How vulnerable is the Tor Network to BGP Hijacking Attacks?

How resilient are the BGP prefixes containing Tor relays and what properties do we consider?

BGP Prefix Length

RPKI Validity State (ROAs)

Figure 1: NIST RPKI Monitor (https://rpki-monitor.antd.nist.gov)
Figure 2: RIPE NCC’s RPKI Stats shows that the number of distinct ASNs deploying ROAs is steadily growing (in the RIPE region) (https://certification-stats.ripe.net/)

ROA maxlength attribute

RIPE IRR coverage (in-region only)

Results

Figure 3
Figure 4
Figure 5: What fraction of Tor capacity has which RPKI state?

RIPE IRR Coverage (in-region only)

Figure 6: 77% of the Tor network capacity has a valid route object in RIPE IRR and is in the RIPE managed IP space.

IPv6 Prefixes

Figure 7
Figure 8

Who are the biggest RPKI ROA adopters on the Tor network?

+------------------------------+------+--------+
| as_name                      | CWfr | relays |
+------------------------------+------+--------+
| Hetzner Online GmbH          | 7.02 |    284 |
| Online S.a.s.                | 5.16 |    113 |
| myLoc managed IT AG          | 2.02 |     41 |
| netcup GmbH                  | 1.73 |     50 |
| NForce Entertainment B.V.    | 1.50 |     25 |
| Voxility S.R.L.              | 1.06 |     14 |
| SOFTplus Entwicklungen GmbH  | 0.81 |     15 |
| ISPpro Internet KG           | 0.62 |     21 |
| I.C.S. Trabia-Network S.R.L. | 0.61 |     45 |
| SWITCH                       | 0.48 |      9 |
| Telenor Norge AS             | 0.39 |     28 |
| Joshua Peter McQuistan       | 0.37 |      5 |
| 1&1 Internet SE              | 0.34 |      8 |
| Brass Horn Communications    | 0.33 |      6 |
| True B.V.                    | 0.30 |      1 |
| Deutsche Telekom AG          | 0.29 |    152 |
+------------------------------+------+--------+

Who are the biggest Tor related network operators not adopting ROAs (completely)?

+------------------------+-------+--------+
| as_name                | CWfr  | relays |
+------------------------+-------+--------+
| OVH SAS                | 13.04 |    530 |
| Online S.a.s.          |  8.42 |    231 |
| Joshua Peter McQuistan |  2.83 |     27 |
| Hetzner Online GmbH    |  2.67 |     72 |
| DigitalOcean, LLC      |  1.80 |    274 |
| FranTech Solutions     |  1.41 |     35 |
+------------------------+-------+--------+

Recommendations for Tor Relay Operators

“Virtual” Route Origin Validation in the Tor Context

  1. It will eventually break the assumption that “the Tor network is a full mesh”. Relays in such RPKI ‘invalid’ prefixes with no alternative valid route will not be reachable from ASes performing ROV, but the Tor network assumes that every relay can reach every other relay. When ROV breaks that assumption, it is better to exclude these relays than to keep relays that are only partially reachable.
  2. An RPKI ‘Invalid’ route might just as well be an actual BGP hijacking attempt, so why not stop it?
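
The check behind this kind of “virtual” ROV, as an added example (not code from the original article or from Tor): RFC 6811 origin validation applied to the BGP prefix of each relay, which also flags ROAs whose maxLength is longer than the announced prefix. The VRPs, relays, ASNs, cw fractions and function names are constructed for illustration.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64502),   # loose: maxLength far beyond the /32
]

# Constructed relays: (nickname, BGP prefix of the relay IP, origin ASN, cw fraction %).
RELAYS = [
    ("relayA", "192.0.2.0/24", 64500, 1.2),
    ("relayB", "198.51.100.0/24", 64666, 0.4),   # origin differs from the ROA
    ("relayC", "203.0.113.0/24", 64503, 2.0),    # no covering ROA
    ("relayD", "2001:db8::/32", 64502, 0.9),
]

def rov_state(prefix, origin, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True                      # at least one ROA covers the route
        if asn == origin and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def loose_maxlength(prefix, origin, vrps=VRPS):
    """True if a matching ROA authorizes more-specifics than the announced route."""
    route = ipaddress.ip_network(prefix)
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if vrp.version == route.version and route.subnet_of(vrp) \
                and asn == origin and max_len > route.prefixlen:
            return True
    return False

def classify(relays=RELAYS):
    """Per-relay verdict to reject/flag on, plus cw fraction summed per RPKI state."""
    verdicts, capacity = {}, {"valid": 0.0, "invalid": 0.0, "not-found": 0.0}
    for nick, prefix, origin, cw in relays:
        state = rov_state(prefix, origin)
        verdicts[nick] = (state, loose_maxlength(prefix, origin))
        capacity[state] += cw
    return verdicts, capacity
```

Only relays in the `invalid` state would be candidates for rejecting or flagging; `not-found` prefixes simply have no ROA and are left alone.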

The unsolved problem: AS Path Verification

Key Takeaways

  • ROA adoption in the context of Tor is higher than on the general internet due to some big hosters (used by many relays) having adopted RPKI
  • ROA adoption could be increased significantly further even if only a very limited number of entities enabled them (due to the centralization around big ISPs like OVH)
  • legacy IP blocks are apparently the reason for a significant portion (>10%) of the Tor network not having ROAs yet
  • RIPE’s IRR (limited to RIPE managed space) covers most of the Tor network’s capacity (77%)
  • More than 84% of the Tor capacity uses RIPE managed IP space
  • Hijacking exit capacity is probably harder than hijacking guard capacity (due to the increased use of /24 prefixes for exits)
  • ROA adoption is higher for IPv6 than for IPv4, while IPv6 has fewer (none) RPKI ‘Invalid’ routes
  • a significant portion of ROAs has a weak maxlength attribute (this confirms what others have reported as well)
  • ROV could be performed by Tor directory authorities to cover all relays (by rejecting/flagging them) even if global ROV deployment rate is very low
  • most of the Tor network capacity is not covered by RPKI ROAs and is not located in /24 prefixes

Future Work: BGP Monitoring for Tor Prefixes

Acknowledgements

  • Tor Project’s onionoo from 2018-08-09 21:00 UTC for relay IP addresses, cw fraction, guard probability and exit probability data
  • RIPEstat for BGP prefix, ASN and IRR data. (We stumbled on a bug in RIPEstat’s IRR related part that might have a minor impact on the graph in figure 6, but we believe it to affect only a non-significant portion, <1% cw fraction)
  • RPKI Validator v2.24 (local instance with ARIN’s TAL enabled)
  • RIPE IP Space to filter IRR entries to RIPE in-region items only
  • CAIDA AS Rank API (2018-07-01)

Appendix

References to RIR documentation for creating/managing ROAs

Tor, Routing Security and DNS Privacy related Topics. https://nusenu.github.io

nusenu
