Anonymizing Networks


Anonymizing networks (such as Tor or I2P) provide a way to anonymize Internet communications, so as to make it hard to link communication parties (e.g., a user and the web server he/she is visiting). Those anonymizing networks often rely on a distributed overlay network and on onion routing to anonymize TCP-based applications like WEB browsing or P2P.

Our research concerns the analysis of such networks, from a security, privacy and usage perspective. Here you can find our current work on the privacy of BitTorrent users on Tor and the characterization of the Tor traffic.

De-anonymizing BitTorrent Users on Tor

In a climate of cold war between P2P users and anti-piracy groups, more and more users are moving to anonymizing networks in an attempt to hide their identity. However, when not designed to protect users information, a P2P protocol would leak information that may compromise the identity of its users.

In this work, we first present three techniques targeting BitTorrent users on top of Tor that reveal their real IP addresses. In a second step, we analyze the Tor usage by BitTorrent users and compare it to its usage outside of Tor. Finally, we depict the threat induced by this de-anonymization and show that users’ privacy violation goes beyond BitTorrent traffic and contaminates other protocols such as HTTP. In other words, using BitTorrent over Tor is not a good idea.


  • Technical report Compromising Tor Anonymity Exploiting P2P Information Leakage is available here.
  • A preliminary version has been presented at the 3rd Hot Topics in Privacy Enhancing Technologies (HotPETs 2010).

  • The poster accepted at USENIX Symposium on Network Design and Implementation (NSDI ‘10) can be found here.



Related Links


A Deep Analysis of the Tor Anonymizing Network

In 2008 McCoy et al. have already shown the importance of the BitTorrrent protocol in terms of traffic size in Tor (BitTorrent representing more than 40% of the overall observed traffic). These results revealed useful statistics about Tor usage in general. However, Tor has gained in popularity through years, and its related traffic has certainly evolved. A proof of that is the increase of encrypted BitTorrent traffic that we identified in our research.

We performed an analysis of the application usage of the Tor network through a deep packet inspection (as opposite to a simple port-based classification), and show that most of the traffic exchanged through Tor is an undesirable BitTorrent traffic. We also observed an important fraction of “unknown” traffic and present the technique we used to reveal that the vast majority of this traffic is actually an encrypted BitTorrent traffic. Our analysis shows then that the BitTorrent traffic on top of Tor accounts for much more traffic size that what it is commonly believed.

We also studied the HTTP and BitTorrent usage over Tor and compared Tor users behaviors to typical Internet users, and tried to answer the following questions:

  • What kind of webpages are typically visited through Tor?
  • What type of content are the BitTorrent users exchanging through Tor?

In addition, we study the Tor network architecture as it is being actually used, and show that many Tor users do not comply with the protocol, and rather prefer creating tunnels making Tor acting as a simple (1-hop) SOCKS proxy. We also show that it is easy to circumvent the bridges collection limits.


  • The paper Digging into Anonymous Traffic: a deep analysis of the Tor anonymizing network accepted at the International Conference in Network and System Security (NSS2010) can be found here (slides of the talk).