Identifying and characterizing Sybils in the Tor network
This work addresses the vulnerability of the Tor network to Sybil attacks, providing practical tools and insights to improve safety for users, though it is incremental in applying detection methods to this specific domain.
The paper tackled the problem of Sybil attacks in the Tor network by developing sybilhunter, a system that detected Sybil relays based on configuration and behavior, analyzing nine years of data to reveal diverse attackers including botnets and Bitcoin hijackers.
Being a volunteer-run, distributed anonymity network, Tor is vulnerable to Sybil attacks. Little is known about real-world Sybils in the Tor network, and we lack practical tools and methods to expose Sybil attacks. In this work, we develop sybilhunter, the first system for detecting Sybil relays based on their appearance, such as configuration; and behavior, such as uptime sequences. We used sybilhunter's diverse analysis techniques to analyze nine years of archived Tor network data, providing us with new insights into the operation of real-world attackers. Our findings include diverse Sybils, ranging from botnets, to academic research, and relays that hijack Bitcoin transactions. Our work shows that existing Sybil defenses do not apply to Tor, it delivers insights into real-world attacks, and provides practical tools to uncover and characterize Sybils, making the network safer for its users.