fun with fcc part 15


Upload: quade

Post on 06-Jan-2016


TRANSCRIPT

Page 1: Fun with FCC part 15

41 slides

Fun with FCC part 15

Home speaker system on 107.3

(and that’s not easy in the NYC/PHL area)

Page 2: Fun with FCC part 15

Emulating large intranets with honeyd

Bill Cheswick

[email protected]

Page 3: Fun with FCC part 15


This talk was going to be boring…

Page 4: Fun with FCC part 15


Another Reason Why I Like the Window Seat

Bill Cheswick

Page 5: Fun with FCC part 15

Mapping the Internet and Intranets

Steve Branigan, Hal Burch, Bill Cheswick

[email protected]

Page 6: Fun with FCC part 15

Mapping the Internet and intranets slide 6 of 41

Page 7: Fun with FCC part 15

How To Take the Internet Down for a week

Bill Cheswick

<startup-name>

[email protected]

[email protected]

Page 8: Fun with FCC part 15


Our digital house

By Kestrel, Terence, Lorette, and Bill Cheswick

Page 9: Fun with FCC part 15

Emulating large intranets with honeyd

Bill Cheswick

[email protected]


Page 12: Fun with FCC part 15


Free at last!

• Nagata

• Varley

• Etc.

Page 13: Fun with FCC part 15

Anything large enough to be called an “intranet” is out of control

Page 14: Fun with FCC part 15


Lumeta

• Spun off from Bell Labs in Sept. 2000

• B round funding last June

• Building a hang glider…

Page 15: Fun with FCC part 15


Inside the Kimono…


Page 26: Fun with FCC part 15


Some intranet statistics from Lumeta clients

Intranet sizes (devices)                    7,900     365,000
Corporate address space                     81,000    745,000,000
Address space usage efficiency
% devices in unknown address space          0.01%     20.86%

% routers responding to "public"            0.14%     75.50%
% routers responding to other               0.00%     52.00%

Outbound host leaks on network              0         176,000
% devices with outbound ICMP leaks          0%        79%
% devices with outbound UDP leaks           0%        82%

Inbound UDP host leaks                      0         5,800
% devices with inbound ICMP leaks           0%        11%
% devices with inbound UDP leaks            0%        12%

% hosts running Windows                     36%       84%

Page 27: Fun with FCC part 15


But how do we debug our software?

• We used to use Lucent’s network back when I was working at Bell Labs

• We have a very light touch on our clients’ networks, and they like it that way

• The Bank of Zork (NASDAQ: BOZO) doesn’t want us practicing on their network

Page 28: Fun with FCC part 15


Simulation vs emulation

• Simulators run packet flows over imaginary networks

• Often run to test routing and queuing algorithms

• Emulator wants to appear to be the network

Page 29: Fun with FCC part 15


What does a chief scientist do?

• Primarily a prima donna

• Certainly not in development
  – Travel too much to keep deadline promises
  – Never was good at all-nighters

• Find a project that would be nice, but nobody is waiting for

• QA was a fine place to look

Page 30: Fun with FCC part 15


Honeyd

• Written by Niels Provos at citi.umich.edu

• Name unrelated to, and vexes, Peter Honeyman, also of citi.umich.edu

• Designed to emulate one or more computers in a single host to lure and confuse hackers

• Responds using nmap and other host fingerprinting databases

• User scripts available to emulate specific web and other network server software

Page 31: Fun with FCC part 15


Honeyd

• Designed to emulate one or more computers in a single host to lure and confuse hackers

• User scripts available to emulate specific web and other network server software
  – Microsoft IIS web server
  – A number of text-based services are emulated in available scripts

Page 32: Fun with FCC part 15


Honeyd

• Host fingerprint identification based on probe databases
  – Nmap
  – xprobe

Page 33: Fun with FCC part 15


My Honeyd project

• Make honeyd configuration scripts that build our clients’ networks from the data we obtain

• Add UDP servers for
  – DNS (name service)
  – SNMP (Simple Network Management Protocol)

Page 34: Fun with FCC part 15


Uses

• Perfect test network for QA
  – Unchanging….diff the pages
  – Build pathological network configurations

• Training

• Sales demos

• Could this be a product?

Page 35: Fun with FCC part 15


My honeyd scripts

• Generates entire network description for honeyd based on our client data

• You want a 50,000 node network based on real data? No problem. 300,000 nodes? OK

• DNS emulates name server lookups

• Routers respond with SNMP data
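A sketch of what such a generator can look like, added here as an illustration and not taken from the talk or from Lumeta's scripts. It turns traceroute-style paths into honeyd `route` and `bind` directives; the sample paths, the `router` template name, and the choice to use the RTT difference between consecutive hops as the link latency are all assumptions.

```python
import ipaddress

# Constructed sample: (destination subnet, [(router hop, RTT in ms), ...]).
PATHS = [
    ("10.1.0.0/16", [("10.0.0.1", 1.0), ("10.1.0.1", 12.0)]),
    ("10.2.0.0/16", [("10.0.0.1", 1.0), ("10.2.0.1", 6.0)]),
    ("10.2.9.0/24", [("10.0.0.1", 1.0), ("10.2.0.1", 6.0), ("10.2.9.1", 31.0)]),
]

def build_config(paths):
    """Return honeyd config lines describing the routed topology in `paths`."""
    entry = paths[0][1][0][0]          # first hop of the first path
    routes = {}                        # router -> [(network, gateway, latency_ms)]
    links = {}                         # last-hop router -> attached subnets
    routers = []                       # routers in first-seen order
    # Shortest prefixes first, so covering routes exist before specifics.
    by_prefix = sorted(paths, key=lambda p: ipaddress.ip_network(p[0]).prefixlen)
    for subnet, hops in by_prefix:
        net = ipaddress.ip_network(subnet)
        for (rtr, rtt), (nxt, nxt_rtt) in zip(hops, hops[1:]):
            known = routes.setdefault(rtr, [])
            # Skip a route already covered by a wider one via the same gateway.
            if any(gw == nxt and net.subnet_of(n) for n, gw, _ in known):
                continue
            # Assumption: per-link latency is the RTT delta between hops.
            known.append((net, nxt, max(0, round(nxt_rtt - rtt))))
        for rtr, _ in hops:
            if rtr not in routers:
                routers.append(rtr)
        links.setdefault(hops[-1][0], []).append(net)

    out = [f"route entry {entry}"]
    for rtr in routers:
        for net, gw, ms in routes.get(rtr, []):
            out.append(f"route {rtr} add net {net} {gw} latency {ms}ms")
        for net in links.get(rtr, []):
            out.append(f"route {rtr} link {net}")
    # One shared template for every router; "router" is a hypothetical name.
    out += ["create router", "set router default tcp action reset"]
    out += [f"bind {rtr} router" for rtr in routers]
    return out

if __name__ == "__main__":
    print("\n".join(build_config(PATHS)))
```

Because the output is a deterministic function of the collected paths, two runs over the same client data can be diffed directly.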

Page 36: Fun with FCC part 15


How good is the emulation?

• Handles pings and traceroutes with no problem

• Handles “stealth hosts”, routers that don’t issue TTL exceeded messages

• Even does a fair job of simulating latencies

• Emulator for SNMP and DNS queries

• This is good enough for us: we don’t collect other data at present

• Real networks change as you test them.

Page 37: Fun with FCC part 15

Real

Page 38: Fun with FCC part 15

Simulated

Page 39: Fun with FCC part 15


Certainly not perfect

• There isn’t nearly as much state in our network emulation as there is in a real network

• CPU time becomes an issue, and the emulator is not efficient at the moment
  – Moore’s law is a big help here

• Host fingerprinting could make the network much more convincing
  – We are working on it
  – Could just fake it

Page 40: Fun with FCC part 15


Future work

• Many incremental improvements to network simulations

• Honeyd performance improvements

• Might release a large cleansed network configuration for research purposes

Page 41: Fun with FCC part 15

Emulating large intranets with honeyd

Bill Cheswick

[email protected]