Attack-Resistant Distributed Time Synchronization for Virtual Private Networks

To securely exchange data over public networks, such as the Internet, organizations often utilize Virtual Private Networks (VPNs). However, relying on these potentially large overlay networks makes them vital targets for Denial-of-Service(DoS) attacks. Thus, recent approaches for VPN auto-configuration address DoS resistance by employing distributed management algorithms. Nevertheless, there is no satisfying solution for time synchronization within VPNs that is designed for resistance against DoS as well as internal attacks. For example, NTP relies on hierarchical structures, and cannot comply with DoS resistance. Thus, in this article we present a novel, fully distributed and fault tolerant time synchronization approach, which is designed to be transparently integrated in VPN gateways. Combining diffusion- based round-trip-synchronization with an internal attacker detection, the proposed mechanism is making a contribution to resilient VPN design. Simulation results reveal a robustness against rather powerful internal attackers.