
Entry Guards

Explain me…

…Entry Guards!

You probably should look at the Tor FAQ:

I used it as reference, but added other stuff and left out the math.¹

My glossary gives some information about Entry Guards, but this should be more helpful to understand it.

This document aims to answer the following questions:

  • What are Entry Guards?
  • Why does Tor only use a few nodes to connect to the network at a time?
  • What is the reasoning behind Entry Guards?
  • How do Guards work?

Entry Guards limit the exposure of clients to the Tor network.

Since the Tor network relies on volunteers running relays, anyone can, at least potentially, participate. So attackers could set up relays and see which IP addresses connect to them. They don’t learn what those clients are doing, but where they are coming from. If the Tor client picked a new entry node for every circuit it builds, chances are high that it connects to an attacker-controlled relay for some circuits. That enables attackers to profile clients.

Tor is a low-latency anonymity tool, and because of the design of low-latency anonymity tools, traffic correlation based on traffic volume and timing is pretty simple and can’t be defeated as of yet. An attacker who controls both entries and exits could correlate the traffic that goes in and out. If the Tor client used a new entry node for every circuit it builds, it would most likely hit an attacker-controlled entry for some circuits.

Tor used to behave like that, but the design was improved by introducing Entry Guards. Now Tor clients pick one node at random and use it as their entry node for some time before rotating it. Previously Tor clients picked three guards, but this was reduced to “just” one guard at a time to reduce the ability to fingerprint users based on their guard set.

Now clients can pick a “good” node, and an adversary operating a malicious guard can’t correlate their traffic at all; obviously clients can still pick a “bad” entry node, which would enable an attacker to correlate their traffic. The chances of not getting profiled are higher, while there was no way to avoid it before the introduction of Entry Guards.

Instead of picking an Entry Guard at random from all available relays, the Tor client picks an Entry Guard out of the set of relays that have the Guard flag. When you look at the relays the Tor network had as of August 2012 (see below), you notice that there were a total of 3000 relays and around 900 relays with the Guard flag.

[Figure: Running relays and Guard flags in August 2012 (source: Running and Guard)]

Clients pick a guard at random and also set an expiry time of 30-60 days [outdated]. After those 30-60 days [outdated] the client picks a new guard at random.[2] Clients also replace their guard if it becomes unavailable.

A relay has to fulfill certain criteria to be given the Guard flag by the authorities: its Weighted Fractional Uptime must be at least the median for “familiar” active routers, and its bandwidth must be at least the median or at least 250 KB/s.[1][outdated]
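The following is an added worked example, not code from this post or from Tor itself. It applies the two Guard flag criteria just described to a constructed relay list and works out the math the post leaves out: how a client’s exposure to a malicious entry differs between picking a fresh entry per circuit and keeping one guard. Relay names, uptimes and bandwidths are made up; the malicious fraction of 5% is an assumption.

```python
"""Guard flag selection and entry exposure, illustrating the post above.
Constructed sample data only; this is not Tor's own code."""
from statistics import median

# Constructed relay list: (nickname, Weighted Fractional Uptime, bandwidth in KB/s).
# In the real network these values come from the directory authorities.
RELAYS = [
    ("alpha", 0.99, 800), ("bravo", 0.95, 120), ("charlie", 0.60, 900),
    ("delta", 0.98, 300), ("echo", 0.40, 50), ("foxtrot", 0.97, 260),
]


def guard_eligible(relays, bw_floor_kbps=250):
    """Return the nicknames that satisfy the post's two criteria:
    WFU at least the median of the active relays, and bandwidth at least
    the median or at least 250 KB/s (the floor the post quotes)."""
    wfu_median = median(r[1] for r in relays)
    bw_median = median(r[2] for r in relays)
    return [name for name, wfu, bw in relays
            if wfu >= wfu_median and (bw >= bw_median or bw >= bw_floor_kbps)]


def exposure_without_guards(malicious_fraction, circuits):
    """Entry chosen anew for every circuit: the client is profiled as soon as
    at least one circuit lands on a malicious entry."""
    return 1 - (1 - malicious_fraction) ** circuits


def exposure_with_guard(malicious_fraction, circuits):
    """One guard kept for the whole period: only that single choice matters,
    no matter how many circuits are built through it."""
    return malicious_fraction


if __name__ == "__main__":
    print("Guard-eligible relays:", guard_eligible(RELAYS))
    for n in (1, 10, 100):
        print(f"{n:>3} circuits: per-circuit entry {exposure_without_guards(0.05, n):.3f}"
              f"  vs fixed guard {exposure_with_guard(0.05, n):.3f}")
```

With a 5% malicious fraction, 100 circuits with per-circuit entries almost certainly hit an attacker at least once, while a client who picked a good guard is never exposed during that period.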


¹ I didn’t consider the math to be complicated this time, but a little confusing.

This information is valid, at least, up to October 2012. [some stuff is no longer the way it was since 2014, but the basics are the same]

If you would like to help improve this document, you can either email me or send me feedback through the web form. If you find some part too technical and too hard to understand, feel free to contact me as well.

I find it rather difficult to learn about Tor and how it works regarding some details without diving deep into the specifications, which is pretty bad for “normal people” who are a little interested.

It’s also difficult for me to explain things in a way which is, at least I hope so, easy to understand. I have to admit that the Tor FAQs are well written in a user-friendly way, but obviously they can’t cover everything, and not to its full depth.
