
Getting Close to the
Forward-based Defense with QFIRE
June 3, 2011
QFIRE Pilot Lead, NSA/Technology Directorate

Derived From: NSA/CSSM 1-52, Dated: 20070108, Declassify On: 20360401

Abstract

(TS//SI//REL) The goal of forward-based defense is to detect and mitigate malicious threats in real-time, as close to the source as possible. It is part of a layered defense strategy with four concentric zones: endpoint-, perimeter-, aggregation-, and forward-based defenses. The QUANTUMTHEORY mission leverages NSA's vast system of distributed passive sensors to detect target traffic and tip a centralized command/control node. This node assesses the tip and injects a response towards the target using active TAO assets.

(TS//SI//REL) Extremely powerful CNE/CND/CNA network effects are enabled by integrating our passive and active systems:
- Resetting connections
- Redirecting targets for exploitation
- Taking control of IRC bots
- Corrupting file uploads/downloads
- More

(TS//SI//REL) The success rate of these effects is largely determined by the latency from tip-to-target. QFIRE is a consolidated QUANTUMTHEORY platform under development that reduces latencies by co-locating (1) existing passive sensors with (2) local decision resolution and (3) the ability to locally inject traffic to achieve the desired network effect.

Topics

- Layered Defense Model
- NSA TURBULENCE Architecture
  - TURMOIL: passive SIGINT sensors
  - TURBINE: active SIGINT command/control
- QUANTUMTHEORY: Integrating passive/active systems for CNE/CND/CNA
- QFIRE: Consolidated low-latency QUANTUMTHEORY capability under development for forward-based defense

Forward-based Defense: NSA TURBULENCE Architecture

Distributed Sensors: Passive

[Diagram: passive accesses feeding the TURMOIL and TUTELAGE sensor systems.]

(S//SI//REL) High-speed passive collection systems intercept foreign target satellite, microwave, and cable communications as they transit the globe.

TURBINE: Active Mission Management

[Diagram: accesses (TURMOIL, TUTELAGE) and TAO implants under TURBINE command/control.]

(TS//SI//REL) TURBINE provides centralized automated command/control of a large network of active implants.

QUANTUMTHEORY

(TS//SI//REL) Extremely powerful CNE/CND/CNA network effects are enabled by integrating our passive and active systems:
- Resetting connections (QUANTUMSKY)
- Redirecting targets for exploitation (QUANTUMINSERT)
- Taking control of IRC bots (QUANTUMBOT)
- Corrupting file uploads/downloads (QUANTUMCOPPER)

(TS//SI//REL) QUANTUMTHEORY dynamically injects packets into a target's network session to achieve CNE/CND/CNA network effects.
- Detect: TURMOIL passive sensors detect target traffic and tip TURBINE command/control.
- Decide: TURBINE mission logic constructs the response and forwards it to a TAO node.
- Inject: the TAO node injects the response onto the Internet towards the target.

(TS//SI//REL) The propagation delay from tip-to-target determines the success rate of the network effect. Less Latency = More Success!

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

QFIRE: Consolidate for Latency

[Diagram: QUANTUMTHEORY path: site -> NSAW-TURBINE -> target, crossing Atlantic/Pacific links; QFIRE path: site -> target.]

(TS//SI//REL) QFIRE collocates at site: sensor, decision logic, and local/regional injection capability to achieve low latency.
- Use existing SIGINT sensors for alerting
- Local decision resolution (local TURBINE)
- Local/regional injection capability

(TS//SI//REL) A low latency capability substantially increases the variety of achievable CNE/CND/CNA network effects and improves their overall effectiveness.


QFIRE/Forward-Based Defense:
- Conduct time trials and evaluate operational effectiveness
- Develop/deploy QFIRE for high-speed SSO cable site(s)
- Dependencies:
  - Grow regional shooter infrastructure (more Points-of-Presence)
  - Develop local/regional insertion capability at SSO cable accesses
  - Enhance cloud analytics and QUANTUM missions
- Botnet mitigation pilot effort

QFIRE Components

[Diagram: two Internet options. Option A: SCS site with RMS inject, cooperative RF Rx/RF Tx, and SCS site SCIF. Option B: TURBINE issues injectCommand to a regional inject node or to a local inject node (RelayNode injectCommand RPC). Access side: non-cooperative wireless access point (WAP) and NAT GW serving wireless and wired clients, reaching the Internet via option A or B.]

Regional Inject node is on the Internet. Local Inject node is collocated with RelayNode in Diode.
QFIRE @ SCS: Physical/Virtual Network Architecture

[Diagram: Top Secret SCS network and unclassified TAO covert network hosted on a VMware ESX server (BladeCenter HS2 blade): VM1 TURMOIL, VM2 TURBINE-WL, VM3 TURBINE-DB, VM4 SH-High Proxy (JMS to RPC), connected through vSwitches; Low VLAN + VPN and High side separated by ACLs, a network interface with one-way ACL, and an Audit/Logger.]


HTTP Web Client/Server

- Client initiates request, then server replies
- TCP socket:
  - Client: TCP SYN
  - Server: TCP SYN/ACK
- HTTP 1.1 Persistent Connection:
  - Client: HTTP GET1
  - Server: HTTP Response1
  - Client: HTTP GET2
  - Server: HTTP Response2

QUANTUMINSERT: racing the server

- Wait for client to initiate a new connection
- Observe server-to-client TCP SYN/ACK
- Shoot! (HTTP Payload)
- Hope to beat the server-to-client HTTP Response
- The Challenge:
  - Can only win the race on some links/targets
  - For many links/targets: too slow to win the race!


QUANTUMINSERT: racing the server

[Diagram: timeline of client TCP SYN, server TCP SYN/ACK, client HTTP GET and server HTTP RESPONSE. The shot (HTTP payload) is fired on the server-to-client TCP SYN/ACK; it wins if it reaches the client before the server's HTTP RESPONSE and loses otherwise.]
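The race above leaves a defender-visible trace: the forged response and the genuine server response carry the same TCP sequence number but different bytes. The following detector (an added example, not from the slide deck) scans constructed sample segments for one flow and flags overlapping segments whose payloads disagree, while ignoring benign retransmissions:

```python
"""Detector for TCP injection of the kind the race slide describes.
Added example with constructed sample traffic, not code from the deck."""
from collections import defaultdict

# Constructed sample: one HTTP flow as a passive sensor would see it.
# Tuples are (src, sport, dst, dport, seq, payload).
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 40001, "203.0.113.10", 80, 1000,
     b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    # forged "shot": arrives first, same sequence number as the real reply
    ("203.0.113.10", 80, "10.0.0.5", 40001, 5000,
     b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    # genuine server response, same sequence number, different bytes
    ("203.0.113.10", 80, "10.0.0.5", 40001, 5000,
     b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    # benign retransmission of the genuine response: identical, no alert
    ("203.0.113.10", 80, "10.0.0.5", 40001, 5000,
     b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]

def overlaps_differ(a_seq, a_data, b_seq, b_data):
    """True if two segments overlap in sequence space and the
    overlapping bytes differ (a retransmission overlaps but agrees)."""
    start = max(a_seq, b_seq)
    end = min(a_seq + len(a_data), b_seq + len(b_data))
    if end <= start:
        return False  # disjoint ranges, nothing to compare
    return a_data[start - a_seq:end - a_seq] != b_data[start - b_seq:end - b_seq]

def find_injection_candidates(segments):
    """Return (flow, seq_a, seq_b) for every pair of segments in one
    direction of a flow that overlap yet carry conflicting content."""
    by_flow = defaultdict(list)
    for src, sport, dst, dport, seq, data in segments:
        if data:  # pure ACKs carry no bytes to conflict over
            by_flow[(src, sport, dst, dport)].append((seq, data))
    alerts = []
    for flow, segs in by_flow.items():
        for i in range(len(segs)):
            for j in range(i + 1, len(segs)):
                if overlaps_differ(*segs[i], *segs[j]):
                    alerts.append((flow, segs[i][0], segs[j][0]))
    return alerts

if __name__ == "__main__":
    for flow, s1, s2 in find_injection_candidates(SAMPLE_SEGMENTS):
        print(f"conflicting overlapping segments on {flow}: seq {s1} vs {s2}")
```

On the sample flow the forged reply conflicts with both the genuine response and its retransmission, so two alerts fire, while the identical retransmission pair is silent.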


QUANTUMTHEORY

Node   | Function                                          | Minimum latency to reach next node (ms) | Total latency (ms)
SAS    | Site Access System: Front end & Layer 0/1         | ?                                       | ?
       | TUMULT: Demux & Layer 2                           | ?                                       | ?
Sensor | TURMOIL: Layer 3+ Passive Sensor/Event Detection  | 10                                      | 10
nx     | ISLANDTRANSPORT: Enterprise Message Service       | 120                                     | 130
C&C    | TURBINE: Command/Control Decision Logic           | 20                                      | 150
Diode  | SURPLUSHANGAR: High-to-Low Diode                  | 20                                      | 170
CovNet | TAO Covert Network (MIDDLEMAN)                    | 70                                      | 240
Inject | TAO injection implant                             | 75                                      | 315
Target | Destination for CNE/CND/CNA network effect        | -                                       | 686

Timing Measurements, QUANTUMTHEORY Workshop, October 2010
