How effective are Tor’s current path-selection algorithms against multi‑AS colluding adversaries in live network measurements?

Checked on January 18, 2026

Executive summary

Live-network studies and recent research converge on a clear but nuanced conclusion: Tor’s default (bandwidth-weighted, guard-based) path-selection leaves users exposed to multi‑AS colluding adversaries at non‑negligible rates, while AS‑aware and trust‑aware algorithms reduce but do not eliminate that risk in the wild—partly because routing dynamics, measurement error, and adversary tactics (including active routing manipulation) limit practical defenses [1] [2] [3].

1. The measurement reality: non‑trivial compromise rates in live experiments

Live and empirical analyses report measurable vulnerability: one study found a substantial fraction of circuits susceptible to AS‑level correlation, with higher exposure when ASes collude or when state‑level adversaries are considered; the colluding‑AS case shows notably higher compromise percentages than single‑AS models (the prior live measurements cited report figures for single‑AS, colluding‑AS, and state‑level cases) [1]. These live‑network measurements track real routing paths and show that even well‑established path selection produces circuits that place the same adversarial AS on both ends often enough to matter for practical correlation attacks [1] [4].

2. Why default path selection struggles against multi‑AS collusion

Tor’s default algorithm prioritizes relay bandwidth and uses long‑lived guards to reduce exposure to malicious relays, but its core decision logic does not model the Internet’s AS‑level topology or active BGP manipulation; this leaves a persistent window for AS‑level observers or colluding AS groups to correlate traffic flows despite Tor’s layered encryption [3] [5]. The literature repeatedly documents that AS‑level adversaries can manipulate routing to increase their chance of observing both client→guard and exit→destination segments, undermining anonymity guarantees that assume static or independent network paths [2] [6].

3. AS‑aware and trust‑aware countermeasures help but carry limits

A suite of AS‑aware and trust‑aware path selection proposals—Trust‑Aware Path Selection, Astoria, TOAR and other distance or location‑aware algorithms—demonstrate measurable reductions in vulnerability in experiments and simulations, and TOAR specifically reports improved anonymity while maintaining performance by minimizing detour‑induced latency [7] [2] [1]. Yet these approaches face hard limits in live deployment: path inference errors, incomplete or stale routing information, and the fact that avoidance choices can leave clients with few “safe” options, especially against colluding ASes or BGP hijacks [3] [1]. Studies also note tradeoffs between latency, usability, and the residual likelihood of compromise [2] [8].
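
To make the exposure metric behind sections 2 and 3 concrete, here is an added example (not code from Tor or from any cited study) that computes the bandwidth-weighted share of circuits on which an AS set sees both the entry and exit segments. The relays, bandwidths, AS numbers and function names are constructed, and `as_aware` is a simplified filter, not Astoria, TOAR or Trust-Aware Path Selection.

```python
from itertools import product

# Constructed data: relay -> (bandwidth weight, ASes on the relevant segment).
# Guards: ASes on client->guard path. Exits: ASes on exit->destination path.
GUARDS = {"g1": (50, {"AS100", "AS200"}),
          "g2": (30, {"AS100", "AS300"}),
          "g3": (20, {"AS400"})}
EXITS = {"e1": (60, {"AS200", "AS500"}),
         "e2": (25, {"AS300", "AS600"}),
         "e3": (15, {"AS700"})}

def sees_both(guard, exit_, ases):
    """True if the AS set observes both the entry and the exit segment."""
    return bool(GUARDS[guard][1] & ases) and bool(EXITS[exit_][1] & ases)

def bandwidth_weighted():
    """Guard and exit drawn independently, weighted by bandwidth only."""
    return {(g, e): GUARDS[g][0] * EXITS[e][0] for g, e in product(GUARDS, EXITS)}

def as_aware(known_groups=()):
    """Drop pairs where one AS, or one known colluding group, is on both ends."""
    kept = {}
    for (g, e), w in bandwidth_weighted().items():
        shared = GUARDS[g][1] & EXITS[e][1]
        grouped = any(sees_both(g, e, set(grp)) for grp in known_groups)
        if not shared and not grouped:
            kept[(g, e)] = w
    return kept

def exposure(circuits, adversary):
    """Fraction of selection probability on circuits the adversary correlates."""
    total = sum(circuits.values())
    hit = sum(w for (g, e), w in circuits.items() if sees_both(g, e, adversary))
    return hit / total

def usable_share(circuits):
    """Bandwidth-weighted share of circuits left after filtering."""
    return sum(circuits.values()) / sum(bandwidth_weighted().values())

if __name__ == "__main__":
    single = {"AS200"}
    coalition = {"AS100", "AS500"}  # constructed colluding pair
    for name, c in [("default", bandwidth_weighted()),
                    ("AS-aware", as_aware()),
                    ("AS-aware + known coalition", as_aware([coalition]))]:
        print(f"{name:28s} single={exposure(c, single):.3f} "
              f"colluding={exposure(c, coalition):.3f} usable={usable_share(c):.3f}")
```

On this constructed data, per-AS avoidance removes single-AS exposure but leaves the colluding pair with a non-zero share, and filtering on a known coalition closes that gap only by shrinking the usable circuit set.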

4. Attackers adapt: guard‑placement and routing manipulation blunt defenses

Research into adversarial strategies shows that attackers can respond to location‑ or AS‑aware selection—by placing relays strategically or by active routing attacks (RAPTOR‑style hijacks)—thereby regaining leverage despite countermeasures [9] [10] [6]. These dynamics mean that gains from AS‑awareness are not static: defenders and attackers are in an arms race where live‑network routing variability and adversary incentives shape effectiveness more than static simulations can capture [9] [2].

5. Practical takeaway: reduced risk, not elimination—measurement caveats matter

Overall, empirical work shows AS‑aware path selection reduces the fraction of circuits vulnerable to multi‑AS collusion in live measurements, sometimes dramatically for targeted scenarios, but it does not close the problem: compromise probabilities remain non‑zero and sensitive to measurement quality, client location, and adversary capabilities [1] [2] [3]. The best practical posture today combines conservative guard strategies, improved AS‑awareness where feasible, and continued monitoring; however, the literature cautions that live routing unpredictability and active attacks mean Tor’s path selection is a mitigant rather than a cure [8] [5].

6. Where reporting and research disagree or leave gaps

Some algorithm evaluations emphasize modest or negligible increases in certain attack vectors when colluding relays are considered, suggesting design choices can avoid creating new passive attack surfaces (a counterpoint reported in later reviews) [11]. Yet many primary measurements and critiques stress that real‑world routing complexity, inference error, and active adversaries make those optimistic outcomes fragile unless integrated with robust, live AS measurement and guard hardening—areas where deployment and validation remain incomplete [11] [3] [1].
