Network Analysis Resistance
Network traffic analysis threatens anonymity even with encryption. Sophisticated adversaries analyze patterns, timing, and volume to identify users. Understanding these attacks and defensive techniques is crucial for maintaining anonymity against well-funded opponents.
Traffic Analysis Fundamentals
Traffic analysis examines metadata: packet sizes, timing between packets, traffic volume, and communication patterns. Encryption hides content but not metadata. Observers correlate patterns across the network to identify relationships and deanonymize users.
Global passive adversaries monitoring large network sections can correlate Tor entry/exit traffic. Even without decryption, statistical analysis reveals user behavior and identities.
Timing Attacks
Timing attacks correlate activity timestamps. If you access a service at the exact moment someone posts, the correlation suggests you're the poster. Timing analysis works across anonymous networks, revealing connections that encryption can't hide.
Defense: Randomize activity timing. Don't perform actions immediately. Use delayed sending, random delays, or automated scheduling to break timing correlations.
Traffic Correlation
Adversaries compare entry and exit traffic patterns. Unique traffic patterns (specific sizes, timing) entering Tor correlate with patterns exiting, deanonymizing users. Volume, timing, and packet characteristics all contribute to correlation.
Tor provides some protection through mixing but isn't perfect against global adversaries monitoring large network portions. Adding cover traffic, varying patterns, and using multiple paths helps resist correlation.
Website Fingerprinting
Even encrypted Tor traffic has patterns based on website structure. Page sizes, loading sequences, and resource requests create fingerprints that identify websites through encrypted connections. Adversaries monitoring the entry node can guess destinations.
Defenses: Tor Browser pads traffic and randomizes loading. Higher security levels provide more protection. Website design that minimizes fingerprints helps: similar page sizes, uniform resource loading, fewer unique elements.
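The effect of "similar page sizes" can be measured. The Python sketch below is an added example, not code from Tor Browser or any real site: it pads constructed page sizes up to a fixed bucket and reports which pages an observer could still single out by total transfer size alone, together with the bandwidth overhead. The page paths, sizes, and function names are assumptions made for illustration, and total size is only one of the features a fingerprinting classifier can use.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed sample: total transfer size in bytes for each page of a hypothetical site.
PAGES = {
    "/": 48_213, "/login": 12_904, "/forum": 97_551,
    "/forum/thread-1": 61_030, "/forum/thread-2": 63_877,
    "/about": 12_310, "/contact": 9_842, "/upload": 15_667,
}

def pad_to_bucket(size: int, bucket: int) -> int:
    """Round size up to the next multiple of bucket (exact multiples are unchanged)."""
    if size < 0 or bucket <= 0:
        raise ValueError("size must be >= 0 and bucket must be > 0")
    return -(-size // bucket) * bucket  # ceiling division without floats

def anonymity_sets(sizes: dict[str, int]) -> dict[int, list[str]]:
    """Group pages by the size an on-path observer would see."""
    groups: dict[int, list[str]] = defaultdict(list)
    for page, size in sizes.items():
        groups[size].append(page)
    return dict(groups)

def evaluate(pages: dict[str, int], bucket: int) -> dict:
    """Pad every page to the bucket size and summarize what size alone still reveals."""
    padded = {page: pad_to_bucket(size, bucket) for page, size in pages.items()}
    sets = anonymity_sets(padded)
    return {
        # Pages that share their padded size with no other page remain identifiable.
        "unique_pages": sorted(g[0] for g in sets.values() if len(g) == 1),
        "smallest_set": min(len(g) for g in sets.values()),
        # Extra bytes sent as a fraction of the unpadded total.
        "overhead": sum(padded.values()) / sum(pages.values()) - 1,
    }

if __name__ == "__main__":
    for bucket in (1, 16_384, 65_536, 131_072):  # bucket=1 means no padding
        r = evaluate(PAGES, bucket)
        print(f"bucket={bucket:>7}  identifiable={len(r['unique_pages'])}  "
              f"smallest set={r['smallest_set']}  overhead={r['overhead']:.0%}")
```

On this sample, one unusually large page stays identifiable until the bucket is large enough to cover it, at which point the padding overhead exceeds the original traffic several times over.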
Long-Term Statistical Attacks
Observing patterns over weeks or months reveals behaviors that individual sessions hide. Long-term analysis shows activity schedules, geographic locations, interests, and social networks despite session anonymity.
Defense requires discipline: irregular schedules, varying locations (if using mobile), changing behavior patterns, and limiting long-term pseudonymous identities.
Cover Traffic
Sending dummy traffic obscures real communications. Constant background traffic makes identifying meaningful communications harder. But cover traffic costs bandwidth and doesn't help if an adversary can eliminate dummy traffic through analysis.
Practical cover: Browse random sites regularly, send meaningless messages, maintain constant connections. But don't rely solely on cover traffic - combine with other defenses.
Multi-Hop Networks
Using a VPN before Tor, or Tor before a VPN, adds complexity to correlation. Multiple jurisdictions, providers, and paths increase attack difficulty. But this also increases complexity and potential failure points.
Each hop must be trusted to some degree. More hops mean more trust requirements and more potential for mistakes.
Best Practices
Against traffic analysis: Use Tor consistently, never clearnet. Vary timing patterns. Minimize session durations. Avoid unique identifiable behaviors. Assume powerful adversaries and plan accordingly. Perfect resistance is impossible, but defense in depth reduces attack success rates.
Most users aren't targeted by global adversaries. But understand these attacks exist and adjust behavior for threat models requiring this level of protection.