Mapping the Internet and Intranets
Bill...
Motivations
• Intranets are out of control
– always have been
• Highlands “day after” scenario
• Panix DoS attacks
– a way to trace anonymous packets back!
• Internet tomography
• Curiosity about size and growth of the Internet
• Same tools are useful for understanding any large network, including intranets
Related Work
• See Martin Dodge’s cyber geography page
• MIDS - John Quarterman
• CAIDA - kc claffy
• Mercator
• “Measuring ISP topologies with Rocketfuel” (2002)
– Spring, Mahajan, Wetherall
• Enter “internet map” in your search engine
The Goals
• Long-term, reliable collection of Internet and Lucent connectivity information
– without annoying too many people
• Attempt some simple visualizations of the data
– movie of Internet growth!
• Develop tools to probe intranets
• Probe the distant corners of the Internet
Methods - data collection
• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of the Internet, monthly full scan
• One line of text per network scanned
– Unix tools
Methods - network scanning
• Obtain master network list
– network lists from Merit, RIPE, APNIC, etc.
– BGP data or routing data from customers
– hand-assembled list of Yugoslavia/Bosnia
• Run a traceroute-style scan towards each network
• Stop on error, completion, or no data
– Keep the natives happy
TTL probes
• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, or TCP to ports 80, 25, 139, etc.
• Some people block UDP, others ICMP
[Diagram: a client (application, TCP/UDP, IP and hardware layers) connected through a chain of routers (IP and hardware layers each) to a server, with the hops numbered; the same picture is reused by the next four slides]
Send a packet with a TTL of 1…
…and we get the death notice (the ICMP Time Exceeded message) from the first hop
Send a packet with a TTL of 2…
… and so on …
Advantages
• We don’t need access (e.g. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types
Limitations
• Outgoing paths only
• Layer 3 (IP) only
– ATM networks appear as a single node
– This distorts graphical analysis
• Not all routers respond
• Many routers are rate-limited to one ICMP response per second
• View is from the scanning host only
• Takes a while to collect alternating paths
• Gentle mapping means missed endpoints
• Imputes non-existent links
The data can go either way
[Diagram: six nodes A, B, C, D, E, F; the same picture is repeated on each of the following slides]
But our test packets only go part of the way
We record the hop…
The next probe happens to go the other way
…and we record the other hop…
We’ve imputed a link that doesn’t exist
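The TTL-probing loop of the “Methods” and “TTL probes” slides, and the link imputation the last seven slides illustrate, as one added example. This is not code from the talk or from Lumeta: the topology, the per-packet load balancing at router A, the filtering policy at D and the destination names (“target”, “dark”, “quiet”) are constructed for the demonstration, and the probes are simulated in-process rather than sent on the wire.

```python
"""Traceroute-style TTL probing over a constructed network, showing the stop
rules (stop on error, completion or no data) and how per-packet load balancing
makes a naive hop-to-hop link inference impute a link that does not exist.

Added example for this transcript, not code from the talk or from Lumeta.
The topology, forwarding policy and destination names are made up and the
probes are simulated; nothing is sent on the wire.
"""
import itertools

# Constructed topology: router -> (next hops, probe types it will not answer).
# Two next hops mean per-packet round-robin, i.e. the alternating paths of the
# slides. "dst" means deliver to the destination host.
TOPOLOGY = {
    "A": (["C", "B"], set()),      # first hop; alternates C / B per packet
    "B": (["D"], set()),
    "C": (["E"], set()),
    "D": (["F"], {"udp"}),         # a site that drops expired UDP probes
    "E": (["F"], set()),
    "F": (["dst"], set()),
}
TRUE_LINKS = {("A", "B"), ("A", "C"), ("B", "D"), ("C", "E"), ("D", "F"), ("E", "F")}
BLACKHOLED = {"dark"}     # F has no route: ICMP Destination Unreachable
ICMP_DEAF = {"quiet"}     # host that drops ICMP echo but answers UDP/TCP


def build_net():
    """Fresh copy of the topology with per-router round-robin state."""
    return {r: {"cycle": itertools.cycle(nh), "drops": drops}
            for r, (nh, drops) in TOPOLOGY.items()}


def probe(net, target, ttl, proto):
    """One probe with the given TTL toward target. Returns (responder, status)
    with status time_exceeded, reached, unreachable or no_response."""
    node = "A"
    for hop in itertools.count(1):
        if hop == ttl:                         # TTL reaches zero at this router
            if proto in net[node]["drops"]:
                return None, "no_response"
            return node, "time_exceeded"       # ICMP Time Exceeded from node
        nxt = next(net[node]["cycle"])         # per-packet forwarding decision
        if nxt == "dst":
            if target in BLACKHOLED:
                return node, "unreachable"     # ICMP Destination Unreachable
            if proto == "icmp" and target in ICMP_DEAF:
                return None, "no_response"
            return target, "reached"           # echo reply / port unreachable / SYN-ACK
        node = nxt


def trace(net, target, proto, max_ttl=30, max_silent=3):
    """Increasing-TTL scan with the talk's stop rules: stop on error, on
    completion, or after max_silent consecutive probes with no data."""
    hops, silent = [], 0
    for ttl in range(1, max_ttl + 1):
        who, status = probe(net, target, ttl, proto)
        hops.append((ttl, who, status))
        if status in ("reached", "unreachable"):
            break
        silent = silent + 1 if status == "no_response" else 0
        if silent >= max_silent:
            break
    return hops


def infer_links(hops):
    """Naive inference: consecutive responding routers are assumed adjacent.
    Silent hops are skipped, which bridges straight across them."""
    routers = [who for _, who, status in hops if status == "time_exceeded"]
    return set(zip(routers, routers[1:]))


def phantom_links(links):
    """Inferred links that the real topology does not have."""
    return links - TRUE_LINKS


if __name__ == "__main__":
    for target, proto in (("target", "icmp"), ("target", "udp"),
                          ("dark", "icmp"), ("quiet", "icmp")):
        hops = trace(build_net(), target, proto)
        print(proto, target, hops, "phantom:", phantom_links(infer_links(hops)))
```

Each TTL is a separate packet, so A may send the TTL-2 probe one way and the TTL-3 probe the other; stitching the responders together yields the C–D link that does not exist, and a hop that stays silent (D dropping UDP) produces a second phantom, C–F. Paris traceroute (Augustin et al., 2006) avoids the first problem by keeping the probe's flow identifier constant across TTLs so load balancers pick the same path.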
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• Military noticed immediately
– Steve Northcutt
– arrangements/warnings to DISA and CERT
• These complaints are mostly a thing of the past
– Internet background radiation predominates
Visualization goals
• make a map
– show interesting features
– debug our database and collection methods
– hard to fold up
• geography doesn’t matter
• use colors to show further meaning
Infovis state-of-the-art in 1998
• 800 nodes was a huge graph
• We had 100,000 nodes
• Use spring-force simulation with lots of empirical tweaks
• Each layout needed 20 hours of Pentium time
Visualization of the layout algorithm: laying out the Internet graph
Visualization of the layout algorithm: laying out an intranet
A simplified map
• Minimum distance spanning tree uses 80% of the data
• Much easier visualization
• Most of the links still valid
• Redundancy is in the middle
Colored by AS number
Map Coloring
• distance from test host
• IP address– shows communities
• Geographical (by TLD)
• ISPs
• future: timing, firewalls, LSRR blocks
Colored by IP address!
Colored by geography
Colored by ISP
Colored by distance from scanning host
US military networks reached by ICMP ping
US military networks reached by UDP
History of the Project
• Started in August 1998 at Bell Labs
• April-June 1999: Yugoslavia mapping
• July 2000: first customer intranet scanned
• Sept. 2000: spun off Lumeta from Lucent/Bell Labs
Yugoslavia
An unclassified peek at a new battlefield
A film by Steve “Hollywood” Branigan...
The end
Intranets: the rest of the Internet
The Pretty Good Wall of China
This was supposed to be a VPN
Anything large enough to be called an “intranet” is out of control
Case studies: corporate networks
Some intranet statistics

                                                   Min           Max
Intranet sizes (devices)                         7,900       365,000
Corporate address space                         81,000   745,000,000
% devices in unknown address space               0.01%        20.86%
% routers responding to "public" (SNMP)          0.14%        75.50%
% routers responding to other communities        0.00%        52.00%
Outbound host leaks on network                       0       176,000
% devices with outbound ICMP leaks                  0%           79%
% devices with outbound UDP leaks                   0%           82%
Inbound UDP host leaks                               0         5,800
% devices with inbound ICMP leaks                   0%           11%
% devices with inbound UDP leaks                    0%           12%
% hosts running Windows                            36%           84%
Leak Detection
Lumeta’s “special sauce”
The second technology: host leak detection
• Developed to find hosts that have access to both intranet and Internet
• Or across any privilege boundary
• Leaking hosts do not route between the networks
• May be a dual-homed host
• Not always a bad thing
• Technology didn’t exist to find these
Possible host leaks
• Misconfigured telecommuters connecting remotely
• VPNs that are broken
• DMZ hosts with too much access
• Business partner networks
• Internet connections by rogue managers
• Modem links to ISPs
Leak results
• Found home web businesses
• At least two clients have tapped leaks
– One made front page news
• From the military: “the republic is a little safer”
Leak Detection Prerequisites
• List of potential leakers: obtained by census
• Access to intranet
• Simultaneous availability of a “mitt” (a listening host on the Internet that catches replies leaking out)
Leak Detection Layout
[Diagram: Internet | intranet; mapping host A and test host B on the intranet, B possibly holding a second address C; mitt D on the Internet. The same picture is reused on the following slides]
• Mapping host with address A is connected to the intranet
• Mitt with address D has Internet access
• Mapping host and mitt are currently the same host, with two interfaces
Leak Detection
• Test host has known address B on the intranet
• It was found via census
• We are testing for unauthorized access to the Internet, possibly through a different address, C
• A sends a packet to B, with a spoofed return address of D
• If B can, it will reply to D, possibly through a different interface
• The packet must be crafted so that its response would not be permitted through the firewall, so a reply arriving at D must have bypassed it
• A variety of packet types and responses are used
• Either the inside or the outside address may be discovered
• The packet is labeled so we know where it came from
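The outbound probe the last three slides describe, as an added example. This is not Lumeta's code and the talk does not give its packet format: the label layout (probed address, sequence number, keyed MAC), the shared key and every address below are constructed for the demonstration. The packet is built by hand so the prober side and the mitt side can be exercised offline; send_probe() is the only part that touches the network (raw socket, needs root) and is called only when run as a script.

```python
"""Outbound host-leak probe: mapping host A sends to intranet host B with the
source address spoofed to the mitt D; if B has a second path to the Internet,
its reply turns up at D, from whatever outside address B uses (C).

Added example for this transcript, not Lumeta's code. Label format, key and
addresses are constructed; only send_probe() touches a real socket.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"          # shared by prober and mitt (assumption)
ICMP_ECHO, ICMP_ECHO_REPLY = 8, 0


def checksum(data):
    """RFC 1071 ones-complement sum; returns 0 for a correctly summed block."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def make_label(inside_addr, seq):
    """Payload an echo reply carries back unchanged: the intranet address we
    probed, a sequence number, and a keyed MAC so nobody can forge a leak."""
    body = struct.pack("!4sI", socket.inet_aton(inside_addr), seq)
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:8]


def parse_label(payload):
    if len(payload) < 16:
        return None
    body, tag = payload[:8], payload[8:16]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()[:8]):
        return None
    addr, seq = struct.unpack("!4sI", body)
    return socket.inet_ntoa(addr), seq


def build_probe(mitt_addr, inside_dst, seq, ident=0x4C4D):
    """IPv4 + ICMP echo request whose source address is D, not A."""
    payload = make_label(inside_dst, seq)
    icmp = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq & 0xFFFF) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64,
                     socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(mitt_addr), socket.inet_aton(inside_dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def mitt_inspect(packet, mitt_addr):
    """Mitt side: for a packet that arrived at D, check it is an echo reply to
    us with a valid label, then report the inside address we probed (from the
    label) and the outside address it came from (IP source, possibly C)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP or checksum(packet[:ihl]) != 0:
        return None
    if socket.inet_ntoa(packet[16:20]) != mitt_addr:
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_ECHO_REPLY or checksum(icmp) != 0:
        return None
    label = parse_label(icmp[8:])
    if label is None:
        return None
    inside, seq = label
    return {"inside": inside, "outside": socket.inet_ntoa(packet[12:16]), "seq": seq}


def simulate_reply(probe, reply_src):
    """Constructed stand-in for B's stack: an echo reply with the same payload,
    emitted from whichever address B's outbound interface uses (C here)."""
    ihl = (probe[0] & 0x0F) * 4
    icmp = bytearray(probe[ihl:])
    icmp[0], icmp[2:4] = ICMP_ECHO_REPLY, b"\0\0"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    ip = bytearray(probe[:ihl])
    ip[12:16], ip[16:20] = socket.inet_aton(reply_src), probe[12:16]
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + bytes(icmp)


def send_probe(packet, inside_dst):
    """Real sender: IP_HDRINCL keeps our spoofed source. Needs root, and the
    intranet owner's authorization."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.sendto(packet, (inside_dst, 0))
    s.close()


if __name__ == "__main__":
    # Constructed addresses: D and C in TEST-NET ranges, B in RFC 1918 space.
    p = build_probe("203.0.113.9", "10.20.30.40", seq=7)
    print(mitt_inspect(simulate_reply(p, "198.51.100.77"), "203.0.113.9"))
```

The probe type is chosen per site: an echo reply is only evidence of a leak if the perimeter firewall would not have passed it outbound, which is an assumption about policy the scan must check first. The label is what lets the mitt pair an arriving reply with the inside address B even when the reply's source is a previously unknown outside address C; the MAC keeps a third party from spoofing “leaks” at D.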
Inbound Leak Detection
• This direction is usually more important
• It all depends on the site policy…
• …so many leaks might be just fine.
Honeyd – network emulation
• Anti-hacking tools by Niels Provos at citi.umich.edu
• Can respond as one or more hosts
• I am configuring it to look like an entire client’s network
• Useful for testing and debugging
• Product?
Some Lumeta lessons
• Reporting is the really hard part
– Converting data to information
• “Tell me how we compare to other clients”
• Offering a service was good practice, for a while
• We have >70 Fortune-200 companies and government agencies as clients
Open questions and future work
How do you analyze a large graph over time?
• Five years of Internet data, mostly unanalyzed
• Alternate paths to a target country
• Sample insight: “Poland was off the Internet yesterday”
• Placement of monitoring tools?
• Compute and display the differences between two complex graphs
Visualizations
• These graphs are too big for a piece of paper
• Various approaches available, but none really satisfactory
• Build visualization graph as the data comes in, and as the network evolves