Mapping the Internet and Intranets
Bill Cheswick
75 slides


Slide 3: Motivations
- Intranets are out of control
  – Always have been
- Highlands day after scenario
- Panix DOS attacks
  – a way to trace anonymous packets back!
- Internet tomography
- Curiosity about size and growth of the Internet
- Same tools are useful for understanding any large network, including intranets

Slide 4: Related Work
- See Martin Dodge's cyber geography page
- MIDS - John Quarterman
- CAIDA - kc claffy
- Mercator
- Measuring ISP topologies with rocketfuel
  – Spring, Mahajan, Wetherall
- Enter "internet map" in your search engine

Slide 5: The Goals
- Long term reliable collection of Internet and Lucent connectivity information
  – without annoying too many people
- Attempt some simple visualizations of the data
  – movie of Internet growth!
- Develop tools to probe intranets
- Probe the distant corners of the Internet

Slide 6: Methods - data collection
- Single reliable host connected at the company perimeter
- Daily full scan of Lucent
- Daily partial scan of Internet, monthly full scan
- One line of text per network scanned
  – Unix tools

Slide 7: Methods - network scanning
- Obtain master network list
  – network lists from Merit, RIPE, APNIC, etc.
  – BGP data or routing data from customers
  – hand-assembled list of Yugoslavia/Bosnia
- Run a traceroute-style scan towards each network
- Stop on error, completion, no data
  – Keep the natives happy

Slide 8: TTL probes
- Used by traceroute and other tools
- Probes toward each target network with increasing TTL
- Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
- Some people block UDP, others ICMP

Slide 9: TTL probes
[Diagram: client and server protocol stacks (Application level, TCP/UDP, IP, Hardware) joined by a chain of routers (IP, Hardware), with Hop 1 through Hop 4 marked]

Slide 10: Send a packet with a TTL of 1…
[Same diagram]

Slide 11: …and we get the death notice from the first hop
[Same diagram]

Slide 12: Send a packet with a TTL of 2…
[Same diagram]

Slide 13: … and so on …
[Same diagram]

Slide 14: Advantages
- We don't need access (i.e. SNMP) to the routers
- It's very fast
- Standard Internet tool: it doesn't break things
- Insignificant load on the routers
- Not likely to show up on IDS reports
- We can probe with many packet types

Slide 15: Limitations
- Outgoing paths only
- Level 3 (IP) only
  – ATM networks appear as a single node
  – This distorts graphical analysis
- Not all routers respond
- Many routers limited to one response per second

Slide 16: Limitations
- View is from scanning host only
- Takes a while to collect alternating paths
- Gentle mapping means missed endpoints
- Imputes non-existent links

Slides 17-18: The data can go either way
[Diagram: network of nodes A, B, C, D, E and F]

Slide 19: But our test packets only go part of the way
[Same diagram]

Slide 20: We record the hop…
[Same diagram]

Slide 21: The next probe happens to go the other way
[Same diagram]

Slide 22: …and we record the other hop…
[Same diagram]

Slide 23: We've imputed a link that doesn't exist
[Same diagram]
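
The false link built up over slides 17 to 23, reproduced as a small simulation (an added example, not part of the original slides). The topology, the node names and the strict probe-by-probe alternation between two equal-cost paths are constructed for illustration; the comparison case assumes every probe of a trace follows the same path.

```python
import itertools

# Constructed topology (not the one drawn on the slides):
# two equal-cost paths from scanning host S to target T.
TRUE_LINKS = {("S", "A"), ("A", "B"), ("B", "D"), ("D", "T"),
              ("A", "C"), ("C", "E"), ("E", "T")}
PATHS = [["S", "A", "B", "D", "T"],   # upper path
         ["S", "A", "C", "E", "T"]]   # lower path


def trace(paths, per_packet_balancing=True):
    """Return the hop list a TTL scan records toward the target.

    With per-packet load balancing each probe (one per TTL value) may
    take a different path; otherwise every probe follows paths[0].
    """
    chooser = itertools.cycle(paths)          # deterministic alternation
    hops = [paths[0][0]]                      # the scanning host itself
    for ttl in range(1, len(paths[0])):
        path = next(chooser) if per_packet_balancing else paths[0]
        hops.append(path[ttl])                # router where the TTL expires
    return hops


def imputed_links(hops):
    """Adjacent responders in one trace are assumed to share a link."""
    return set(zip(hops, hops[1:]))


def false_links(hops, true_links=TRUE_LINKS):
    """Links the map would draw that do not exist in the topology."""
    undirected = {frozenset(link) for link in true_links}
    return {l for l in imputed_links(hops) if frozenset(l) not in undirected}


if __name__ == "__main__":
    for balanced in (True, False):
        hops = trace(PATHS, per_packet_balancing=balanced)
        print("balanced" if balanced else "single path", hops,
              "false links:", sorted(false_links(hops)))
```

When validating a map built this way, a link that appears only between responders seen on different paths is a candidate for this artifact and is worth confirming with repeated traces.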

Slide 24: Data collection complaints
- Australian parliament was the first to complain
- List of whiners (25 nets)
- Military noticed immediately
  – Steve Northcutt
  – arrangements/warnings to DISA and CERT
- These complaints are mostly a thing of the past
  – Internet background radiation predominates

Slide 25: Visualization goals
- make a map
  – show interesting features
  – debug our database and collection methods
  – hard to fold up
- geography doesn't matter
- use colors to show further meaning

Slide 28:
- Infovis state-of-the-art in nodes was a huge graph
- We had 100,000 nodes
- Use spring-force simulation with lots of empirical tweaks
- Each layout needed 20 hours of Pentium time

Slide 30: Visualization of the layout algorithm
- Laying out the Internet graph

Slide 32: Visualization of the layout algorithm
- Laying out an intranet

Slide 34: A simplified map
- Minimum distance spanning tree uses 80% of the data
- Much easier visualization
- Most of the links still valid
- Redundancy is in the middle

Slide 35: Colored by AS number

Slide 36: Map Coloring
- distance from test host
- IP address
  – shows communities
- Geographical (by TLD)
- ISPs
- future
  – timing, firewalls, LSRR blocks

Slide 37: Colored by IP address!

Slide 38: Colored by geography

Slide 39: Colored by ISP

Slide 40: Colored by distance from scanning host

Slide 41: US military reached by ICMP ping

Slide 42: US military networks reached by UDP

Slide 45: History of the Project
- Started in August 1998 at Bell Labs
- April-June 1999: Yugoslavia mapping
- July 2000: first customer intranet scanned
- Sept. 2000: spun off Lumeta from Lucent/Bell Labs

Slide 46: Yugoslavia
- An unclassified peek at a new battlefield

Slide 48: A film by Steve Hollywood Branigan...

Slide 50: The end

Slide 51: Intranets: the rest of the Internet

Slide 52: The Pretty Good Wall of China

Slide 58: This was Supposed To be a VPN

Slide 61: Anything large enough to be called an intranet is out of control

Slide 62: Case studies: corp. networks
- Some intranet statistics

Slide 63: Leak Detection
- Lumeta's special sauce

Slide 64: The second technology: host leak detection
- Developed to find hosts that have access to both intranet and Internet
- Or across any privilege boundary
- Leaking hosts do not route between the networks
- May be a dual-homed host
- Not always a bad thing
- Technology didn't exist to find these

Slide 65: Possible host leaks
- Misconfigured telecommuters connecting remotely
- VPNs that are broken
- DMZ hosts with too much access
- Business partner networks
- Internet connections by rogue managers
- Modem links to ISPs

Slide 66: Leak results
- Found home web businesses
- At least two clients have tapped leaks
  – One made front page news
- From the military: the republic is a little safer

Slide 67: Leak Detection Prerequisites
- List of potential leakers: obtained by census
- Access to intranet
- Simultaneous availability of a mitt

Slide 68: Leak Detection Layout
[Diagram labels: Internet, intranet, Mapping host A, Test host B, mitt D, C]
- Mapping host with address A is connected to the intranet
- Mitt with address D has Internet access
- Mapping host and mitt are currently the same host, with two interfaces

Slide 69: Leak Detection
[Same diagram]
- Test host has known address B on the intranet
- It was found via census
- We are testing for unauthorized access to the Internet, possibly through a different address, C

Slide 70: Leak Detection
[Same diagram]
- A sends packet to B, with spoofed return address of D
- If B can, it will reply to D with a response, possibly through a different interface

Slide 71: Leak Detection
[Same diagram]
- Packet must be crafted so the response won't be permitted through the firewall
- A variety of packet types and responses are used
- Either inside or outside address may be discovered
- Packet is labeled so we know where it came from

Slide 72: Inbound Leak Detection
[Same diagram]
- This direction is usually more important
- It all depends on the site policy…
- …so many leaks might be just fine.

Slide 73: Inbound Leak Detection
[Same diagram]

Slide 74: Honeyd – network emulation
- Anti-hacking tools by Niels Provos at citi.umich.edu
- Can respond as one or more hosts
- I am configuring it to look like an entire client's network
- Useful for testing and debugging
- Product?

Slide 75: Some Lumeta lessons
- Reporting is the really hard part
  – Converting data to information
- Tell me how we compare to other clients
- Offering a service was good practice, for a while
- We have >70 Fortune-200 companies and government agencies as clients

Slide 76: Open questions and future work

Slide 77:
- How do you analyze a large graph over time?
- Five years of Internet data, mostly unanalyzed
- Alternate paths to a target country
- Sample insight: Poland was off the Internet yesterday
- Placement of monitoring tools?
- Compute and display differences between two complex graphs

Slide 78: Visualizations
- These graphs are too big for a piece of paper
- Various approaches available, but none really satisfactory
- Build visualization graph as the data comes in, and as the network evolves
