How vulnerable is the Tor Network to BGP Hijacking Attacks?

How resilient are the BGP prefixes containing Tor relays and what properties do we consider?

BGP Prefix Length

RPKI Validity State (ROAs)

Figure 1: NIST RPKI Monitor
Figure 2: RIPE NCC’s RPKI Stats shows that the number of distinct ASNs deploying ROAs is steadily growing (in the RIPE region)

ROA maxlength attribute

RIPE IRR coverage (in-region only)


Figure 3
Figure 4
Figure 5: What fraction of Tor capacity has which RPKI state?

RIPE IRR Coverage (in-region only)

Figure 6: 77% of the Tor network capacity has a valid route object in RIPE IRR and is in the RIPE managed IP space.

IPv6 Prefixes

Figure 7
Figure 8

Who are the biggest RPKI ROA adopters on the Tor network?

| as_name | CWfr (consensus weight fraction, %) | relays |
|---|---|---|
| Hetzner Online GmbH | 7.02 | 284 |
| Online S.a.s. | 5.16 | 113 |
| myLoc managed IT AG | 2.02 | 41 |
| netcup GmbH | 1.73 | 50 |
| NForce Entertainment B.V. | 1.50 | 25 |
| Voxility S.R.L. | 1.06 | 14 |
| SOFTplus Entwicklungen GmbH | 0.81 | 15 |
| ISPpro Internet KG | 0.62 | 21 |
| I.C.S. Trabia-Network S.R.L. | 0.61 | 45 |
| SWITCH | 0.48 | 9 |
| Telenor Norge AS | 0.39 | 28 |
| Joshua Peter McQuistan | 0.37 | 5 |
| 1&1 Internet SE | 0.34 | 8 |
| Brass Horn Communications | 0.33 | 6 |
| True B.V. | 0.30 | 1 |
| Deutsche Telekom AG | 0.29 | 152 |

Who are the biggest Tor related network operators not adopting ROAs (completely)?

| as_name | CWfr (consensus weight fraction, %) | relays |
|---|---|---|
| OVH SAS | 13.04 | 530 |
| Online S.a.s. | 8.42 | 231 |
| Joshua Peter McQuistan | 2.83 | 27 |
| Hetzner Online GmbH | 2.67 | 72 |
| DigitalOcean, LLC | 1.80 | 274 |
| FranTech Solutions | 1.41 | 35 |

Recommendations for Tor Relay Operators

“Virtual” Route Origin Validation in the Tor Context

  1. It will eventually break the “the Tor network is a full mesh” assumption. Relays in RPKI ‘invalid’ prefixes with no alternative valid route will not be reachable from ASes performing ROV, but the Tor network assumes that every relay can reach every other relay. When ROV breaks that assumption it is better to exclude these relays than to keep relays that are only partially reachable.
  2. An RPKI ‘Invalid’ route might just as well be an actual BGP hijacking attempt, so why not stop it?
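The “virtual” ROV described above, as an added example (not code from the original post or from the Tor Project): an RFC 6811 validator over a small set of ROAs and BGP announcements, followed by the per-relay decision a directory authority could take. The ROAs, announcements, relay addresses and ASNs are constructed sample data using documentation prefixes and private ASNs. The decision logic keeps the distinction the text draws: a relay whose most specific route is ‘invalid’ is only excluded when no covering less specific route would still carry traffic from ROV-filtering ASes.

```python
"""Route Origin Validation (RFC 6811) applied to Tor relay addresses.

Added example, not code from the original post or the Tor Project.
All ROAs, BGP announcements and relay entries below are constructed
sample data (documentation prefixes, private ASNs), not real records.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the ROA covers, e.g. "203.0.113.0/24"
    max_length: int   # longest more-specific prefix the ROA authorises
    origin_asn: int   # AS authorised to originate the prefix


@dataclass(frozen=True)
class Announcement:
    prefix: str       # prefix as seen in BGP
    origin_asn: int   # origin AS from the AS path


def rov_state(ann: Announcement, roas: List[ROA]) -> str:
    """RFC 6811 outcome for one announcement: 'valid', 'invalid' or 'notfound'.

    A ROA covers the announcement when the announced prefix lies inside the
    ROA prefix. The announcement is valid if any covering ROA names the same
    origin AS and its maxLength allows the announced prefix length; invalid if
    ROAs cover it but none matches; notfound if no ROA covers it at all.
    """
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def relay_decision(relay_ip: str, announcements: List[Announcement],
                   roas: List[ROA]) -> str:
    """'Virtual' ROV as a directory authority could apply it to one relay.

    Returns 'keep' when the most specific route to the relay is valid or
    notfound, 'keep-less-specific' when that route is invalid but a covering
    less specific route is not (ROV-filtering ASes still reach the relay via
    the covering route), 'exclude' when every covering route is invalid, and
    'no-route' when nothing covers the address.
    """
    ip = ipaddress.ip_address(relay_ip)
    covering = [a for a in announcements
                if ip in ipaddress.ip_network(a.prefix, strict=False)]
    if not covering:
        return "no-route"
    # Longest prefix first: that is the route forwarding would select.
    covering.sort(key=lambda a: ipaddress.ip_network(a.prefix, strict=False).prefixlen,
                  reverse=True)
    states = [rov_state(a, roas) for a in covering]
    if states[0] != "invalid":
        return "keep"
    if any(s != "invalid" for s in states[1:]):
        return "keep-less-specific"
    return "exclude"


# Constructed sample data (documentation prefixes and private ASNs).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/24", 24, 64502),
    ROA("2001:db8::/32", 48, 64501),
]
ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", 64500),   # matches its ROA
    Announcement("198.51.100.0/24", 64503),  # wrong origin: looks like a hijack
    Announcement("192.0.2.0/24", 64504),     # no ROA at all
    Announcement("2001:db8:1::/48", 64501),  # within maxLength 48
    Announcement("2001:db8:1::/64", 64501),  # /64 exceeds maxLength 48
]
RELAYS = {
    "relayA": "203.0.113.10",
    "relayB": "198.51.100.7",
    "relayC": "192.0.2.5",
    "relayD": "2001:db8:1::10",
}


def virtual_rov(relays: Dict[str, str]) -> Dict[str, str]:
    """Decision per relay nickname for the constructed data set."""
    return {name: relay_decision(ip, ANNOUNCEMENTS, ROAS)
            for name, ip in relays.items()}


if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(f"{ann.prefix:20} AS{ann.origin_asn}: {rov_state(ann, ROAS)}")
    for name, decision in virtual_rov(RELAYS).items():
        print(f"{name}: {decision}")
```

With this data relayB sits in a prefix whose only route has the wrong origin AS and would be excluded, while relayD is in an ‘invalid’ /64 that is covered by a valid /48, so it stays reachable and is kept. Whether a ‘notfound’ less specific should count as an alternative route is a policy choice; here it does, matching what ROV-filtering routers accept.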

The unsolved problem: AS Path Verification

Key Takeaways

  • ROA adoption in the context of Tor is higher than on the general internet because some big hosters (used by many relays) have adopted RPKI
  • ROA adoption could be increased significantly further even if only a very limited number of entities enabled ROAs (due to the centralization around big ISPs like OVH)
  • legacy IP blocks are apparently the reason for a significant portion (>10%) of the Tor network not having ROAs yet
  • RIPE’s IRR (limited to RIPE managed space) covers most of the Tor network’s capacity (77%)
  • More than 84% of the Tor capacity uses RIPE managed IP space
  • Hijacking exit capacity is probably harder than hijacking guard capacity (due to the increased use of /24 prefixes for exits)
  • ROA adoption is higher for IPv6 than for IPv4, and IPv6 has fewer (in fact none) RPKI ‘Invalid’ routes
  • a significant portion of ROAs has a weak maxlength attribute (this confirms what others have reported as well)
  • ROV could be performed by Tor directory authorities to cover all relays (by rejecting/flagging them) even if the global ROV deployment rate is very low
  • most of the Tor network capacity is not covered by RPKI ROAs and is not located in /24 prefixes
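The prefix properties the post measures (prefix length, ROA coverage, maxlength) and the capacity-weighted view of Figure 5 and the takeaways above, as an added example that is not code from the original post: each relay’s prefix is classified, and consensus weight fractions are summed per property, overall and split into exit and guard capacity. The relays, prefixes, ROAs and consensus weights are constructed sample data (the real analysis used onionoo and RIPEstat). Treating /48 as the IPv6 counterpart of the IPv4 /24 is an assumption of this example; the post only makes the point for IPv4 /24s.

```python
"""Capacity-weighted view of Tor relay prefix properties.

Added example, not code from the original post. The relays, their announced
prefixes and the ROAs below are constructed sample data; the real analysis
used onionoo consensus-weight fractions and RIPEstat prefix data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Relay:
    nickname: str
    ip: str
    cw_fraction: float   # share of total consensus weight, in percent
    is_exit: bool        # True for exit capacity, False for guard/middle


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_asn: int


# Assumption of this example: /24 (IPv4) and /48 (IPv6) are the longest prefixes
# most networks accept, so a relay already inside such a prefix cannot be
# hijacked by a more specific announcement. The post states this for IPv4 /24s.
LONGEST_ACCEPTED = {4: 24, 6: 48}


def covering_roa(net: Network, roas: List[ROA]) -> Optional[ROA]:
    """Return the most specific ROA whose prefix contains net, or None."""
    best = None
    best_len = -1
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            if roa_net.prefixlen > best_len:
                best, best_len = roa, roa_net.prefixlen
    return best


def prefix_properties(prefix: str, roas: List[ROA]) -> Dict[str, bool]:
    """The three resilience properties the post looks at, for one prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    roa = covering_roa(net, roas)
    weak = False
    if roa is not None:
        # A maxLength longer than the ROA prefix (RFC 9319's "weak" ROA) lets a
        # more specific announcement with the legitimate origin AS stay valid.
        weak = roa.max_length > ipaddress.ip_network(roa.prefix, strict=False).prefixlen
    return {
        "longest_accepted": net.prefixlen == LONGEST_ACCEPTED[net.version],
        "has_roa": roa is not None,
        "weak_maxlength": weak,
    }


def capacity_shares(relays: List[Relay], prefix_of: Dict[str, str],
                    roas: List[ROA]) -> Dict[str, Dict[str, float]]:
    """Percent of consensus weight with each property, overall and per role."""
    props = {r.nickname: prefix_properties(prefix_of[r.ip], roas) for r in relays}
    groups = {
        "all": relays,
        "exit": [r for r in relays if r.is_exit],
        "guard": [r for r in relays if not r.is_exit],
    }
    result = {}
    for name, members in groups.items():
        total = sum(r.cw_fraction for r in members)
        result[name] = {
            key: round(100.0 * sum(r.cw_fraction for r in members
                                   if props[r.nickname][key]) / total, 1)
            for key in ("longest_accepted", "has_roa", "weak_maxlength")
        }
    return result


# Constructed sample data (documentation prefixes, private ASNs).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # maxLength equals prefix length: fine
    ROA("198.51.100.0/22", 24, 64502),  # maxLength 24 on a /22: weak
    ROA("2001:db8::/32", 48, 64501),    # maxLength 48 on a /32: weak
]
PREFIX_OF = {                           # relay IP -> most specific BGP prefix
    "203.0.113.10": "203.0.113.0/24",
    "198.51.100.7": "198.51.100.0/22",
    "192.0.2.5": "192.0.2.0/24",
    "2001:db8:1::10": "2001:db8:1::/48",
}
RELAYS = [
    Relay("relayA", "203.0.113.10", 10.0, True),
    Relay("relayB", "198.51.100.7", 5.0, False),
    Relay("relayC", "192.0.2.5", 2.5, False),
    Relay("relayD", "2001:db8:1::10", 2.5, True),
]

if __name__ == "__main__":
    for group, shares in capacity_shares(RELAYS, PREFIX_OF, ROAS).items():
        print(group, shares)
```

Weighting by consensus weight rather than counting relays is what makes a handful of large hosters dominate the picture, as the two operator tables above show: a property is measured by how much of the network’s capacity it protects, not by how many relays have it.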

Future Work: BGP Monitoring for Tor Prefixes


  • Tor Project’s onionoo from 2018–08–09 21:00 UTC for relay IP addresses, cw fraction, guard probability and exit probability data
  • RIPEstat for BGP prefix, ASN and IRR data. (We stumbled on a bug in RIPEstat’s IRR related part that might have a minor impact on the graph in figure 6, but we believe it affects only a non-significant portion (<1% cw fraction))
  • RPKI Validator v2.24 (local instance with ARIN’s TAL enabled)
  • RIPE IP Space to filter IRR entries to RIPE in-region items only
  • CAIDA AS Rank API (2018–07–01)


References to RIR documentation for creating/managing ROAs




Tor, Routing Security and DNS Privacy related Topics.
