randomized failover intrusion tolerant systems rfits l.
Skip this Video
Loading SlideShow in 5 Seconds..
Randomized Failover Intrusion-Tolerant Systems (RFITS) PowerPoint Presentation
Download Presentation
Randomized Failover Intrusion-Tolerant Systems (RFITS)

Loading in 2 Seconds...

play fullscreen
1 / 15

Randomized Failover Intrusion-Tolerant Systems (RFITS) - PowerPoint PPT Presentation

  • Uploaded on

Randomized Failover Intrusion-Tolerant Systems (RFITS). Ranga Ramanujan, Maher Kaddoura, Carla Marceau, Clint Sanders, Doug Harper, David Baca Architecture Technology Corporation (ATC) ATC-NY (formerly Odyssey Research Associates) DARPA OASIS PI Meeting August 20, 2002. Project Introduction.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Randomized Failover Intrusion-Tolerant Systems (RFITS)' - base

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
randomized failover intrusion tolerant systems rfits

Randomized Failover Intrusion-Tolerant Systems (RFITS)

Ranga Ramanujan, Maher Kaddoura, Carla Marceau, Clint Sanders, Doug Harper, David Baca

Architecture Technology Corporation (ATC)

ATC-NY (formerly Odyssey Research Associates)


August 20, 2002

project introduction
Project Introduction
  • Objective
    • Demonstrate viability of randomized failover concept for building survivable network applications
  • What is randomized failover?
    • Approach for system survivability based on the notion that attackers can be thwarted by making the failover process invoked by the system upon detection of an attack appear unpredictable or “random”
      • large failover space makes it difficult for attacker to acquire knowledge of system state needed to adapt attack
  • Focus on network borne denial-of-service attacks
    • Flooding (packet, service request)
    • Host takedown
project introduction cont d
Project Introduction (Cont’d)
  • Accomplishment to date
    • Developed handbook of survivability design patterns
      • Survivable information transport services
      • Survivable server groups
    • Applied selected design patterns to develop VPNshield
    • Completed prototype implementation of VPNshield
      • Demo at DARPAtech 2002
      • Network 2002 paper
    • Completed initial prototype of FlowShield
    • Developed design of DoS-resistant JMS
    • Participated in Peer Review Validation of VPNshield
flowshield design goals
FlowShield Design Goals
  • Protect mission-critical information flows from flooding DoS attacks
    • protection on per packet flow basis
    • guaranteed share of access link bandwidth for protected packet flows
    • application transparent
    • no changes to existing core network infrastructure
  • Supplement infrastructure based DDoS defenses
flowshield approach overview
FlowShield Approach Overview
  • Packet flows are uniquely identified by their flow labels ( source IP addr., dest. IP address)
  • For each protected flow, the FlowShield endpoint reserves a fraction of the access link bandwidth
  • Upon detection of a flooding attack, FlowShield endpoints “transmute” the label of the protected flow
  • Access link reservation for old flow label is canceled. Reservation installed for new label
flowshield appliance based implementation
FlowShield: Appliance Based Implementation
  • FlowShield appliance at boundary of edge network embeds mechanisms for
    • detection of flooding attacks
    • flow label transformation and link re-provisioning
flowshield appliance based implementation cont d
FlowShield: Appliance Based Implementation (Cont’d)
  • FlowShield POP appliance(s) associated with each edge appliance
    • serves as tunnel concatenation device
assumptions about threat environment
Assumptions About Threat Environment
  • Flooding attacks are launched from the edge of the shared, public network. Attacker does not have access to core of the shared network.
  • Shared secrets between FlowShield appliances are adequately protected against compromise
  • Volume of traffic may be sufficient to inundate access link but not sufficient to disrupt operation of service provider network
applying rfits techniques to protect jms from flooding attacks
Applying RFITS Techniques to Protect JMS from Flooding Attacks
  • The Java Message Service (JMS) specification defines a messaging interface for Java applications.
    • It supports both queuing and publish/subscribe.
  • Message-based applications are vulnerable to denial of service attacks at the messaging level.
    • Attacker can flood message service with spurious messages.
    • Prevents application from acting on real messages.
  • Such attacks may not be visible at the network level
    • “Life-cycle” attacks
    • Rogue JMS client planted by insider
      • Access control may not prevent attacks
    • Programming errors
jms channel partitioning13
JMS Channel Partitioning
  • To survive DOS attack by client

When client requests topic for “T” through JNDI interface, assign alias topic Tk instead of T itself.

    • Maintain the Tk  T partition mapping at the service center.
    • If client launches DOS attack on topic Tk, invalidate topic Tk and refuse new topic requests from client host associated with topic Tk.
  • Other message service clients continue to function
    • Clients communicating through other aliases for T
    • New clients requesting topic for “T” from other hosts
  • Why does this work?
    • Each client is segregated into a distinguishable topic, which can be invalidated selectively.
  • This defense is also effective for message queues.
distributed jms with local topic aliases
Distributed JMS with Local Topic Aliases

Message to T

Y manages topic T

Message to T2

Delivered from T4

conclusion and future plans
Conclusion and Future Plans
  • Demonstrated application of RFITS survivability design patterns to protect information flows at different levels of granularity
    • aggregated flows (VPNshield)
    • individual flows (FlowShield)
    • pub/sub messaging (DoS-resistant JMS)
  • Planned work
    • Prototype implementation of FlowShield appliances
    • FlowShield customization for CECOM SMS
    • Refine and extend design of DoS-resistant JMS