
Randomized Failover Intrusion Tolerant Systems (RFITS)
Ranga Ramanujan
Architecture Technology Corporation
Odyssey Research Associates
DARPA OASIS PI Meeting, July 24, 2001
Architecture Technology Corporation: Specialists in Computer Architecture
Background - Research Goals
- Develop and demonstrate organic survivability techniques for mission-critical GIG applications
- Focus on network-borne DDoS attacks: packet flooding, host take-down
Background - RFITS Approach
- Attacker needs knowledge of vulnerabilities, choke points, and system "posture"
- Randomized failover makes prediction of system posture difficult and buys sufficient time for attack neutralization to be accomplished
Status
• Completed and delivered RFITS Applications Handbook
  • Compilation of survivability design patterns
  • Primarily targeted towards two kinds of middleware services
    • Survivable information transport services (SITS)
    • Survivable server groups (SSG)
• Commenced prototype implementation of selected RFITS techniques
• This presentation focuses on a subset of SITS techniques
SITS Technique #1
- Applicability: protects many-to-one and one-to-one information flows against DDoS attacks
- Attacks addressed: spoofed packet floods
- Assumptions: an a priori security association exists between end points; attack traffic is generated by outsiders
- Technique chokes off attack traffic as close as possible to the source
SITS Technique #1 (Cont'd)
- Destination S can only be reached via an IP multicast address, say M1
- Using RSVP, router R1 is configured to filter out all downstream traffic except multicast packets
- Upon detecting a flooding attack, S switches to a new multicast address M2 and securely notifies clients; it also de-registers from M1
- Clients send packets to M2; spoofed traffic goes to M1 and is filtered out at R5 and R6
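A small simulation of Technique #1, added here as an illustration and not part of the original presentation or the ATC prototype: S is reachable only through a multicast group, the router forwards multicast only and prunes groups with no registered receiver, packets lacking a valid client MAC (the a priori security association) count toward a flood threshold, and on detection S de-registers from M1 and moves to a randomly chosen fresh group that authenticated clients follow. The address pool, shared key, threshold, packet format and traffic mix are constructed assumptions.

```python
import hmac, hashlib, random

MULTICAST_POOL = ["M1", "M2", "M3", "M4"]      # constructed pool of multicast addresses
SHARED_KEY = b"constructed-client-server-key"  # models the a priori security association

def tag(src, payload):                         # keyed MAC that only real clients can produce
    return hmac.new(SHARED_KEY, f"{src}|{payload}".encode(), hashlib.sha256).hexdigest()

class Router:                                  # R1's RSVP filter plus the multicast tree (R5/R6)
    def __init__(self):
        self.groups, self.dropped = {}, 0      # group -> registered receivers
    def join(self, group, rx): self.groups.setdefault(group, set()).add(rx)
    def leave(self, group, rx): self.groups.get(group, set()).discard(rx)
    def forward(self, pkt):
        rxs = self.groups.get(pkt["dst"]) if pkt["dst"].startswith("M") else None
        if not rxs:
            self.dropped += 1                  # unicast, or a group S has de-registered from
        else:
            for rx in list(rxs):
                rx.receive(pkt)

class Server:                                  # destination S
    def __init__(self, router, threshold, seed):
        self.router, self.threshold, self.rng = router, threshold, random.Random(seed)
        self.group, self.unexpected, self.spoofed, self.delivered = None, 0, 0, 0
        self.switch(MULTICAST_POOL[0])
    def switch(self, group):
        if self.group:
            self.router.leave(self.group, self)  # de-register from the old address
        self.group, self.unexpected = group, 0   # clients read .group: the secure notification
        self.router.join(group, self)
    def receive(self, pkt):
        if pkt["mac"] == tag(pkt["src"], pkt["payload"]):
            self.delivered += 1
        else:                                    # forged source, no valid MAC
            self.unexpected, self.spoofed = self.unexpected + 1, self.spoofed + 1
            if self.unexpected >= self.threshold:  # flood detected: randomized failover
                self.switch(self.rng.choice([g for g in MULTICAST_POOL if g != self.group]))

def client_send(router, name, group, payload):
    router.forward({"src": name, "dst": group, "payload": payload, "mac": tag(name, payload)})

def run(threshold=3, flood=10, seed=7):
    s = Server(Router(), threshold, seed)
    for c in ("C1", "C2"): client_send(s.router, c, s.group, "hello")        # legitimate traffic on M1
    for i in range(flood):                                                   # outsider floods M1 with forged src
        s.router.forward({"src": "C1", "dst": "M1", "payload": f"junk{i}", "mac": "forged"})
    s.router.forward({"src": "X", "dst": "S", "payload": "direct", "mac": "forged"})  # unicast: blocked at R1
    for c in ("C1", "C2"): client_send(s.router, c, s.group, "still here")   # clients follow S to the new address
    return s
```

Only `threshold` spoofed packets reach S before the failover; every later packet aimed at M1 is dropped because no receiver is registered, which is the choke-off close to the source that the slide describes.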
SITS Technique #2
• Protects many-to-one information flows against attack traffic generated by an insider
SITS Technique #2 (Cont'd)
• Clients partitioned among multiple multicast channels
• Upon detection of a flooding attack, the suspect group is re-partitioned among new multicast channels
• Enables isolation and choking off of attack traffic close to the source
SITS Technique #3
- Variant of technique #1
- Uses source-specific multicast (SSM) to conserve multicast addresses
- S selects sources C1 and C2 for its address M1
- Using RSVP, router R1 is configured to filter out all downstream traffic except multicast packets from C1 and C2
- Upon detecting a flooding attack, C1 and C2 are reconfigured with new source addresses
- S associates M1 with the new addresses of C1 and C2
- Using RSVP, R1 is configured with new filters for C1 and C2
SITS Technique #4
• Variant of technique #3
• Uses unicast destination addresses instead of multicast addresses
• Can be deployed on today's Internet; not dependent on widespread deployment of IP multicast
• However, unlike technique #3, it filters attack traffic at R1 instead of close to the source at R5 and R6
VPN Gateway Prototype
• Interconnects geographically distributed sub-nets of an enterprise-wide private network using secure, DoS-resistant VPNs
• Implementation status
  • Unit testing of VPN gateway software completed; integration testing in progress
  • Initial release of prototype to be completed by Sept. 1, 2001
  • Final release scheduled for December 2001
Planned Prototyping Effort
• Initial RFITS Prototyping - Dec. 2001
  • Standalone demonstration of prototype products implementing RFITS survivability techniques
    • RFITS VPN Gateway
    • RFITS VPN Client
• Final RFITS Prototyping - Sept. 2002
  • Enterprise-wide survivable application using an integrated set of RFITS techniques