Randomized Failover Intrusion Tolerant Systems (RFITS)

Randomized Failover Intrusion Tolerant Systems (RFITS). Ranga Ramanujan Architecture Technology Corporation Odyssey Research Associates DARPA OASIS PI Meeting July 24, 2001. Architecture Technology Corporation Specialists in Computer Architecture. Background - Research Goals.


Presentation Transcript


  1. Randomized Failover Intrusion Tolerant Systems (RFITS)
     Ranga Ramanujan
     Architecture Technology Corporation
     Odyssey Research Associates
     DARPA OASIS PI Meeting
     July 24, 2001
     Architecture Technology Corporation: Specialists in Computer Architecture

  2. Background - Research Goals
     - Develop and demonstrate organic survivability techniques for mission-critical GIG applications
     - Focus on network-borne DDoS attacks
       - packet flooding
       - host take-down

  3. Background - RFITS Approach
     - Attacker needs knowledge of
       - vulnerabilities
       - choke points
       - system “posture”
     - Randomized failover
       - makes prediction of system posture difficult
       - buys sufficient time for attack neutralization to be accomplished

  4. Status
     • Completed and delivered RFITS Applications Handbook
       • Compilation of survivability design patterns
       • Primarily targeted towards two kinds of middleware services
         • Survivable information transport services (SITS)
         • Survivable server groups (SSG)
     • Commenced prototype implementation of selected RFITS techniques
     • This presentation focuses on a subset of SITS techniques

  5. SITS Technique #1
     - Applicability: protects many-to-one and one-to-one information flows against DDoS attacks
     - Attacks addressed: spoofed packet floods
     - Assumptions:
       - A priori security association exists between end points
       - Attack traffic generated by outsiders
     - Technique chokes off attack traffic as close as possible to the source

  6. SITS Technique #1 (Cont’d)
     - Destination S can only be reached via IP multicast address, say M1
     - Using RSVP, router R1 configured to filter out all downstream traffic except multicast packets
     - Upon detecting a flooding attack, S switches to a new multicast address M2 and securely notifies clients; it also de-registers from M1
     - Clients send packets to M2; spoofed traffic goes to M1 and is filtered out at R5 and R6

  7. SITS Technique #2
     • Protects many-to-one information flows against attack traffic generated by insider

  8. SITS Technique #2
     • Clients partitioned among multiple multicast channels
     • Upon detection of a flooding attack, suspect group is re-partitioned among new multicast channels
     • Enables isolation and choking off of attack traffic close to source

  9. SITS Technique #3
     - Variant of technique #1
     - Uses source selective multicast (SSM) to conserve multicast addresses
     - S selects sources C1 and C2 for its address M1
     - Using RSVP, router R1 configured to filter out all downstream traffic except multicast packets from C1 and C2
     - Upon detecting a flooding attack, C1 and C2 reconfigured with new source addresses
     - S associates M1 with new addresses of C1, C2
     - Using RSVP, R1 is configured with new filters for C1, C2

  10. SITS Technique #4
      • Variant of technique #3
      • Uses unicast destination addresses instead of multicast addresses
      • Can be deployed on today’s Internet; not dependent on widespread deployment of IP multicast
      • However, unlike technique #3, filters attack traffic at R1 instead of close to the source at R5 and R6

  11. VPN Gateway Prototype
      • Interconnects geographically distributed sub-nets of an enterprise-wide private network using secure, DoS-resistant VPNs
      • Implementation status
        • Unit testing of VPN gateway software completed; integration testing in progress
        • Initial release of prototype to be completed by Sept. 1, 2001
        • Final release scheduled for December 2001

  12. Planned Prototyping Effort
      • Initial RFITS Prototyping - Dec. 2001
        • Standalone demonstration of prototype products implementing RFITS survivability techniques
          • RFITS VPN Gateway
          • RFITS VPN Client
      • Final RFITS Prototyping - Sept. 2002
        • Enterprise-wide survivable application using integrated set of RFITS techniques
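
The failover step of SITS Technique #1 (slide 6), sketched as an added example that is not taken from the presentation or the RFITS prototype: S picks an unpredictable new group M2, notifies clients under the a priori security association, and traffic still aimed at M1 is no longer forwarded. The address pool, the notice format (sequence number and group under HMAC-SHA256) and the one-line router model are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Assumed address pool inside the administratively scoped 239.0.0.0/8 range.
POOL = ipaddress.ip_network("239.1.0.0/16")

def pick_group(current):
    """S side: pick an unpredictable new multicast group (M2) different from M1."""
    while True:
        candidate = POOL[secrets.randbelow(POOL.num_addresses)]
        if candidate != current:
            return candidate

def make_notice(key, seq, group):
    """S side: failover notice authenticated under the shared key (assumed format)."""
    body = f"{seq}|{group}".encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

class Client:
    def __init__(self, key, group):
        self.key, self.group, self.last_seq = key, group, 0

    def handle_notice(self, body, tag):
        """Follow S to the new group only if the MAC verifies and seq is fresh."""
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False          # forged notice: stay on the current group
        seq, group = body.decode().split("|")
        if int(seq) <= self.last_seq:
            return False          # replayed or stale notice
        self.last_seq, self.group = int(seq), ipaddress.ip_address(group)
        return True

def router_forwards(registered_group, dst):
    """Simplified router model: only the group S is registered on is forwarded."""
    return dst == registered_group

def demo():
    key = secrets.token_bytes(32)              # constructed security association
    m1 = ipaddress.ip_address("239.1.0.1")     # constructed initial group M1
    client, m2 = Client(key, m1), pick_group(m1)   # flood detected: S moves to M2
    body, tag = make_notice(key, 1, m2)
    return {"forged": Client(key, m1).handle_notice(body, bytes(32)),
            "accepted": client.handle_notice(body, tag),
            "replayed": client.handle_notice(body, tag),
            "client_reaches_s": router_forwards(m2, client.group),
            "flood_to_m1_reaches_s": router_forwards(m2, m1)}
```

The sequence number matters because a captured old notice would otherwise let an outsider steer clients back to a group S has already abandoned.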
