[freehaven-dev] Against adversaries who want their MIXes listed as most reliable



I've been pondering the problem of selective denial of service attacks
as a way to boost your (relative) node reputation. I'll quote from the
paper briefly to give some background:

>Eve could gain a high reputation and thus get more traffic routed through
>her MIX, in order to make traffic analysis easier. In a system without
>reputations, the way to purchase more traffic to analyze is not so clear;
>now it is simply a matter of maintaining a reliable MIX. In addition,
>the adversary now has incentive to degrade or sabotage the performance of
>other nodes to make his relative reputation higher. This kind of attack
>was described by RProcess as ``selective denial of service'': the bad
>guys want traffic to go through their nodes, so they ensure that all
>other nodes are less reliable \cite{RProcess}. As recent distributed
>denial of service attacks demonstrate, crippling an Internet host can
>be easy. Scorers must expire ratings promptly enough to prevent an
>adversary from easily tarnishing the reputations of all other MIXes;
>this system tuning will be extremely complex and difficult.

One thing we've always pondered was that we would never have only one
such adversary -- e.g., the NSA would not simply walk in and take over the
system. Rather, if it's to the point where a large organization actually
cared to put effort into it, then chances are there would be several or
many such organizations all vying for control. Thus the stakes would
be a lot higher, but there would still not be one single organization
running all the reputable MIXes.

How well does this argument actually hold up? Where does it fail, where
does it succeed? Are there other (alternate) arguments that might help
the issue?

--Roger
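
The quoted paragraph's point about expiring ratings, as an added example (not from the paper or from any Free Haven code): a toy scorer counts how many rounds an honest MIX stays below a listing threshold after an outage forced on it. The scoring model (one test delivery per round, score = success fraction over a sliding window), the 95% threshold and the window sizes are all assumptions made for illustration.

```python
from collections import deque

def tarnished_rounds(window, outage, threshold_pct=95, horizon=5000):
    """Rounds an honest node spends below the threshold.

    Assumed model: the scorer tests the node once per round and rates it
    by the share of successes among the last `window` tests. The node has
    a clean history, fails every test for `outage` rounds, then is
    perfectly reliable again.
    """
    history = deque([1] * window, maxlen=window)  # 1 = delivered, 0 = failed
    below = 0
    for rnd in range(horizon):
        history.append(0 if rnd < outage else 1)
        # Integer comparison avoids floating-point edge cases at the threshold.
        if sum(history) * 100 < threshold_pct * window:
            below += 1
        elif rnd >= outage:
            break  # failures only age out from here on, so the score stays up
    return below

def sweep(cases):
    """Return (window, outage, tarnished rounds) for each constructed case."""
    return [(w, d, tarnished_rounds(w, d)) for w, d in cases]

if __name__ == "__main__":
    # Constructed cases: (rating window, outage length), both in rounds.
    cases = [(20, 10), (100, 10), (500, 10), (500, 50)]
    print(f"{'window':>6} {'outage':>6} {'tarnished':>9}")
    for w, d, t in sweep(cases):
        print(f"{w:>6} {d:>6} {t:>9}")
```

A long window absorbs a short outage entirely but keeps a node tarnished for almost the whole window once the outage is long enough to cross the threshold; a short window expires the damage quickly but lets a brief outage cross it sooner.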