Blind Relay Abuse Guard
How AeroNyx Rust nodes detect loops, replay attempts, relay rate limits, and peer quarantine while keeping relay nodes blind to payloads, endpoints, route IDs, and social graph edges.
Blind Relay Abuse Guard is the AeroNyx Rust node safety layer that detects abusive relay behavior while preserving the protocol's blind-node invariant.
It gives operators enough aggregate evidence to keep a commercial privacy network stable, but it does not turn nodeboard or any relay node into a traffic viewer.
Status
| Capability | Status |
|---|---|
| Blind relay loop detection counter | Implemented |
| Blind relay replay-drop counter | Implemented |
| Relay rate-limit counter | Implemented |
| Peer quarantine counter | Implemented |
| Quarantine-start counter | Implemented |
| Per-peer health summary by node-id prefix | Implemented |
| nodeboard Security / Relay Protection display | Implemented |
| Payload parsing by relay | Prohibited |
| Route ID, endpoint, or social graph display | Prohibited |
Non-negotiable invariant
AeroNyx relay nodes are blind.
They may forward encrypted envelopes and report aggregate protection counters. They must not read, infer, or display:
- plaintext messages
- packet payloads
- DNS contents
- destinations, domains, URLs, or browsing history
- full route IDs or relay paths
- client public IPs
- complete node public keys in operator UI
- Memory Chain plaintext
- private keys, voucher secrets, or wallet-level traffic
- social graph edges or who is talking to whom
This is the dividing line between an open privacy protocol and a collection of trusted middleboxes.
What the guard reports
Rust reports blind relay protection in:
system_stats.discovery_status.peer_store.runtime.blind_relay
system_stats.discovery_status.peer_store.peer_health_summary
nodeboard renders this under:
Node Detail -> Discovery -> Security / Relay Protection
This section intentionally lives inside node detail instead of the first-level Services page. It is node-scoped evidence, not a fleet service module.
runtime.blind_relay
runtime.blind_relay is an aggregate counter object for the local Rust node.
| Field | Meaning |
|---|---|
| received | Blind relay envelopes received by this node. |
| terminal | Envelopes that terminated at this node. |
| forwarded | Envelopes forwarded to another node. |
| rejected | Envelopes rejected by relay protection. |
| backpressure_dropped | Drops caused by local queue or backpressure protection. |
| invalid_signature | Signature validation failures. |
| envelope_too_large | Envelopes rejected for size. |
| ttl_exhausted | Envelopes rejected because hop TTL was exhausted. |
| no_route | Envelopes with no eligible forwarding route. |
| invalid_endpoint | Forwarding endpoint rejected as invalid. |
| forward_failed | Forwarding attempt failed. |
| loop_detected | Loop guard detected that the previous hop or route would cycle. |
| replay_dropped | Replay guard dropped a duplicate envelope. |
| rate_limited | Peer or previous-hop relay rate limit was applied. |
| quarantined | Relay work dropped because the peer was quarantined. |
| quarantine_started | A peer entered quarantine after repeated bad relay behavior. |
| retry_attempted | Forward retry attempted. |
| retry_succeeded | Forward retry succeeded. |
| retry_exhausted | Forward retry budget exhausted. |
| last_event_at | Timestamp of the last local relay protection event. |
The important rule: these are node counters only. They are not message-level logs and are not user-level analytics.
peer_health_summary
peer_health_summary is a per-peer health bucket summary. It lets a node know which peers appear healthy, degraded, failing, or quarantined without revealing user communication.
Allowed fields include:
- node_id_prefix
- health
- descriptor health
- source bucket
- last successful gossip age
- route success and failure counts
- last route failure reason bucket
- relay rejection counts
- relay loop/replay/rate-limit/quarantine counts
- quarantine remaining seconds
- last relay rejection or quarantine reason bucket
Not allowed:
- full node public keys in the operator UI
- route IDs
- endpoints
- encrypted blobs
- message IDs
- client public IPs
- destinations
- payloads
- social graph edges
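The runtime.blind_relay counters and the peer_health_summary buckets above can be produced by a guard that looks only at the envelope routing header. The following is an added example written for this page, not AeroNyx's chat_peer.rs or peer_store.rs: the envelope layout (nonce, prev_hop, hop_ttl, opaque payload), the rate and strike caps, and the health-bucket thresholds are all assumptions, and the payload bytes are never touched.

```rust
use std::collections::{HashMap, HashSet};

/// Aggregate node counters (subset of runtime.blind_relay); nothing message-level is kept here.
#[derive(Default, Debug)]
pub struct BlindRelayStats { pub received: u64, pub rejected: u64, pub loop_detected: u64,
    pub replay_dropped: u64, pub rate_limited: u64, pub quarantined: u64, pub quarantine_started: u64 }

/// Routing header plus an opaque payload; the guard only ever reads the header (assumed layout).
pub struct Envelope { pub nonce: [u8; 16], pub prev_hop: [u8; 32], pub hop_ttl: u8, pub payload: Vec<u8> }

#[derive(Debug, PartialEq)]
pub enum Decision { Forward, Loop, Replay, RateLimited, Quarantined }

/// Per previous-hop relay state: a rate window, a strike count and the quarantine flag.
#[derive(Default)] struct PeerRelay { window_count: u32, strikes: u32, quarantined: bool }

pub struct Guard { pub stats: BlindRelayStats, self_id: [u8; 32], seen: HashSet<[u8; 16]>,
    peers: HashMap<[u8; 32], PeerRelay>, rate_cap: u32, strike_cap: u32 }

impl Guard {
    pub fn new(self_id: [u8; 32], rate_cap: u32, strike_cap: u32) -> Self {
        Guard { stats: BlindRelayStats::default(), self_id, seen: HashSet::new(),
                peers: HashMap::new(), rate_cap, strike_cap }
    }
    /// Loop, replay, rate-limit and quarantine decisions from the header alone (TTL left to the forwarder).
    pub fn inspect(&mut self, env: &Envelope) -> Decision {
        self.stats.received += 1;
        let peer = self.peers.entry(env.prev_hop).or_default();
        if peer.quarantined { self.stats.quarantined += 1; self.stats.rejected += 1; return Decision::Quarantined; }
        peer.window_count += 1;
        let verdict = if env.prev_hop == self.self_id { self.stats.loop_detected += 1; Decision::Loop }
            else if !self.seen.insert(env.nonce) { self.stats.replay_dropped += 1; Decision::Replay }
            else if peer.window_count > self.rate_cap { self.stats.rate_limited += 1; Decision::RateLimited }
            else { return Decision::Forward };
        // Every rejection is a strike against the previous hop; enough strikes start quarantine.
        self.stats.rejected += 1;
        peer.strikes += 1;
        if peer.strikes >= self.strike_cap { peer.quarantined = true; self.stats.quarantine_started += 1; }
        verdict
    }
    /// Privacy-safe peer_health_summary row: 8-hex-char node-id prefix plus a bucket (thresholds assumed).
    pub fn peer_health(&self, id: &[u8; 32]) -> (String, &'static str) {
        let prefix = id[..4].iter().map(|b| format!("{:02x}", b)).collect::<String>();
        let bucket = match self.peers.get(id) {
            Some(p) if p.quarantined => "quarantined",
            Some(p) if p.strikes * 2 >= self.strike_cap => "failing",
            Some(p) if p.strikes > 0 => "degraded",
            _ => "healthy",
        };
        (prefix, bucket)
    }
}
```

Note that the replay memory is unbounded here; a real node would age nonces out, and would reset window_count once per rate interval.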
Current file paths
| Layer | File path | Role |
|---|---|---|
| Rust blind relay API | /root/open/AeroNyx/crates/aeronyx-server/src/api/chat_peer.rs | Applies loop, replay, rate-limit, and quarantine decisions without parsing payloads. |
| Rust PeerStore | /root/open/AeroNyx/crates/aeronyx-server/src/services/peer_store.rs | Stores aggregate peer relay health and emits peer_health_summary. |
| Rust health API | /root/open/AeroNyx/crates/aeronyx-server/src/api/vpn_health.rs | Exposes local privacy-safe health JSON. |
| Rust heartbeat reporter | /root/open/AeroNyx/crates/aeronyx-server/src/management/reporter.rs | Sends aggregate status in node heartbeat metadata. |
| Backend observability | /root/aeronyx/privacy_network/api/vpn_observability.py | Passes owner-scoped node system metadata to nodeboard. |
| nodeboard types | /root/open/nodeboard/types/index.ts | Defines DiscoveryBlindRelayStats, DiscoveryPeerHealthSummary, and related rows. |
| nodeboard detail UI | /root/open/nodeboard/app/dashboard/nodes/[id]/page.tsx | Renders Security / Relay Protection inside Discovery. |
| nodeboard i18n | /root/open/nodeboard/lib/i18n/index.ts | Provides multilingual operator labels and privacy-boundary copy. |
Operator workflow
Open https://app.aeronyx.network, select a node, then inspect:
- Discovery for peer count, valid peers, gossip freshness, bootstrap source, seed recovery, and peer cache state.
- Relay foundation for Rust-authored discovery readiness.
- Security / Relay Protection for loop detection, replay drops, rate limits, quarantine counters, and peer health buckets.
- Recent discovery audit for privacy-safe control-plane events.
If loop_detected, replay_dropped, rate_limited, quarantined, or quarantine_started increases, treat it as node-level abuse or instability evidence. It is not evidence of a specific user conversation.
How this supports future multi-hop and onion-style routing
Multi-hop and onion-style routing require the base network to reject bad relay behavior before route construction becomes more complex.
Blind Relay Abuse Guard provides:
- bounded relay failure counters
- previous-hop abuse containment
- peer quarantine state
- replay protection evidence
- route health buckets
- operator visibility without payload visibility
This keeps the foundation compatible with future layered encryption, cover-traffic research, and agent-to-agent encrypted services.
Developer rules
When extending this area:
- Add only aggregate counters or reason buckets to nodeboard.
- Do not add route IDs, endpoint lists, full node public keys, message IDs, payload hashes, client IPs, or destination fields.
- Keep Rust relay logic blind to payload_b64 contents.
- Keep nodeboard under Node Detail / Discovery unless the data becomes a fleet-level decision surface.
- Update this page whenever a new protection counter or peer-health bucket is added.