
Page 1: Mapping the Internet and Intranets

1 of 75Mapping the Internet and Intranets

Page 2: Mapping the Internet and Intranets


Mapping the Internet and Intranets

Bill Cheswick

[email protected]

http://www.cheswick.com

Page 3: Mapping the Internet and Intranets


Motivations

• Intranets are out of control
  – Always have been
• Highlands “day after” scenario
• Panix DOS attacks
  – a way to trace anonymous packets back!
• Internet tomography
• Curiosity about size and growth of the Internet
• Same tools are useful for understanding any large network, including intranets

Page 5: Mapping the Internet and Intranets


The Goals

• Long term reliable collection of Internet and Lucent connectivity information
  – without annoying too many people
• Attempt some simple visualizations of the data
  – movie of Internet growth!
• Develop tools to probe intranets
• Probe the distant corners of the Internet

Page 6: Mapping the Internet and Intranets


Methods - data collection

• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full scan
• One line of text per network scanned
  – Unix tools

Page 7: Mapping the Internet and Intranets


Methods - network scanning

• Obtain master network list
  – network lists from Merit, RIPE, APNIC, etc.
  – BGP data or routing data from customers
  – hand-assembled list of Yugoslavia/Bosnia
• Run a traceroute-style scan towards each network
• Stop on error, completion, no data
  – Keep the natives happy

Page 8: Mapping the Internet and Intranets


TTL probes

• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
• Some people block UDP, others ICMP

Page 9: Mapping the Internet and Intranets


TTL probes

[Figure: protocol-stack diagram. A client (application level, TCP/UDP, IP, hardware) is connected through five routers (IP and hardware layers only) to a server (application level, TCP/UDP, IP, hardware); the router links are labelled Hop 1 through Hop 4.]

Page 10: Mapping the Internet and Intranets


Send a packet with a TTL of 1…

[Figure: the same client, routers and server stack diagram, Hop 1 through Hop 4.]

Page 11: Mapping the Internet and Intranets


…and we get the death notice from the first hop

[Figure: the same client, routers and server stack diagram, Hop 1 through Hop 4.]

Page 12: Mapping the Internet and Intranets


Send a packet with a TTL of 2…

[Figure: the same client, routers and server stack diagram, Hop 1 through Hop 4.]

Page 13: Mapping the Internet and Intranets


… and so on …

[Figure: the same client, routers and server stack diagram, Hop 1 through Hop 4.]

Page 14: Mapping the Internet and Intranets


Advantages

• We don’t need access (i.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types

Page 15: Mapping the Internet and Intranets


Limitations

• Outgoing paths only
• Level 3 (IP) only
  – ATM networks appear as a single node
  – This distorts graphical analysis
• Not all routers respond
• Many routers limited to one response per second

Page 16: Mapping the Internet and Intranets


Limitations

• View is from scanning host only
• Takes a while to collect alternating paths
• Gentle mapping means missed endpoints
• Imputes non-existent links

Page 17: Mapping the Internet and Intranets


The data can go either way

[Figure: small graph with nodes A, B, C, D, E and F.]

Page 18: Mapping the Internet and Intranets


The data can go either way

[Figure: the same graph with nodes A to F.]

Page 19: Mapping the Internet and Intranets


But our test packets only go part of the way

[Figure: the same graph with nodes A to F.]

Page 20: Mapping the Internet and Intranets


We record the hop…

[Figure: the same graph with nodes A to F.]

Page 21: Mapping the Internet and Intranets


The next probe happens to go the other way

[Figure: the same graph with nodes A to F.]

Page 22: Mapping the Internet and Intranets


…and we record the other hop…

[Figure: the same graph with nodes A to F.]

Page 23: Mapping the Internet and Intranets


We’ve imputed a link that doesn’t exist

[Figure: the same graph with nodes A to F.]
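The TTL-probe scan of Pages 8 to 13 and the imputed-link problem of Pages 17 to 23, as an added simulation that is not Cheswick's or Lumeta's code: the topology, the round-robin forwarding that stands in for load balancing, and the node names S, R1 to R4 and T are all constructed here.

```python
# Added example, not Cheswick's or Lumeta's code: a stand-alone model of the
# traceroute-style TTL scan from the slides, run over a constructed topology
# with two equal-cost paths, to show how the scan imputes a link that does
# not exist when successive probes happen to take different routes.

# Constructed topology: scanner S reaches target T by two parallel paths,
#   S -> R1 -> R2 -> T   and   S -> R3 -> R4 -> T
# A node with several next hops alternates between them per packet, a crude
# stand-in for per-packet load balancing.
LINKS = {"S": ["R1", "R3"], "R1": ["R2"], "R2": ["T"],
         "R3": ["R4"], "R4": ["T"], "T": []}


class Network:
    def __init__(self, links, silent=()):
        self.links = links
        self.silent = set(silent)         # routers that never answer
        self.rr = {n: 0 for n in links}   # per-node round-robin counter

    def forward(self, src, dst, ttl):
        """Walk one probe through the network. Each hop decrements TTL; the
        hop where it reaches zero sends the 'death notice' (ICMP time
        exceeded). Returns (answering hop or None, status)."""
        node = src
        for _ in range(ttl):
            choices = self.links[node]
            if not choices:
                return node, "unreachable"          # error: stop the scan
            cur, node = node, choices[self.rr[node] % len(choices)]
            self.rr[cur] += 1
            if node == dst:
                return node, "complete"             # target itself answered
        return (None, "no data") if node in self.silent else (node, "expired")


def scan(net, src, dst, max_ttl=30, max_silent=3):
    """One scan toward dst: increasing TTL, one hop recorded per probe,
    stopping on completion, error, or max_silent unanswered probes."""
    path, silent_run = [src], 0
    for ttl in range(1, max_ttl + 1):
        hop, status = net.forward(src, dst, ttl)
        path.append(hop or "*")
        silent_run = silent_run + 1 if hop is None else 0
        if status in ("complete", "unreachable") or silent_run >= max_silent:
            break
    return path


def imputed_links(path, links):
    """Links the recorded path implies but the real topology lacks."""
    real = {frozenset((a, b)) for a, nxt in links.items() for b in nxt}
    return [tuple(sorted((a, b))) for a, b in zip(path, path[1:])
            if "*" not in (a, b) and frozenset((a, b)) not in real]
```

Running `scan(Network(LINKS), "S", "T")` records S, R1, R4, T, so the map gains an R1–R4 link that no router has; a silent R1 hides that link behind a `*` instead.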

Page 24: Mapping the Internet and Intranets


Data collection complaints

• Australian parliament was the first to complain
• List of whiners (25 nets)
• Military noticed immediately
  – Steve Northcutt
  – arrangements/warnings to DISA and CERT
• These complaints are mostly a thing of the past
  – Internet background radiation predominates

Page 25: Mapping the Internet and Intranets


Visualization goals

• make a map
  – show interesting features
  – debug our database and collection methods
  – hard to fold up
• geography doesn’t matter
• use colors to show further meaning


Page 28: Mapping the Internet and Intranets


Infovis state-of-the-art in 1998

• 800 nodes was a huge graph
• We had 100,000 nodes
• Use spring-force simulation with lots of empirical tweaks
• Each layout needed 20 hours of Pentium time


Page 30: Mapping the Internet and Intranets


Visualization of the layout algorithm

Laying out the Internet graph


Page 32: Mapping the Internet and Intranets


Visualization of the layout algorithm

Laying out an intranet


Page 34: Mapping the Internet and Intranets


A simplified map

• Minimum distance spanning tree uses 80% of the data
• Much easier visualization
• Most of the links still valid
• Redundancy is in the middle

Page 35: Mapping the Internet and Intranets


Colored by AS number

Page 36: Mapping the Internet and Intranets


Map Coloring

• distance from test host
• IP address
  – shows communities
• Geographical (by TLD)
• ISPs
• future
  – timing, firewalls, LSRR blocks
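The "minimum distance spanning tree" of Page 34 and the distance-from-test-host coloring above, as an added example that is not code from the talk or from Lumeta: the recorded paths, the scanning host H and the router and network names are constructed, and the BFS tree is one way of building such a tree, not necessarily the one the project used.

```python
# Added example, not from the talk: build the "minimum distance spanning
# tree" of the slide above from constructed traceroute-style paths. A BFS
# from the scanning host gives each node's hop distance (the distance
# coloring) and keeps one tree link per node, so the share of links the
# simplified map retains, and which links it drops, can be measured.
from collections import deque

# Constructed scan output: one recorded path per target network, each
# starting at scanning host H. Cross links between routers R1..R4 are the
# redundancy "in the middle"; '*' would mark an unresponsive hop.
PATHS = [["H", "R1", "R2", "N1"],
         ["H", "R1", "R3", "N2"],
         ["H", "R1", "R3", "R4", "N3"],
         ["H", "R2", "R4", "N3"],
         ["H", "R2", "R3", "N2"]]


def build_graph(paths):
    """Undirected adjacency from hop sequences; '*' hops break the chain."""
    adj = {}
    for path in paths:
        for a, b in zip(path, path[1:]):
            if "*" not in (a, b):
                adj.setdefault(a, set()).add(b)
                adj.setdefault(b, set()).add(a)
    return adj


def spanning_tree(adj, root):
    """BFS from root: (hop distance per node, tree parent per node)."""
    dist, parent, queue = {root: 0}, {}, deque([root])
    while queue:
        u = queue.popleft()
        for v in sorted(adj[u]):             # sorted: deterministic ties
            if v not in dist:
                dist[v], parent[v] = dist[u] + 1, u
                queue.append(v)
    return dist, parent


def tree_fraction(adj, parent):
    """Share of all links the tree keeps (one link per non-root node)."""
    return len(parent) / (sum(len(v) for v in adj.values()) // 2)


def dropped_links(adj, parent):
    """Links the simplified map leaves out, i.e. the redundancy."""
    tree = {frozenset((v, u)) for v, u in parent.items()}
    every = {frozenset((u, v)) for u in adj for v in adj[u]}
    return sorted(tuple(sorted(e)) for e in every - tree)
```

On the constructed paths the tree keeps 7 of 10 links, and the three it drops (R1–R2, R2–R3, R3–R4) all sit between routers rather than at the edge networks.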

Page 37: Mapping the Internet and Intranets


Colored by IP address!

Page 38: Mapping the Internet and Intranets


Colored by geography

Page 39: Mapping the Internet and Intranets


Colored by ISP

Page 40: Mapping the Internet and Intranets


Colored by distance from scanning host

Page 41: Mapping the Internet and Intranets


US military reached by ICMP ping

Page 42: Mapping the Internet and Intranets


US military networks reached by UDP


Page 45: Mapping the Internet and Intranets


History of the Project

• Started in August 1998 at Bell Labs
• April-June 1999: Yugoslavia mapping
• July 2000: first customer intranet scanned
• Sept. 2000: spun off Lumeta from Lucent/Bell Labs

Page 46: Mapping the Internet and Intranets


Yugoslavia

An unclassified peek at a new battlefield


Page 48: Mapping the Internet and Intranets


Intranets: the rest of the Internet

Page 49: Mapping the Internet and Intranets


The Pretty Good Wall of China


Page 55: Mapping the Internet and Intranets


This was supposed to be a VPN


Page 58: Mapping the Internet and Intranets


Anything large enough to be called an “intranet” is out of control

Page 59: Mapping the Internet and Intranets


Case studies: corp. networks

Some intranet statistics

                                          Min         Max
Intranet sizes (devices)                7,900     365,000
Corporate address space                81,000 745,000,000
% devices in unknown address space      0.01%      20.86%
% routers responding to "public"        0.14%      75.50%
% routers responding to other           0.00%      52.00%
Outbound host leaks on network              0     176,000
% devices with outbound ICMP leaks         0%         79%
% devices with outbound UDP leaks          0%         82%
Inbound UDP host leaks                      0       5,800
% devices with inbound ICMP leaks          0%         11%
% devices with inbound UDP leaks           0%         12%
% hosts running Windows                   36%         84%

Page 60: Mapping the Internet and Intranets


Leak Detection

Lumeta’s “special sauce”

Page 61: Mapping the Internet and Intranets


Leak Detection

[Figure: the Internet and the intranet, with mapping host A, test host B, the “mitt” D, and a host C.]

• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface

Page 62: Mapping the Internet and Intranets


Outbound Leak Detection

[Figure: the same diagram, with mapping host A, test host B, the “mitt” D, and host C.]

• Packet must be crafted so the response won’t be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from

Page 63: Mapping the Internet and Intranets


Inbound Leak Detection

[Figure: the same diagram, with mapping host A, test host B, the “mitt” D, and host C.]

• This direction is usually more important
• It all depends on the site policy…
• …so many leaks might be just fine.

Page 64: Mapping the Internet and Intranets


Inbound Leak Detection

[Figure: the same diagram, with mapping host A, test host B, the “mitt” D, and host C.]

Page 65: Mapping the Internet and Intranets


Some Lumeta lessons

• Reporting is the really hard part
  – Converting data to information
• “Tell me how we compare to other clients”
• Offering a service was good practice, for a while
• The clients want a device
• We have >70 Fortune-200 companies and government agencies as clients
• Need-to-have vs. want-to-have

Page 66: Mapping the Internet and Intranets


Honeyd – network emulation

• Anti-hacking tools by Niels Provos at citi.umich.edu
• Can respond as one or more hosts
• I am configuring it to look like an entire client’s network
• Useful for testing and debugging
• Product?

Page 67: Mapping the Internet and Intranets


Open questions and future work

Page 68: Mapping the Internet and Intranets


How do you analyze a large graph over time?

• Five years of Internet data, mostly unanalyzed
• Alternate paths to a target country
• Sample insight: “Poland was off the Internet yesterday”
• Placement of monitoring tools?
• Compute and display differences between two complex graphs

Page 69: Mapping the Internet and Intranets


Visualizations

• These graphs are too big for a piece of paper
• Various approaches available, but none really satisfactory
• Build visualization graph as the data comes in, and as the network evolves


Page 71: Mapping the Internet and Intranets


Mapping the Internet and Intranets

Bill Cheswick

[email protected]

http://www.cheswick.com
