Mapping the Internet and Intranets
Bill Cheswick
http://www.cheswick.com
75 slides
Motivations
• Intranets are out of control
– Always have been
• Highlands “day after” scenario
• Panix DOS attacks
– a way to trace anonymous packets back!
• Internet tomography
• Curiosity about size and growth of the Internet
• Same tools are useful for understanding any large network, including intranets
Related Work
• See Martin Dodge’s cyber geography page
• MIDS - John Quarterman
• CAIDA - kc claffy
• Mercator
• “Measuring ISP topologies with rocketfuel” - 2002
– Spring, Mahajan, Wetherall
• Enter “internet map” in your search engine
The Goals
• Long term reliable collection of Internet and Lucent connectivity information
– without annoying too many people
• Attempt some simple visualizations of the data
– movie of Internet growth!
• Develop tools to probe intranets
• Probe the distant corners of the Internet
Methods - data collection
• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full scan
• One line of text per network scanned
– Unix tools
Methods - network scanning
• Obtain master network list
– network lists from Merit, RIPE, APNIC, etc.
– BGP data or routing data from customers
– hand-assembled list of Yugoslavia/Bosnia
• Run a traceroute-style scan towards each network
• Stop on error, completion, no data
– Keep the natives happy
TTL probes
• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
• Some people block UDP, others ICMP
[Diagram shown on this and the next four slides: a client and a server, each with application level, TCP/UDP, IP and hardware layers, joined by a chain of routers with IP and hardware layers; the links between them are numbered as hops]
Send a packet with a TTL of 1…
…and we get the death notice from the first hop
Send a packet with a TTL of 2…
… and so on …
Advantages
• We don’t need access (i.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types
Limitations
• Outgoing paths only
• Level 3 (IP) only
– ATM networks appear as a single node
– This distorts graphical analysis
• Not all routers respond
• Many routers limited to one response per second
Limitations
• View is from scanning host only
• Takes a while to collect alternating paths
• Gentle mapping means missed endpoints
• Imputes non-existent links
The data can go either way
[Diagram shown on this and the following slides: a small network graph with nodes A, B, C, D, E and F]
But our test packets only go part of the way
We record the hop…
The next probe happens to go the other way
…and we record the other hop…
We’ve imputed a link that doesn’t exist
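The imputed-link effect from the slides above, as an added example that is not part of the original talk. The topology (two equal-length paths A-B-D-F and A-C-E-F) and all function names are assumptions, since the slide diagram's actual edges are not recoverable from this transcript.

```python
"""Added example: per-TTL probing across alternating paths can impute a link."""
from itertools import product

# Constructed topology (assumption): scanning host A reaches target F over two
# equal-length paths, and each probe may be forwarded along either one.
PATHS = {
    "upper": ["A", "B", "D", "F"],
    "lower": ["A", "C", "E", "F"],
}
REAL_LINKS = {
    frozenset(pair) for path in PATHS.values() for pair in zip(path, path[1:])
}


def responder(ttl, path_name):
    """Node that answers a probe sent with this TTL along the named path."""
    path = PATHS[path_name]
    return path[min(ttl, len(path) - 1)]


def trace(choices):
    """Hop list for one scan; choices[i] is the path taken by the TTL i+1 probe."""
    hops = ["A"]
    for ttl, path_name in enumerate(choices, start=1):
        hops.append(responder(ttl, path_name))
        if hops[-1] == "F":  # stop on completion
            break
    return hops


def inferred_links(hops):
    """A traceroute-style mapper joins each pair of consecutive responders."""
    return {frozenset(pair) for pair in zip(hops, hops[1:])}


def imputed_links(choices):
    """Links the mapper records that do not exist in the real topology."""
    return inferred_links(trace(choices)) - REAL_LINKS


def scans_with_imputed_links():
    """Enumerate every per-probe path choice for a three-probe scan."""
    bad = [c for c in product(PATHS, repeat=3) if imputed_links(c)]
    return len(bad), 2 ** 3


if __name__ == "__main__":
    mixed = ("upper", "lower", "upper")
    print(trace(mixed), sorted(map(sorted, imputed_links(mixed))))
    print(trace(("upper",) * 3), imputed_links(("upper",) * 3))
    print("scans with an imputed link: %d of %d" % scans_with_imputed_links())
```

In this constructed case a false link appears whenever the TTL 1 and TTL 2 probes take different paths, so a map built from single scans needs cross-checking against repeated scans before an edge is trusted.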
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• Military noticed immediately
– Steve Northcutt
– arrangements/warnings to DISA and CERT
• These complaints are mostly a thing of the past
– Internet background radiation predominates
Visualization goals
• make a map
– show interesting features
– debug our database and collection methods
– hard to fold up
• geography doesn’t matter
• use colors to show further meaning
Infovis state-of-the-art in 1998
• 800 nodes was a huge graph
• We had 100,000 nodes
• Use spring-force simulation with lots of empirical tweaks
• Each layout needed 20 hours of Pentium time
Visualization of the layout algorithm
Laying out the Internet graph
Visualization of the layout algorithm
Laying out an intranet
A simplified map
• Minimum distance spanning tree uses 80% of the data
• Much easier visualization
• Most of the links still valid
• Redundancy is in the middle
Colored by AS number
Map Coloring
• distance from test host
• IP address
– shows communities
• Geographical (by TLD)
• ISPs
• future
– timing, firewalls, LSRR blocks
Colored by IP address!
Colored by geography
Colored by ISP
Colored by distance from scanning host
US military reached by ICMP ping
US military networks reached by UDP
History of the Project
• Started in August 1998 at Bell Labs
• April-June 1999: Yugoslavia mapping
• July 2000: first customer intranet scanned
• Sept. 2000: spun off Lumeta from Lucent/Bell Labs
Yugoslavia
An unclassified peek at a new battlefield
Intranets: the rest of the Internet
The Pretty Good Wall of China
This was supposed to be a VPN
Anything large enough to be called an “intranet” is out of control
Case studies: corp. networks
Some intranet statistics
| | Min | Max |
|---|---|---|
| Intranet sizes (devices) | 7,900 | 365,000 |
| Corporate address space | 81,000 | 745,000,000 |
| % devices in unknown address space | 0.01% | 20.86% |
| % routers responding to "public" | 0.14% | 75.50% |
| % routers responding to other | 0.00% | 52.00% |
| Outbound host leaks on network | 0 | 176,000 |
| % devices with outbound ICMP leaks | 0% | 79% |
| % devices with outbound UDP leaks | 0% | 82% |
| Inbound UDP host leaks | 0 | 5,800 |
| % devices with inbound ICMP leaks | 0% | 11% |
| % devices with inbound UDP leaks | 0% | 12% |
| % hosts running Windows | 36% | 84% |
Leak Detection
Lumeta’s “special sauce”
Leak Detection
[Diagram: the Internet and an intranet, with hosts labelled Mapping host A, Test host B, mitt D, and C]
• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface
Outbound Leak Detection
[Diagram: the Internet and an intranet, with hosts labelled Mapping host A, Test host B, mitt D, and C]
• Packet must be crafted so the response won’t be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from
Inbound Leak Detection
[Diagram: the Internet and an intranet, with hosts labelled Mapping host A, Test host B, mitt D, and C]
• This direction is usually more important
• It all depends on the site policy…
• …so many leaks might be just fine.
Some Lumeta lessons
• Reporting is the really hard part
– Converting data to information
• “Tell me how we compare to other clients”
• Offering a service was good practice, for a while
• The clients want a device
• We have >70 Fortune-200 companies and government agencies as clients
• Need-to-have vs. want-to-have
Honeyd – network emulation
• Anti-hacking tools by Niels Provos at citi.umich.edu
• Can respond as one or more hosts
• I am configuring it to look like an entire client’s network
• Useful for testing and debugging
• Product?
Open questions and future work
How do you analyze a large graph over time?
• Five years of Internet data, mostly unanalyzed
• Alternate paths to a target country
• Sample insight: “Poland was off the Internet yesterday”
• Placement of monitoring tools?
• Compute and display differences between two complex graphs
Visualizations
• These graphs are too big for a piece of paper
• Various approaches available, but none really satisfactory
• Build visualization graph as the data comes in, and as the network evolves