Tor The Onion Router, the onion router's main purpose is to prevent flow through the filter and Sniffer to spy on the user of the communication Privacy, the majority of the Chinese people familiar with it not because it's encrypted, but because it is a multi-layer node could span the Great Wall of China. Its basic principle is that Tor users in the local erection of a onion proxy server, this server on a regular basis, and other Tor users communicate to form a topology of the loop circuit it. Tor the user of information to be transmitted in the application layer encryption, each of the routing between the through point-to-point symmetric encryption communication, each of the routing equivalent of the onion a layer of skin, so that the multi-layer topology is equivalent to the client warm wrapped in the onion heart, which is Tor the protection of sources of information. Information sent from the client, through the network of randomization to find the path through a layer of a layer of the encryption Agent node, from the egress node to the plaintext of the way, so the destination node that it can see the plaintext message from the exit node issue is not to know the source of the message the client location. If you know the Tor part of the node IP, the attacker can reverse lookup the entire information stream to thereby identify the client's source, so for each Tor proxy server to say, Do not tell the outside world Your IP address. ! A quote from the wikipedia link It is worth noting that attacks Tor anonymity service main goal is not to obtain the transmission of information but rather to find out which node is a Tor middle node, which users use Tor, what Tor services, etc., because the exit node out of the information are in clear text as long as the catch the exit node can obtain the transmitted information, such as the year of wikileaks leaking the documents, in part, from the exit node to obtain. 0x01 life's experience: methods of attack theory summary Tor is a complex system complex systems complexity leads to design it on there are many can be attacking the essence of the feature, its implementation and server configuration also not perfect, it at the same time there are some“pig teammates”the problem of attack available to use. These aspects are attacks Tor anonymity and privacy of the routines to attack point. Based on the Tor itself, the information characteristic of the attack is basically using a tor symmetric encryption as well as the complexity of the network, the General method is listening to the network data model, because the link is through a multi-layer node is encrypted, so Tor in determining the link of time, as well as network data in some special mode and the ordinary data transmission network different, by listening to the network node of the data transmission mode may be substantially the guesswork out of this Node is a Tor node. The spread of information because the have their own fixed characteristic, such as keystroke frequency mode, these features from the Tor source is transmitted to the object when causing the encrypted traffic will therefore contain some of the can be identified the feature, if the attackers design some special experiments, the dissemination of information of the sequence can be used to detect Tor nodes position. Most attacks Tor anonymity of the research work focused in this direction, including above the MIT of this article by giving the nodes of the loop do the fingerprint approach is also such method. These methods are generally very ingenious construction method, there are many large research institutions, including some state agencies are in Active study in this direction. Based on the attack the Tor implementation / configuration and other“pig teammates”method is not common in major research institutions of scientific research project, but it and social engineering in the hacking status like in all particular cases may become the Tang door hidden weapon trick. （Western style point called the Achilles' heel is. Attack Tor-implemented method generally is to deceive, such as provided by the attacker-controlled Tor nodes attract other Tor nodes to links. Attack the Tor implementation and server configuration approach more is that, if a tor server is not a reasonable configuration, it's the tor with the service may be compromised resulting in the tor service address leakage. For example, say there is a“pig teammates”is that a Tor proxy server node is also for other services of the node, such as the above ran a web App even if it is one of the world's best language is PHP written web App, but the PHP version is very low there are a number of vulnerabilities, the attacker can be through web services vulnerabilities into the system, as long as the attacker to get a shell you can scan the entire machine to see if there's a running Tor you can determine. More popular recently pigs mate is bitcoin bitcoin, there is related research the use of bitcoin transactions can detect Tor network some of the node's IP address, you can here further reading: the article addresses where these methods will not repeat them here. 0x02 asked me to support not supported: the Great Wall of some of the work Tor can be used in across the Great Wall, because Tor will automatically monitor the relevant Agent node is reachable, if it is unreachable it automatically replace the node until you can connect to beyond the wall, so the wall rather nasty Tor is understandable. More Great Wall of hate, because ultimately the destination server only sees the Tor exit node, so an overseas server can use Tor to disguise yourself to be the territory of China server to provide reverse across the Great Wall of service. The Great Wall of the study the main purpose is not to want to find information of the source, its main purpose is to ban Tor proxy node and blocking the connection, so that can be killed across the wall of the user. The Great Wall of the work there is no specific literature reference, but from some observations on the Great Wall of the basic method is: Blocking some known IP nodes and bridge nodes: the wall will block part of the known nodes and the rest of the monitoring. The purpose of monitoring may be to collect data transmission between nodes, can be used as a machine learning when the information flow for feature extraction. Provided by the wall control the Tor node to attract other Tor nodes to be linked and blocked. For non-SSL encrypted Tor node collects the information flow for feature analysis: the Great Wall can be identified out some of the Tor information flow characteristics, and through machine learning + the artificial rules of method to determine whether the node is a Tor. If it is, it resets the link and blocked. The Great Wall the advantage is that you can see what others do not see the real traffic data, which determines their methods is through real traffic inside the collection characteristics and the positive and negative examples for machine learning analysis, the Tor of a variety of encryption and changes in the network structure, the Great Wall can be observed. The Great Wall can also do a lot of passive data collection, to ensure that they Tor the attack keep a low profile. Based on the Great Wall of China the purpose of the work is that the blocking links instead of looking for information sources, it destroyed almost only a fraction of the Tor nodes, and new nodes constantly generate itself on the Tor network of privacy and anonymity and will not cause great harm. As far as it did go deeper and further work, due to the lack of references we are temporarily not known, but this period of a purely academic discussion I can't even figure are not afraid to with. 0x03 you are familiar with the West that set To American imperialism led the research on Tor more in-depth study, the main purpose is to break the Tor privacy and anonymity, common in University and research papers, as well as the US National Security Agency（NSA）some of the disclosed and non-disclosed, but accidentally leaked presentation. 0x04 MIT work The article mentioned at the beginning of the MIT work the main method is for an information flow in the Tor where the transmission circuit to do the fingerprint feature, and its direct goal is not looking for a Tor node or user to find information, but the first network determines whether there is a Tor hidden service, when the attacker to determine the network presence of Tor hidden services, you can design a web page fingerprint to attack the Tor nodes client or server of a location on the web page fingerprint of in-depth reading you can refer to Cai et al “Touching from a Distance: Website Fingerprinting Attacks and Defenses”, the basic method is the attack in Tor network yourself to set up a client to access a web site, to track The information flow, the passing of node number of features such as packet size, interval sequences, etc., and then use a machine learning approach build a classifier to. It is determined that the network whether there is a Tor hidden service method is relatively simple, is the establishment of an attacker controlled a Tor node friendly reminder, the attacker set up a Tor node to intercept the information there is nothing available, because point-to-point between symmetrical encryption, when another Tor node and the user links in, after a period of time information mutual transmission, the attacker can count the amount of data transmission and send the received number of packets, as well as the build loop of the sequence, by running a simple machine learning model, the attacker can predict the flights send a message to the user using the Tor service such as OpenWeb. This method is powerful in that it is passively collect data instead of actively sending data packets, that is, in the final exposing Tor node information before the attacker can completely not to be found.