Identifying Proxy Nodes in a Tor Anonymization Circuit

We present a novel, practical, and effective mechanism that exposes the identity of Tor relays participating in a given circuit. Such an attack can be used by malicious or compromised nodes to identify the rest of the circuit, or as the first step in a follow-on trace-back attack. Our intuition is that by modulating the bandwidth of an anonymous connection (e.g. when the destination server, its router, or an entry point is under our control), we create observable fluctuations that propagate through the Tor network and the Internet to the end-user´s host. To that end, we employ LinkWidth, a novel bandwidth-estimation technique. LinkWidth enables network edge-attached entities to estimate the available bandwidth in an arbitrary Internet link without a cooperating peer host, router, or ISP. Our approach also does not require compromise of any Tor nodes. In a series of experiments against the Tor network, we show that we can accurately identify the network location of most participating Tor relays.