Continuation from previous post: 1
Waterfilling: Balancing The Tor Network With Maximum Diversity
This paper is proposing a new tor circuit path selection algorithm that makes bigger nodes run middle/relay traffic more often and smaller nodes more become exits exits. Apparently the talk included an abridged history of tor’s path selection:
- 2003: Uniform at random
- 2004: Introduce bandwidth weighting for performance
- 2005: add Guards based on Helper nodes
- 2010: add bandwidth weights to map node capacity into probability of use in different positions (guard, middle, exit)
The main goal of this new algorithm is to make very large tor servers (which are a higher risk of being used in a traffic correlation attack because they serve a higher percentage of tor clients) serve more relay traffic, and less guard or exit traffic. Because, if you are going to correlate the traffic of a tor user, the most likely way to do this would be to correlate the traffic at the guard and at the exit and if you had a limited budget, why not target the biggest servers. Making much smaller nodes handle more exit traffic, it’s harder for an adversary to pull off an attack like this. In other words they would have to monitor a lot more systems in (hopefully) geographically disparate and difficult-to-access areas.
I get the feeling this has some benefit for specific attack vectors but it might just moving the target around. I wonder what kind of risk there would be of letting clients choose their own algorithm based on their threat model.
Next at #PETS17 : "Waterfilling: Balancing the Tor network with maximum diversity". Florentin Rochet presenting.
— Nick Mathewson (@nickm_tor) July 18, 2017
PeerFlow: Secure Load Balancing in Tor
Along the same lines as the Waterfilling talk, this paper presents PeerFlow – a bandwidth measurement method and a successor to TorFlow and EigenSpeed.
TorFlow: “TorFlow is a set of python scripts written to scan the Tor network for misbehaving, misconfigured, and overloaded Tor nodes. The ultimate goal is to build an automated, distributed reputation system that feeds into the directory servers and provides them with information on the reliability, capacity, and trustworthiness of routers, so that they can set flags that clients can use in routing decisions.” The paper outlines some attack vectors for TorFlow which could have trick it into seeming like a node has more availability and trustworthiness than it should. This is legacy and people at the Tor Project were looking for a replacement.
EigenSpeed: A secure and accurate peer-to-peer bandwidth evaluation system. I don’t know if it’s fully implemented but in any case, it’s an alternative solution for bandwidth measurement and tries to be more secure and reliable.
PeerFlow aims to be 3.5 times more difficult to spoof than TorFlow and be very similar in performance. It uses two techniques to try to measure a relay and then factors them into each other when trying to detect if a relay is lying. One is to check how many bytes sent by the node and the other is how much unused bandwidth is available. Both are measurable and can be correlated to defend against a node lying about its capacity. I’ll admit that I did not understand the full scope of the measurement but it sounds like Nick Mathewson thinks this might be a viable improvement. (Or it’s in such a dire state that he’ll accept just about anything. I’m not sure.)
Last of this #pets17 section: Aaron Johnson presents "PeerFlow: Secure Load Balancing in Tor" https://t.co/KZlnxdoD2w
— Nick Mathewson (@nickm_tor) July 18, 2017