover the whole signal. If the interval between the bits is large enough, the inserted signal bits appear sparse within the target traffic and it is difficult to determine whether groups of cells are caused by network dynamics or by intent. Therefore the secret signal embedded into the target traffic is no different from noise. And once a malicious entry node has confirmed the communication relationship, it can separate the groups of cells by adding delay between the cells so that not even the client can observe the embedded signal. In this paper a signal is embedded into the target traffic, which represents a secret sequence of groups of one and three cells. With the time-hopping technique, groups of one and three cells are separated by random intervals and it is hard to differentiate them from those caused by network dynamics. Because the embedded signal is very short and known only to the attacker, it can be concluded that it is very difficult to distinguish traffic with embedded signals from normal traffic based on this very short secret sequence of cell groups.

In this paper, we presented a cell-counting-based attack against the Tor network. It can confirm the anonymous communication among users quickly and accurately and is very hard to detect. The attacker at the exit OR manipulates the transmission of cells from the target TCP stream and embeds a secret signal into the cell counter variation of the TCP stream. Then the attacker at the entry OR recognizes the embedded signal using the developed recovery algorithms and links the communication relationship among the users. In this attack the detection rate is a monotonically increasing function of the delay interval and a decreasing function of the variance of the one-way transmission delay along a circuit. This attack could drastically and quickly degrade the anonymity service that Tor provides. Because of the fundamental design of the Tor network, defending against this attack remains a very challenging task that we will investigate in future work.


