Disequilibrium: Tor's Exit Node Selection under the Stereoscope

Restricted freedom of speech, political persecution or surveillance of journalists are just some examples for the vital need for anonymous communication in the Internet, such as Tor. However, there is also a downside to anonymity as it can also be used to support illegal activities, e.g., the (i) purchase of illicit goods, (ii) procurement of plans to build bombs or (iii) coordination of terrorist activities. Therefore, governmental actors such as intelligence services as well as non-governmental actors actually have comprehensible reasons in being able to break anonymity. Following these considerations, this paper is dedicated to analyse the anonymity Tor really can provide, considering monitoring and surveillance capabilities of intelligence services. Based on the assumption that the internal Tor network and the algorithms used therein provide an adequate protection even for highly advanced intelligence services, this work presents the results of a long-term analysis of the selection of the exit nodes. To this end, we have conducted an analysis over a period of one and a half years in which we have treated the Tor network mainly as a black box, focusing our evaluation on the analysis of the characteristics of the exit nodes. In practice, a significant deviation between the actual exit node selection, which takes especially the bandwidths into consideration, and the theoretical optimum "node usage distribution" can be observed, which in turn plays into the hands of intelligence services and facilitates the breaking of anonymity. Our evaluation highlights the endangerment of traffic analysis attacks by capable actors.