How to block Tor’s hidden bridges: detecting methods and countermeasures

Tor network has been widely used for protecting the privacy of users while accessing various online services. Since Tor can be easily blocked by blacklisting the publicly published Tor relays, the hidden bridges-based blocking-resistance mechanism is designed and implemented in the current Tor network. Any user can subscribe a tuple of three bridges via email, https, twitter etc. However, we have found that there exist high correlations among those published tuples, which can be exploited to effectively detect hidden bridges by monitoring the outbound traffic from a controlled network. When Tor clients try to connect chosen hidden bridges, multiple SYN packets with consecutive source ports will be sent almost simultaneously, destining for different hosts. If any destination IP contained among such packets belongs to a known bridge, all others can then be inferred to be of bridges too. By recording and analyzing a series of traffic segments satisfying the above packet features, the hidden bridges used in a controlled network can be detected and further blocked. According to different available computing and storage resources, we proposed both online and offline detecting methods. Both analytical and simulation results verify the high correlation among published bridge tuples, validating the feasibility of our methods. By configuring optimized detecting parameters in the real-world experiments, we can achieve a detection rate of 86.7 % with a 0.85 % false-positive rate for online detection, and a 98.4 % detection rate with a 0.62 % false-positive rate for offline detection. To make up the flaws in Tor’s current blocking-resistance mechanism, we also provide some countermeasures from the perspective of Tor network and users, respectively.