Slide 1: Randomized Failover Intrusion Tolerant Systems (RFITS)
Ranga Ramanujan
Architecture Technology Corporation / Odyssey Research Associates
DARPA OASIS PI Meeting, July 24, 2001
Architecture Technology Corporation - Specialists in Computer Architecture
Slide 2: Background - Research Goals
- Develop and demonstrate organic survivability techniques for mission-critical GIG applications
- Focus on network-borne DDoS attacks
  • packet flooding
  • host take-down
[Diagram: Shared IP backbone network; ASP 1 private virtual network 10.1.x.x with 10.1.1.x, 10.1.2.x and 10.1.3.x sub-nets; ASP 2 and ASP 3 networks]
Slide 3: Background - RFITS Approach
- Attacker needs knowledge of
  • vulnerabilities
  • choke points
  • system "posture"
- Randomized failover makes prediction of system posture difficult
  • buys sufficient time for attack neutralization to be accomplished
Slide 4: Status
- Completed and delivered RFITS Applications Handbook
  • Compilation of survivability design patterns
  • Primarily targeted towards two kinds of middleware services
    – Survivable information transport services (SITS)
    – Survivable server groups (SSG)
- Commenced prototype implementation of selected RFITS techniques
- This presentation focuses on a subset of SITS techniques
Slide 5: SITS Technique #1
Applicability
- Protects many-to-one and one-to-one information flows against DDoS attacks
Attacks addressed
- Spoofed packet floods
Assumptions
- A priori security association exists between end points
- Attack traffic generated by outsiders
Technique chokes off attack traffic as close as possible to the source
[Diagram: destination S behind router R1; clients C1 and C2 and spoofers X1 and X2 attached through routers R2 to R7]
Slide 6: SITS Technique #1 (Cont'd)
- Destination S can only be reached via an IP multicast address, say M1
- Using RSVP, router R1 is configured to filter out all downstream traffic except multicast packets
- Upon detecting a flooding attack, S switches to a new multicast address M2 and securely notifies clients; it also de-registers from M1
- Clients send packets to M2; spoofed traffic goes to M1 and is filtered out at R5 and R6
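The failover sequence of Technique #1 as an added simulation (not RFITS project code): S is joined to one multicast group at a time, edge routers forward only groups S is still joined to, and the switch notice is authenticated with a shared key standing in for the a priori security association. The key, addresses M1/M2, client and spoofer names and the flood threshold are constructed for the example; the RSVP filter at R1 is not modelled.

```python
import hmac
import hashlib
from collections import Counter
KEY = b"constructed-security-association"  # stands in for the a priori association

def mac(msg: bytes) -> bytes:
    # Authentication tag on a failover notice; clients verify it before switching.
    return hmac.new(KEY, msg, hashlib.sha256).digest()

class Server:
    def __init__(self, group: str, threshold: int):
        self.group = group          # the only multicast address S is joined to (M1)
        self.threshold = threshold  # packets per interval that count as a flood
    def receive(self, packets: list) -> dict:
        # Deliver one interval of forwarded traffic; fail over if it is a flood.
        mine = [p for p in packets if p["group"] == self.group]
        notice = None
        if len(mine) > self.threshold:
            # Join M2 and de-register from M1, then securely notify the clients.
            self.group = "M" + str(int(self.group[1:]) + 1)   # M1 -> M2 -> M3 ...
            msg = f"switch:{self.group}".encode()
            notice = (msg, mac(msg))
        return {"delivered": dict(Counter(p["src"] for p in mine)), "notice": notice}

class Client:
    def __init__(self, name: str, group: str):
        self.name, self.group = name, group
    def on_notice(self, msg: bytes, tag: bytes) -> None:
        # A notice with a bad tag is ignored, so a spoofer cannot redirect clients.
        if hmac.compare_digest(mac(msg), tag):
            self.group = msg.decode().split(":", 1)[1]

def edge_forward(packets: list, joined: str) -> tuple:
    # Edge routers (R5, R6) forward a group only while S is still joined to it.
    fwd = [p for p in packets if p["group"] == joined]
    return fwd, len(packets) - len(fwd)

def simulate(rounds: int = 2, flood: int = 20) -> list:
    s, clients = Server("M1", threshold=5), [Client("C1", "M1"), Client("C2", "M1")]
    log = []
    for _ in range(rounds):
        pkts = [{"src": c.name, "group": c.group} for c in clients]
        pkts += [{"src": "X1", "group": "M1"}] * flood  # spoofers only know M1
        fwd, dropped = edge_forward(pkts, s.group)
        res = s.receive(fwd)
        if res["notice"]:
            for c in clients:
                c.on_notice(*res["notice"])
        log.append({"group": s.group, "dropped_at_edge": dropped, "delivered": res["delivered"]})
    return log
```

In the first interval the flood reaches S and triggers the switch to M2; in the second, spoofed packets still addressed to M1 are dropped at the edge while the notified clients reach S on M2.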
Slide 7: SITS Technique #2
Protects many-to-one information flows against attack traffic generated by an insider
[Diagram: server with client groups, each client group mapped to its own multicast (MC) group]
Slide 8: SITS Technique #2
- Clients partitioned among multiple multicast channels
- Upon detection of a flooding attack, the suspect group is re-partitioned among new multicast channels
- Enables isolation and choking off of attack traffic close to the source
[Diagram: server, client groups and their multicast (MC) groups, before and after re-partitioning]
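The re-partitioning loop of Technique #2 as an added example (not RFITS project code): the server sees only aggregate load per multicast channel, splits any channel that floods into fresh channels, and chokes off a client once it is alone on a flooding channel. It generalizes the slide to several insiders at once; client names, per-client traffic volumes, the threshold and the MC channel naming are constructed.

```python
from itertools import count

def partition(clients: list, k: int) -> list:
    # Initial partitioning: clients dealt round-robin into k multicast channels.
    return [clients[i::k] for i in range(k)]

def isolate_insiders(clients: list, traffic: dict, k: int = 4, threshold: int = 10):
    # traffic maps each client to the packets per interval it sends on its channel.
    # Returns (clients choked off, number of re-partition rounds, final channels).
    chan_id = count(1)
    channels = {f"MC{next(chan_id)}": grp for grp in partition(clients, k) if grp}
    isolated, rounds = [], 0
    while True:
        # The server only sees aggregate load per multicast channel, not per client.
        load = {ch: sum(traffic[c] for c in grp) for ch, grp in channels.items()}
        suspect = [ch for ch, total in load.items() if total > threshold]
        if not suspect:
            return isolated, rounds, channels
        rounds += 1
        for ch in suspect:
            grp = channels.pop(ch)
            if len(grp) == 1:
                isolated.append(grp[0])   # insider now alone: choke it off at the source
                continue
            # Suspect group re-partitioned among fresh channels; other channels untouched.
            half = len(grp) // 2
            for part in (grp[:half], grp[half:]):
                channels[f"MC{next(chan_id)}"] = part

def demo() -> tuple:
    # Constructed scenario: eight clients, C5 is the insider flooding its channel.
    clients = [f"C{i}" for i in range(1, 9)]
    traffic = {c: 1 for c in clients}
    traffic["C5"] = 50
    return isolate_insiders(clients, traffic)
```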
Slide 9: SITS Technique #3
- Variant of technique #1
- Uses source selective multicast (SSM) to conserve multicast addresses
- S selects sources C1 and C2 for its address M1
- Using RSVP, router R1 is configured to filter out all downstream traffic except multicast packets from C1 and C2
- Upon detecting a flooding attack, C1 and C2 are reconfigured with new source addresses
- S associates M1 with the new addresses of C1, C2
- Using RSVP, R1 is configured with new filters for C1, C2
[Diagram: destination S behind router R1; clients C1 and C2 and spoofers X1 and X2 attached through routers R2 to R7]
Slide 10: SITS Technique #4
- Variant of technique #3
- Uses unicast destination addresses instead of multicast addresses
  • Can be deployed on today's Internet; not dependent on widespread deployment of IP multicast
- However, unlike technique #3, filters attack traffic at R1 instead of close to the source at R5 and R6
[Diagram: destination S behind router R1; clients C1 and C2 and spoofers X1 and X2 attached through routers R2 to R7]
Slide 11: VPN Gateway Prototype
- Interconnects geographically distributed sub-nets of an enterprise-wide private network using secure, DoS-resistant VPNs
- Implementation status
  • Unit testing of VPN gateway software completed; integration testing in progress
  • Initial release of prototype to be completed by Sept. 1, 2001
  • Final release scheduled for December 2001
[Diagram: VPN Gateway 1 (10.10.1.x subnet) and VPN Gateway 2 (10.10.2.x subnet) connected through ISP routers across the public Internet, forming the enterprise-wide private network]
Slide 12: Planned Prototyping Effort
- Initial RFITS Prototyping - Dec. 2001
  • Standalone demonstration of prototype products implementing RFITS survivability techniques
    – RFITS VPN Gateway
    – RFITS VPN Client
- Final RFITS Prototyping - Sept. 2002
  • Enterprise-wide survivable application using an integrated set of RFITS techniques