Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Doug Long Architecture Technology Corporation Odyssey Research Associates DARPA OASIS PI Meeting February 14, 2001

Project Background Research Objective –Develop and demonstrate design techniques for building survivable information systems Organic survivability mechanisms to resist DoS attacks Focus on real-time, high availability military systems RFITS Approach –Sustain system operation at an acceptable service level from the time a DoS attack starts to the time the attack is neutralized and the system is reconstituted –Tactics employed by RFITS survivability techniques include Dodging Elusiveness Obfuscation Information hiding Camouflage

Project Background (Cont’d) Project deliverables –RFITS Application Handbook Compilation of design patterns for building survivable systems. Each entry will include –Motivation –Applicability (Usage scenarios) –Attacks addressed –Design assumptions –Implementation issues –Prototype Software Two-pronged approach for deriving RFITS techniques –Analysis of candidate mission-critical systems –Bottom-up analysis of foundation services for high-availability systems

Accomplishments Completed analysis of two candidate systems –Location-Aware Wireless Network Services (LAWNS) –Satellite based information dissemination services Completed analysis of internal clock synchronization protocols Developed initial set of design patterns for survivable systems, including –Dynamic address reconfiguration –Randomized dispatcher –Callback –Survivable clock synchronization –Fail-stop processors

Dynamic Address Reconfiguration Applicability - Protects many-to-one and one- to-many client-server interactions against DDoS attacks Attacks addressed - spoofed packet floods * host resource depletion * network access link depletion Assumptions - Clients are “known” to server - Clients are trustworthy - Attack traffic generated by non-clients

Dynamic Address Reconfiguration (Cont’d) Service provided (Policy enforced) Choke off attack traffic as close as possible to the source Operation of mechanism - Destination S can only be reached indirectly via IP multicast address, say M1 - Router R configured to filter out all downstream traffic except multicast packets - Upon detecting a flooding attack, S switches to a new multicast address M2 and securely notifies clients; it also de-registers from M1 - Clients send packets to M2; spoofed traffic goes to M1and is filtered out at R5 and R6

Alternative Implementation Uses “eluding” tactic versus “dodging” Destination periodically switches to a new multicast address and notifies all clients via secure channels Incurs higher performance overhead but is provides better protection against sophisticated snoopers Stronger protection may require camouflaging techniques to counter traffic analysis

Some Implementation Issues Hiding source addresses of responses from S –Use “deflector” pattern Scaling to large number of clients –Recursively apply pattern Protection against snoopers close to client –Use “deflector” pattern Accommodating legacy TCP applications –Split connection using proxy pair Supporting multiple services behind single access link –Use reserved virtual pipes S III CCCCCC

Randomized Dispatcher Applicability - Enables survivable server groups that are resistant to host disabling attacks Attacks addressed - “single shot” host takedown, e.g., IP stack attack Assumptions - diversity of host implementations - legitimate clients are “known” - attacks do not originate at clients - server group availability services protected by “hardcore” techniques Servers are configured in a multicast group. Flows are continually switched between servers in the group (information hiding).

Composite Technique Service provided (Policy enforced) - Dynamic address reconfiguration and randomized dispatching in tandem deflect offending traffic from victim Operation of mechanism - Anomaly based detection of host attack triggers server group address reconfiguration - Address reconfiguration is propagated through “suspected” portions of the network - supports efficient localized recovery S I1I2I3 CCCCCC

Callback Applicability - Survivable dial-on-demand link set-up between IP subnets Attacks addressed - dial port flooding Operation - Upon detecting an attack, victim router calls back a “randomly” chosen detour router - Primary router tunnels all packets for victim through the detour router Assumptions - callback list on victim router is not known to attacker - security association exists between detour routers and primary router

Intrusion-Tolerant Clock Synchronization Fault-Tolerant external protocols offer partial protection. But can still be defeated by malicious attack on the communication infrastructure. Must protect individual nodes from malicious attack.

Two-Phase Clock Synchronization Protocol Multiple local clocks at each node. Network round synchronizes a representative clock from each node. Node round synchronizes local clocks. Limited responsiveness to adjustment protects node’s time value. Phase I Phase II

Benefits Strictly better than single-phase protocol: hardened node can temporarily resist complete attack. Compatible with network synchronization protocol: node’s participation or not in second phase is transparent to first phase. Innate responsiveness on the order of the node’s latency. Responsiveness can be adjusted upward to manage tradeoff with protection.

Intrusion-Tolerant Fail-Stop Processors Traditional Fail-Stop Processor magnifies attack Voting strategy does not guarantee fail-stop property Secret sharing techniques offer alternative approach P1P1 P2P2 P3P3 P4P4 C

Secret Sharing Share a secret among N trustees, such that –Any K trustees can reconstruct secret –No set of K-1 trustees can reconstruct secret Variants –Re-shareable secrets –Function sharing –Dynamic re-sharing

Fail-Stop Processor Split a function among N processors As long as K processors are available to compute the function, the processor is able to function If fewer than K processors are available, then shutdown Guarantees fail-stop property without attack magnification

Candidate Targets for Demonstrating RFITS Techniques Location-Aware Wireless Network Service (LAWNS) –geographically targeted unicast and multicast delivery of information to mobile users –range-restricted information dissemination –geographic routing services overlayed over IP routing –DoD applications include marine expeditionary forces, extended littoral battlefield, Future Combat System USCG Secure Information Dissemination System –enables information exchange between on-shore resources and mobile platforms (cutters and aircraft) over dial-up commercial satellite services –DoD applications include OTH intra battle group communication and submarine SATCOM services Agent-based logistics plan monitoring system Network services for split-base operations

Task Schedule