What Is TorPolice? Access Control in the Tor Network

What Is TorPolice?

The Tor network is the most widely used anonymity network, with millions of users worldwide. It has no access control for clients, however, which leaves it open to abuse by attackers and botnets. Attackers routinely use Tor exit relays as stepping stones for attacks on Internet services, so service providers respond by rate-limiting or serving CAPTCHAs to Tor exit IP addresses, a serious usability cost for honest Tor users.

To address this problem, a group of researchers proposed TorPolice, a platform for enforcing access control policies within the Tor network. TorPolice gives Tor relays, and the services reached through Tor, a universal capability-based access control mechanism that hardens the network against botnet abuse. The authors built and evaluated a TorPolice prototype, showing that such policies can be enforced while preserving the anonymity of Tor users.

Goals of TorPolice

TorPolice adds access control to anonymous connections within the Tor network, benefiting both service providers and the Tor network itself. Unlike previous capability-based frameworks, TorPolice is designed to meet three requirements:

  1. Preserving the anonymity of Tor users.
  2. Avoiding any central point of control.
  3. Allowing the framework to be deployed incrementally.

Service-Defined Access Policies

Nearly 70% of Tor exit relays are listed as spam sources by Project Honey Pot, which is why many service providers and content delivery networks (CDNs) throttle or block traffic arriving from Tor. TorPolice lets a service provider define and enforce its own access rules for all types of Tor connections, so it can limit abusive traffic without blocking Tor outright and honest users keep their access. In this way, TorPolice gives service providers a robust framework for setting their own access policies.

Is Preventing Botnet Attacks via Tor Possible?

Because Tor is itself a platform, it is exposed to botnets that host their command-and-control (C&C) servers as Tor hidden services, and to DDoS attacks against specific relays. TorPolice lets the Tor network control how clients use it, protecting the network from such abuse. Unlike the bandwidth limits each relay enforces locally, TorPolice's access control is global: a client that has exhausted its allowance at one relay cannot obtain more by spreading its connections across all the other relays.

Preserving Tor User Privacy

TorPolice does not weaken Tor's anonymity guarantees. The access control layer it adds is built so that obtaining a capability is unlinkable to using it: the party that issues a capability does not learn where or how it is later used, and the party that checks it does not learn who the user is. User activity therefore stays separated from user identity, as it is in Tor today.
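The two properties described in the last two sections, a global allowance that cannot be evaded by spreading connections over many relays and issuance that is unlinkable to use, in a small Python model. This is an added illustration and not code from the TorPolice paper, its prototype, or the Tor Project. It assumes (hypothetically) a single Access Authority that issues capabilities under a per-client budget, capabilities bound to the relay they will be spent at, and RSA blind signatures as the unlinkability mechanism; blind signatures are a standard construction for this purpose, and the paper's exact scheme is not reproduced. The signing key is a toy built from two small known primes and is not secure.

```python
"""Toy model of capability-based access control for Tor relays.

Added illustration only; not code from the TorPolice paper or the Tor Project.
Hypothetical assumptions: one Access Authority (AA) issues blind-signed
capabilities under a global per-client budget, each capability is bound to the
relay it will be spent at, and a relay accepts a connection only with a valid,
unspent capability. RSA blind signatures are a standard way to make issuance
unlinkable to use; TorPolice's own construction is not reproduced here.
"""
import hashlib
import secrets
from math import gcd

# AA signing key from two known Mersenne primes: a toy, hopelessly insecure key.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def hash_to_int(relay_id: str, token: bytes) -> int:
    """The message a capability signs: hash of (target relay, random token)."""
    digest = hashlib.sha256(relay_id.encode() + b"|" + token).digest()
    return int.from_bytes(digest, "big") % N


class AccessAuthority:
    """Signs blinded capabilities; the budget is per client, not per relay."""

    def __init__(self, budget: int):
        self.budget = budget
        self.issued = {}        # client identity -> capabilities issued so far
        self.seen = set()       # everything the AA ever observed (blinded values)

    def issue(self, identity: str, blinded: int):
        if self.issued.get(identity, 0) >= self.budget:
            return None         # global budget exhausted, whatever relay is targeted
        self.issued[identity] = self.issued.get(identity, 0) + 1
        self.seen.add(blinded)  # the AA never sees the token or the target relay
        return pow(blinded, D, N)


class Relay:
    """Accepts a connection only with a valid capability bound to this relay."""

    def __init__(self, relay_id: str):
        self.relay_id = relay_id
        self.spent = set()

    def connect(self, token: bytes, sig: int) -> bool:
        if token in self.spent:
            return False        # replayed capability
        if pow(sig, E, N) != hash_to_int(self.relay_id, token):
            return False        # forged, or bound to a different relay
        self.spent.add(token)
        return True


def request_capability(aa: AccessAuthority, identity: str, relay_id: str):
    """Client side: blind the message, have it signed, unblind the signature."""
    token = secrets.token_bytes(16)
    m = hash_to_int(relay_id, token)
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:       # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    blind_sig = aa.issue(identity, (m * pow(r, E, N)) % N)
    if blind_sig is None:
        return None
    return token, (blind_sig * pow(r, -1, N)) % N


def spread_attack_local_only(num_relays, per_relay_limit, attempts_per_relay):
    """Baseline: each relay rate-limits the bot on its own, with no shared state."""
    accepted = 0
    for counters in [{} for _ in range(num_relays)]:
        for _ in range(attempts_per_relay):
            if counters.get("bot", 0) < per_relay_limit:
                counters["bot"] = counters.get("bot", 0) + 1
                accepted += 1
    return accepted


def spread_attack_with_aa(num_relays, budget, attempts_per_relay):
    """Same bot, but every connection needs a capability from the one AA."""
    aa = AccessAuthority(budget)
    accepted = 0
    for relay in [Relay(f"relay{i}") for i in range(num_relays)]:
        for _ in range(attempts_per_relay):
            cap = request_capability(aa, "bot", relay.relay_id)
            if cap is not None and relay.connect(*cap):
                accepted += 1
    return accepted


def aa_can_link(aa: AccessAuthority, relay_id: str, token: bytes, sig: int) -> bool:
    """Can the AA match a capability presented at a relay to an issuance it saw?"""
    m = hash_to_int(relay_id, token)
    return m in aa.seen or any(pow(b, D, N) == sig for b in aa.seen)


if __name__ == "__main__":
    print("local limits only, 10 relays x 5:", spread_attack_local_only(10, 5, 20))
    print("global AA budget of 5, 10 relays:", spread_attack_with_aa(10, 5, 20))
```

With per-relay limits only, a bot that hits ten relays gets ten times the allowance; with the AA's global budget it gets exactly the budget, and a capability issued for one relay is rejected at any other. The linkability check shows why the AA is safe to operate by a partially trusted party: it holds only blinded values, so nothing in its records matches the capability the relay eventually sees.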

Fully Decentralized and Partially Trusted Authorities

In line with Tor's design goals, TorPolice relies on a set of fully decentralized, partially trusted Access Authorities (AAs) that issue and manage capabilities. An AA can be operated by the Tor Project or by a trusted third party. Users may obtain capabilities from any AA, so no single AA has a complete view of all Tor users. Because each AA is only partially trusted, a service provider can simply stop honoring capabilities from an AA that misbehaves or is compromised.

Gradual Implementation

TorPolice is designed for incremental deployment. Tor clients, relays, and service providers that adopt it benefit immediately from a partial rollout, while components that have not been upgraded continue to operate as before.

What TorPolice Achieves

Several classes of attack threaten Tor's security. For example, an adversary who observes both the entry and the exit end of a circuit can de-anonymize a user through end-to-end traffic correlation. TorPolice is not designed to mitigate such attacks; its guarantee is that it does not weaken the unlinkability Tor already provides.

According to the TorPolice authors, their prototype shows that it can significantly reduce botnet abuse of the Tor network and attacks against Tor itself.