How I select Tor guard nodes under global surveillance

I’m trying to protect my privacy on the Net, and for years I have been using and advocating (in German) the anonymization tools JonDonym and Tor towards that end. Before you continue reading, please be warned that I’m an anonymization hobbyist. There are ongoing discussions on the tor-talk mailing list concerning network diversity and the protection Tor may or may not be able to provide in view of global surveillance. Maybe I’m missing something fundamental in the following. Let’s see.

Basically, with anonymization tools such as Tor my communication is encrypted and re-routed over several middleman (so-called Tor nodes or JonDo mixes) before the final middleman performs the communication with the real target (say, or on my behalf; responses flow back through those middlemen in reverse order, again encrypted. Thus, my ISP cannot learn any longer, what I’m doing on the Net. Similarly, the real targets do not see who is really visiting them (they see a middleman). This scheme is assumed to be secure as long as no party can observe both ends of the communication, namely the encrypted communication between me and the first middleman as well as the communication between the final middleman and the real target. If someone can do so, they may be able to correlate the traffic at both ends, identifying me as the real source communicating with the real target. (According to this calculation they’ll have a hard job, though, thanks to the Base Rate Fallacy.)

Now, if I, as a German, choose the first middleman in the US, I’m almost certain that my end of the communication will be observed by NSA and GCHQ, thanks to PRISM, Tempora, and whatnot. In fact, if I choose the first middleman anywhere but in Germany I can be pretty sure that some foreign intelligence agency will monitor and maybe store my network traffic. Whether one of those parties will also see the other end of the communication depends on the locations of the final middleman and the target, as well as the degree of those parties’ collusion.

I’m operating under the assumption that if my human rights, dignity, and privacy are still worth anything at all, then this is the case in my own country, where those values are protected by the constitution, at least on paper. In my view, this protection on paper is worth something, if only a fight. In every other country, I appear to be literally outlawed, fair game for foreign intelligence.

For now, I’m changing my choice of anonymization middlemen. I’d like to make sure that my first middleman is located in Germany. Thus, to spy on my communication with the first middleman in Germany, someone needs to conduct illegal wiretapping in Germany and violate my constitutionally granted rights (which is currently happening; that situation could change, which reminds me that elections are coming up). I see no reason at all to re-route that communication without need into hostile territory where I’m outlawed.

When using Tor or JonDonym without special precautions, though, data will most likely be routed away from Germany into hostile territory, even if my communication is local to Germany (say, I’m fetching e-mail from a German e-mail provider). Thus, my attempt to protect my privacy via anonymization may very well show the adverse effect of delivering my data to foreign spies (which might not see a single bit of the communication without anonymization).

To avoid such situations, I generated and analyzed traceroute data to Tor nodes, looking for potentially hostile places. Essentially, traceroute is a networking tool to enumerate some of the routers that forward my data along its way through the Internet. For the purposes of this analysis, I’m trying to avoid routers where some data source tells me that (a) the router does not appear to be located in Germany or that (b) the router appears to be located in an Internet eXchange Point (IXP). (IXPs receive lots of network traffic from all over the world, which makes them very attractive for and worthy of wiretapping by intelligence agencies.)

I’m using the following sources to obtain country and IXP information:

  1. Internet eXchange Point data from based on the paper: Brice Augustin, Balachander Krishnamurthy, Walter Willinger, “IXPs: Mapped?”, Internet Measurement Conference, November 2009.
  2. Team Cymrus’s whois service. This provides Autonomy System information, IP prefixes, and country information.
  3. Optionally, the python modules pygeoip and TorCtl (both of which make use of MaxMind’s geolocation database).

Beware: The IXP data was collected in 2009, so don’t expect it to be accurate any longer. I added missing German IXPs from Other countries probably need similar updates. In addition, geolocation data is never entirely accurate, and traceroute only shows a subset of the machines that see your Internet communication. Thus, analysis results will likely contain false positives and false negatives.

I wrote Python code to select my Tor guards based on the above data. (With Tor, the first middleman is chosen from a set of nodes, which are called guards, and Tor configuration options allow to explicitly restrict those guards.) I’m hoping that my communication with those selected guards does not pass wiretapped territory. If this hope is justified, my end of the communication will be invisible to spies, giving me anonymity. Which everyone should have.

Of course, I’m only hoping that systematic wiretapping is restricted to IXPs in my country (and does not happen everywhere), and I’m only hoping that my communication is not forwarded to additional places, which are invisible to traceroute. If this was not the case, I can be sure, though, that someone conducts illegal wiretapping in Germany and violates my constitutionally granted rights. Thus, there is hope to fight such illegal conduct. As it should be.

Here is a summary of what I found. I started out with a list of 826 Tor nodes located in DE, generated on 2013/07/15 at Out of these, 232 are named guards, and 78 are named exits. I analyzed traceroute data both at work and at home.

At work:

Only a small number of 25 guards are safe in the sense their paths appear to flow neither through IXPs nor through foreign places. DE-CIX alone is traversed to reach 179 guards. However, 4 guards are located in my own Autonomous System (AS). It seems very attractive to use only those (instead of all 25 candidates). What do you think?

I’d like to point out that during this week I observed route changes. Sometimes, less routes go through DE-CIX, so that up to 39 guards appear to be safe. Thus, repeated tests are a must.

For Tor exits, traceroute data between me and the exit is less useful. Traceroutes between the exits and my communication partners would allow to identify IXPs along that way. I’m not in the position to obtain that data. Nevertheless, if I want to anonymize communication that should be local to my country, I’m restricting the exits to those that do not show foreign hops. I found 58 of those.

At home:

Many guards (126) appear to be safe, only one is located in my own AS.

I’d like to share two sample unsafe routes to Tor guards raspitor2 and YanLunYiZou, where IP addresses of intermediate hops and targets with their estimated locations are shown:

raspitor2 (;DE →;DE →;DE →;NL (via IXP AMS-IX) →;GB →;GB →;GB →;DE →;DE → raspitor2 (;DE (via IXP AMS-IX)

YanLunYiZou (;DE →;DE →;DE →;ES →;ES →;GB →;US →;US →;US →;US →;US →;US →;US →;US →;GB →;DE → YanLunYiZou (;DE

Those are examples of so-called boomerang routes, where source and target appear to be located in the same country, yet traffic does impressive sightseeing and receives lots of unwanted attention. Consequently, I’d like to warn against the Tor options to restrict nodes based on country codes.

Finally, at home I found 63 Tor exits that appear to be non-foreign. The intersection between work and home contains the following 53 routers, which may be useful for German Tor users:

0x3d002, 5268A6ED09875EA2F5, AbelianGrape, Atorisinthesky, BZHack, Biverse, DaJoker, Datenmuehle, FoeBuD3, HarryTuttle, KOP1, KiwibirdSuperstar, LookAnotherExit, MagmaSoft, Musashi, NeefEef2, Piper, Resistance, TommysTorServer, Tor4Freedom, Torboinaz, TuringComplete, arbitrary, armselig, brotherjacob, cce12eb07e2d92a7, chee, devilproxytor, eisler, felixker, filiprem, ftcalip, germangang, hamradioboard, hanfisTorRelay, hellinterface, honk, jabla, landfox, memyselfandi, neonustor, ppbytor1, randomserver, riqochet, rollmops, skyplace, smurfix, spdytor1, superblyhidden, supercow12k, th0rnsrelay, tor3aendych, zapit02

My analysis code is available under the GNU GPLv3+:

The tarball’s README.txt lists necessary prerequisites and explains how you can identify your own guards.

Comments are closed.