TorPolice: Towards Enforcing Service-Defined Access Policies in Anonymous Systems

TL;DR

TorPolice introduces a privacy-preserving access control framework for Tor, enabling service providers to mitigate abuse and malicious requests while maintaining user anonymity and service quality.

Contribution

It is the first framework to enforce service-defined access policies in Tor without compromising user privacy.

Findings

TorPolice effectively reduces malicious requests from Tor relays.

The framework preserves user privacy while enabling access control.

Prototype implementation demonstrates practical feasibility.

Abstract

Tor is the most widely used anonymity network, currently serving millions of users each day. However, there is no access control in place for all these users, leaving the network vulnerable to botnet abuse and attacks. For example, criminals frequently use exit relays as stepping stones for attacks, causing service providers to serve CAPTCHAs to exit relay IP addresses or blacklisting them altogether, which leads to severe usability issues for legitimate Tor users. To address this problem, we propose TorPolice, the first privacy-preserving access control framework for Tor. TorPolice enables abuse-plagued service providers such as Yelp to enforce access rules to police and throttle malicious requests coming from Tor while still providing service to legitimate Tor users. Further, TorPolice equips Tor with global access control for relays, enhancing Tor's resilience to botnet abuse. We show that TorPolice preserves the privacy of Tor users, implement a prototype of TorPolice, and perform extensive evaluations to validate our design goals.