Tor is a popular low-latency anonymity network. However, Tor does not protect against the exploitation of an insecure application to reveal the IP address of, or trace, a TCP stream. In addition, because of the linkability of Tor streams sent together over a single circuit, tracing one stream sent over a circuit traces them all. Surprisingly, it is unknown whether this linkability allows in practice to trace a significant number of streams originating from secure (i.e., proxied) applications. In this paper, we show that linkability allows us to trace 193% of additional streams, including 27% of HTTP streams possibly originating from ``secure'' browsers. In particular, we traced 9% of Tor streams carried by our instrumented exit nodes. Using BitTorrent as the insecure application, we design two attacks tracing BitTorrent users on Tor. We run these attacks in the wild for 23 days and reveal 10,000 IP addresses of Tor users. Using these IP addresses, we then profile not only the BitTorrent downloads but also the websites visited per country of origin of Tor users. We show that BitTorrent users on Tor are over-represented in some countries as compared to BitTorrent users outside of Tor. By analyzing the type of content downloaded, we then explain the observed behaviors by the higher concentration of pornographic content downloaded at the scale of a country. Finally, we present results suggesting the existence of an underground BitTorrent ecosystem on Tor.
I would be very careful of the nodes I'm connected to on Tor. It was developed for the US Military and I wouldn't be surprised if most of the high-speed nodes are run (and monitored) by the US government. This is not a problem if you're trying to use Facebook in China but I wouldn't rely on it for file-sharing. It has been proven that IP addresses using BitTorrent can be revealed if you control the exit node.
Furthermore, anyone could inspect the headers of traffic to distinguish between different uses of encryption. Certain traffic also has different properties like common ports (though this is usually easy to change), transfer protocols (TCP, UCP, uTP), or technical properties of the packets sent (timing, size, etc.). Peer-to-peer traffic also has a signature footprint due to the sheer size of connections to unique destinations that are made during a transfer.
A large amount of concurrent, identical encrypted connections to a multitude of destinations stemming from a single source could be easily identified as peer-to-peer traffic. In fact, I used this method to identify BitTorrent users when my home network slowed down. I didn't use anything other than what was provided by my router's traffic status screen.
In terms of real world censorship, China's firewall can easily differentiate between VOIP and Skype audio, banning the former while allowing the latter (source). They also actively look for VPNs being used for non-business purposes(source). If technology can be used to make peer-to-peer applications, other technology can certainly be used to discourage their general use.
