PeerFlow is a newly presented system for securely load balancing client traffic in Tor. To promote security within Tor, no adversary should be allowed to handle a large percentage of the traffic. Nevertheless, Tor’s relay nodes are run by volunteers whose self-reported relay bandwidths can’t be trusted. This is of great significance given that Tor clients use relay bandwidths to balance traffic load.
Creators of PeerFlow have shown that the currently used methods to predict Tor relays’ bandwidth allow an adversary who controls little bandwidth to attack a large percentage of client traffic. These methods include TorFlow, the current Tor bandwidth scanning system, and EigenSpeed, a peer measurement system. PeerFlow offers an innovative design that utilizes a peer measurement approach to limit the ability of an adversary to boost his/her measured bandwidth while also improving the overall accuracy. The system has been proven to be fast, secure and highly efficient. PeerFlow was implemented in Tor, where it demonstrated accuracy and high speed within the context of a large-scale network ecosystem.
An Overview of PeerFlow’s Approach:
PeerFlow utilizes a pair of relay measurement techniques:
1- Each relay node reports the exact number of bytes it sent to and/or received from other relay nodes across the network.
2- Each relay node reports its unused, i.e. available, bandwidth.
Measurements derived from the first technique are used to predict the total amount of bytes transferred after removing a weight fraction λ of the smallest and largest values; thus, an adversary controlling less than λ of the network’s bandwidth will never be able to manipulate the outcome. Measurements derived from trusted relay nodes, whenever available, are used to make sure that the estimated amounts of transferred bytes are not unreasonably low or high.
The measurements derived from the second technique allow the network to discover the amount of available, or unused, bandwidth. However, an adversary can lie about this value, so PeerFlow is designed to consider increasing the consensus weight of a given relay node only after consulting the results of the first measurement technique and confirming that the relay node has handled the expected traffic amount. Further methods are utilized to boost the accuracy, privacy and speed of the aforementioned measurements and to securely introduce new relay nodes into the system.
The authors of the paper that presented PeerFlow have demonstrated Tor’s vulnerability to adversaries controlling large relay nodes. With the current TorFlow system for bandwidth measurement and the EigenSpeed system, adversaries can deceptively make small relay nodes appear larger, which can markedly reduce the cost of an attack on the network. PeerFlow’s approach markedly limits an adversary’s ability to deceive Tor about the real bandwidth of his/her relay nodes, while demonstrating a performance that is somewhat comparable to Tor’s present performance.
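A minimal sketch of the trimming step described above, added here as an illustration and not taken from the PeerFlow paper or Tor's code. It assumes each peer report is weighted by the reporting relay's current weight and that the surviving reports are averaged; the function name, weights and byte counts are constructed.

```python
"""Weighted trimmed estimate of bytes a relay exchanged with its peers.

Assumption (not from the PeerFlow paper): reports are weighted by the
reporter's current weight and the surviving reports are averaged.
"""
from typing import List, Tuple

Report = Tuple[float, float]  # (reporter_weight, reported_bytes)

# Constructed sample data: four honest peers reporting on one target relay.
HONEST: List[Report] = [(20, 95), (20, 100), (20, 105), (20, 110)]


def trimmed_estimate(reports: List[Report], lam: float) -> float:
    """Drop weight fraction `lam` from each end, then weight-average the rest."""
    if not 0 <= lam < 0.5:
        raise ValueError("lam must be in [0, 0.5)")
    total = sum(w for w, _ in reports)
    if total <= 0:
        raise ValueError("reports carry no weight")
    lo, hi = lam * total, (1 - lam) * total  # weight interval that is kept
    seen = kept_weight = kept_sum = 0.0
    for weight, value in sorted(reports, key=lambda r: r[1]):
        # Part of this report's weight that falls inside [lo, hi].
        inside = max(0.0, min(seen + weight, hi) - max(seen, lo))
        kept_weight += inside
        kept_sum += inside * value
        seen += weight
    return kept_sum / kept_weight


if __name__ == "__main__":
    lam = 0.25
    inflate = HONEST + [(20, 10_000)]  # adversary holds 20% of weight (< lam)
    deflate = HONEST + [(20, 0)]       # same adversary under-reporting
    too_big = HONEST + [(40, 10_000)]  # adversary holds 33% of weight (> lam)
    print("untrimmed mean     :", trimmed_estimate(inflate, 0.0))
    print("trimmed, inflating :", trimmed_estimate(inflate, lam))
    print("trimmed, deflating :", trimmed_estimate(deflate, lam))
    print("trimmed, adv > lam :", trimmed_estimate(too_big, lam))
```

While the lying reporters hold less weight than λ, the estimate stays inside the range of honest reports (95 to 110 here) whether they over-report or under-report; once they exceed λ, their values survive the trim and the estimate moves.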
Analyzing PeerFlow’s Speed and Efficiency:
The figure below shows the distribution of PeerFlow’s measurement times over the bytes transferred.
Measurement times that are less than 14 days are shown, which comprise 96.8% of times in terms of the capacity of relay nodes. The 25th percentile measurement time is 11.5 hours, while the 75th percentile is 70.7 hours. Relay nodes with measurement times greater than 14 days exhibit low capacity, which is below Tor’s requirement of 100 Kb/sec for fast relay nodes and 250 Kb/sec for guard nodes. By increasing these requirements by 150%, to 250 Kb/sec for fast relay nodes and 625 Kb/sec for guard nodes, and excluding relay nodes with capacities that don’t meet these requirements, the maximum measurement time can be reduced to 316.4 hours.
Experiments with PeerFlow have shown that the overall dummy traffic necessary to avoid probation was in most cases equal to 2.38 KiB/sec over time and across all experiment instances, with the standard deviation varying across experiment instances. This amount is considered rather small when compared to the median network-wide goodput of PeerFlow, which averages around 428 MiB/sec.
The creators of PeerFlow intend to continue working on it to improve its scalability and security, further decreasing an adversary’s ability to inflate the weight of his/her relay nodes.