Title: QFIRE pilot report

Release Date: 2013-12-29

Document Date: 2011-06-03

Description: This NSA presentation from 3 June 2011 describes QFIRE, “a consolidated QUANTUMTHEORY platform”, that links the NSA’s enormous passive monitoring operation (TURMOIL) with the active hacking of systems undertaken by the agency’s Tailored Access Operations division (TURBINE): see the Der Spiegel article, Inside TAO: Documents Reveal Top NSA Hacking Unit, 29 December 2013.

Document: image-584092-galleryV9-icxm.jpg:
Getting Close to the

Forward-based Defense with QFIRE

June 3, 2011

QFIRE Pilot Lead
NSA/Technology Directorate

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20360401

image-584093-galleryV9-ccbo.jpg:
Abstract

(TS//SI//REL) The goal of forward-based defense is to detect and mitigate malicious
threats in real-time, as close to the source as possible. It is part of a layered defense
strategy with four concentric zones: endpoint-, perimeter-, aggregation-, and forward-
based defenses. The QUANTUMTHEORY mission leverages NSA's vast system of
distributed passive sensors to detect target traffic and tip a centralized
command/control node. This node assesses the tip and injects a response towards the
target using active TAO assets.

(TS//SI//REL) Extremely powerful CNE/CND/CNA network effects are enabled by
integrating our passive and active systems:
- resetting connections
- redirecting targets for exploitation
- taking control of IRC bots
- corrupting file uploads/downloads
- More...

(TS//SI//REL) The success rate of these effects is largely determined by the latency
from tip-to-target. QFIRE is a consolidated QUANTUMTHEORY platform under
development that reduces latencies by co-locating (1) existing passive sensors with (2)
local decision resolution, and (3) the ability to locally inject traffic to achieve the
desired network effect.

image-584094-galleryV9-juar.jpg:
Topics

- Layered Defense Model
- NSA TURBULENCE Architecture
  - TURMOIL passive SIGINT sensors
  - TURBINE active SIGINT command/control
  - QUANTUMTHEORY
- Integrating passive/active systems for CNE/CND/CNA
- QFIRE
  - Consolidated low-latency QUANTUMTHEORY capability under development for forward-based defense

image-584095-galleryV9-lblc.jpg:
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Forward-based Defense
NSA TURBULENCE Architecture

image-584096-galleryV9-pmmx.jpg:
Distributed Sensors: Passive

Accesses
- TURMOIL
- TUTELAGE

systems intercept foreign target satellite, microwave,
and cable communications as they transit the globe.

image-584097-galleryV9-ipfr.jpg:
TURBINE: Active Mission Management

(TS//SI//REL) TURBINE provides centralized automated command/control
of a large network of active implants

Accesses
- TURMOIL
- TUTELAGE
- Implants (TAO)

image-584098-galleryV9-jsgn.jpg:
QUANTUMTHEORY

(TS//SI//REL) Extremely powerful CNE/CND/CNA network
effects are enabled by integrating our passive and active systems:
- Resetting connections (QUANTUMSKY)
- Redirecting targets for exploitation (QUANTUMINSERT)
- Taking control of IRC bots (QUANTUMBOT)
- Corrupting file uploads/downloads (QUANTUMCOPPER)

(TS//SI//REL) QUANTUMTHEORY dynamically injects packets into a
target's network session to achieve CNE/CND/CNA network effects.
- Detect: TURMOIL passive sensors detect target traffic & tip TURBINE command/control.
- Decide: TURBINE mission logic constructs response & forwards to TAO node.
- Inject: TAO node injects response onto Internet towards target.

(TS//SI//REL) The propagation delay from tip-to-target determines the
success rate of the network effect. Less Latency = More Success!

image-584099-galleryV9-xqko.jpg:
QFIRE: Consolidate for

- Trans-Atlantic/Pacific latency
  - QUANTUMTHEORY Path: site -> NSAW-TURBINE -> target

(TS//SI//REL) QFIRE collocates at site: sensor, decision logic, and
local/regional injection capability to achieve low latency.
- Use existing SIGINT sensors for alerting
- Local decision resolution (local TURBINE)
- Local/regional injection capability
- QFIRE Path: site -> target

(TS//SI//REL) A low latency capability substantially increases the
variety of achievable CNE/CND/CNA network effects and improves
their overall effectiveness.

image-584100-galleryV9-uvlt.jpg:
QFIRE/Forward-Based Defense:
encies

- Conduct time trials & evaluate operational effectiveness
- Develop/deploy QFIRE for high-speed SSO cable site(s)

Dependencies
- Grow regional shooter infrastructure (more Points-of-Presence)
- Develop local/regional insertion capability at SSO cable accesses
- Enhance cloud analytics and QUANTUM missions
- Botnet mitigation pilot effort

image-584101-galleryV9-svrs.jpg:
QFIRE Components

image-584102-galleryV9-ylox.jpg:
QFIRE @ SCS:
Physical/Virtual Network Architecture

image-584103-galleryV9-jhol.jpg:
image-584104-galleryV9-rzyg.jpg:
HTTP Web Client/Server

- Client initiates request, then server replies
- TCP socket:
  - Client: TCP SYN
  - Server: TCP SYN/ACK
- HTTP 1.1 Persistent Connection
  - Client: HTTP GET 1
  - Server: HTTP Response 1
  - Client: HTTP GET 2
  - Server: HTTP Response 2

image-584105-galleryV9-uocp.jpg:
QUANTUMINSERT: racing the server

- Wait for client to initiate new connection
- Observe server-to-client TCP SYN/ACK
- Shoot! (HTTP Payload)
- Hope to beat server-to-client HTTP Response
- The Challenge:
  - Can only win the race on some links/targets
  - For many links/targets: too slow to win the race!

image-584106-galleryV9-zynb.jpg:
QUANTUMINSERT: racing

[Sequence diagram: client, server, QI. Client sends TCP SYN; server answers TCP SYN/ACK; QI shoots an HTTP payload on seeing the server-to-client TCP SYN/ACK; client sends HTTP GET; server sends HTTP RESPONSE. QI wins if its payload reaches the client before the server's HTTP RESPONSE, loses otherwise.]

image-584107-galleryV9-wrgn.jpg:
QUANTUMTHEORY

[Table: Node | Function | Minimum Latency to Reach Next Node (ms) | Total Latency (ms); row values not recovered]

Timing Measurements, QUANTUMTHEORY Workshop, October 2010
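A detection-side check for the race the QUANTUMINSERT slides above describe, added here as an example (it is not part of the NSA document or of any project's code): a forged server-to-client segment that wins the race is still followed by the genuine segment for the same sequence numbers, so a passive sensor at the client's network edge can flag segments that overlap in sequence space but disagree in content. Addresses, ports, timestamps and HTTP payloads below are constructed.

```python
"""Defensive check for QUANTUMINSERT-style injection races in a TCP stream.

A forged server-to-client segment that wins the race is later followed by the
genuine segment for the same sequence numbers; overlapping segments whose bytes
disagree are an inconsistent retransmission that a correct sender never produces.
Sample segments below are constructed for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str        # sender "ip:port"
    dst: str        # receiver "ip:port"
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes
    ts: float       # capture timestamp in seconds

def find_inconsistent_retransmissions(segments):
    """Return (earlier, later) pairs whose payloads disagree on overlapping bytes."""
    by_flow = {}
    for seg in sorted(segments, key=lambda s: s.ts):
        by_flow.setdefault((seg.src, seg.dst), []).append(seg)
    alerts = []
    for flow in by_flow.values():
        for i, later in enumerate(flow):
            for earlier in flow[:i]:
                lo = max(earlier.seq, later.seq)
                hi = min(earlier.seq + len(earlier.payload), later.seq + len(later.payload))
                if lo >= hi:
                    continue  # no overlap in sequence space
                if (earlier.payload[lo - earlier.seq:hi - earlier.seq]
                        != later.payload[lo - later.seq:hi - later.seq]):
                    alerts.append((earlier, later))
    return alerts

# Constructed sample flow: client 192.0.2.7:51000 <-> server 203.0.113.10:80.
CLIENT, SERVER = "192.0.2.7:51000", "203.0.113.10:80"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
SAMPLE = [
    Segment(CLIENT, SERVER, 1000, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", 0.000),
    # forged reply beats the server to the client: same seq as GENUINE, different bytes
    Segment(SERVER, CLIENT, 5001, b"HTTP/1.1 302 Found\r\nLocation: http://x.test/\r\n\r\n", 0.031),
    Segment(SERVER, CLIENT, 5001, GENUINE, 0.087),  # genuine reply arrives late
    Segment(SERVER, CLIENT, 5001 + len(GENUINE), b"<body>ok</body></html>", 0.120),
    Segment(SERVER, CLIENT, 5001 + len(GENUINE), b"<body>ok</body></html>", 0.300),  # real retransmit
]

if __name__ == "__main__":
    for earlier, later in find_inconsistent_retransmissions(SAMPLE):
        print(f"ALERT {earlier.src}->{earlier.dst} seq={earlier.seq}: {earlier.payload[:18]!r} at {earlier.ts}s vs {later.payload[:18]!r} at {later.ts}s")
```

The legitimate retransmission at the end of the sample carries identical bytes and produces no alert; only the forged 302 against the genuine 200 is reported.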
