Tor’s directory protocol relies on strong synchrony assumptions, rendering it highly vulnerable to asynchrony—e.g., natural network delays or DDoS attacks. Empirical analysis shows that a low-cost, five-minute DDoS attack targeting most directory authorities (monthly cost ≈ $53.28) suffices to collapse the entire network. Method: We propose the first Tor directory protocol designed for the partial synchrony model, relaxing stringent synchrony requirements while preserving security and availability. Our design integrates standard partial-synchrony consensus primitives with cryptographic building blocks and is implemented in Rust. Contribution/Results: We provide a formal security proof under the partial synchrony model. Experimental evaluation demonstrates that our prototype achieves performance comparable to the production Tor directory protocol while effectively mitigating short-duration, low-overhead DDoS attacks. The protocol significantly enhances Tor’s robustness in realistic asynchronous network environments.

The Tor network offers network anonymity to its users by routing their traffic through a sequence of relays. A group of nine directory authorities maintains information about all available relay nodes using a distributed directory protocol. We observe that the current protocol makes a steep synchrony assumption, which makes it vulnerable to natural as well as adversarial non-synchronous communication scenarios over the Internet. In this paper, we show that it is possible to cause a failure in the Tor directory protocol by targeting a majority of the authorities for only five minutes using a well-executed distributed denial-of-service (DDoS) attack. We demonstrate this attack in a controlled environment and show that it is cost-effective for as little as $53.28 per month to disrupt the protocol and to effectively bring down the entire Tor network. To mitigate this problem, we consider the popular partial synchrony assumption for the Tor directory protocol that ensures that the protocol security is hampered even when the network delays are large and unknown. We design a new Tor directory protocol that leverages any standard partial-synchronous consensus protocol to solve this problem, while also proving its security. We have implemented a prototype in Rust, demonstrating comparable performance to the current protocol while resisting similar attacks.