Mapping the Internet and Intranets

About This Presentation

Title:

Mapping the Internet and Intranets

Description:

Curiosity about size and growth of the Internet ... See Martin Dodge's cyber geography page. MIDS - John Quarterman. CAIDA - kc claffy. Mercator ' ... – PowerPoint PPT presentation

Number of Views:40

Avg rating:3.0/5.0

Slides: 138

Provided by: billch

Category:

more less

Transcript and Presenter's Notes

Title: Mapping the Internet and Intranets

1
(No Transcript)
2
Clear and Present Dangers

Bill Cheswick
Lumeta Corp.
ches_at_lumeta.com

3
Clear and Present Dangers

Perimeter Leaks
Poor host security

4
Mapping the Internet and Intranets

Bill Cheswick
ches_at_lumeta.com
http//www.cheswick.com

5
Motivations

Intranets are out of control
Always have been
Highlands day after scenario
Panix DOS attacks
a way to trace anonymous packets back!

Internet tomography
Curiosity about size and growth of the Internet
Same tools are useful for understanding any large
network, including intranets

6
Related Work

See Martin Dodges cyber geography page
MIDS - John Quarterman
CAIDA - kc claffy
Mercator
Measuring ISP topologies with rocketfuel - 2002
Spring, Mahajan, Wetherall
Enter internet map in your search engine

7
The Goals

Long term reliable collection of Internet and
Lucent connectivity information
without annoying too many people
Attempt some simple visualizations of the data

movie of Internet growth!
Develop tools to probe intranets
Probe the distant corners of the Internet

8
Methods - data collection

Single reliable host connected at the company
perimeter
Daily full scan of Lucent
Daily partial scan of Internet, monthly full scan
One line of text per network scanned
Unix tools

9
Methods - network scanning

Obtain master network list
network lists from Merit, RIPE, APNIC, etc.
BGP data or routing data from customers
hand-assembled list of Yugoslavia/Bosnia
Run a traceroute-style scan towards each network
Stop on error, completion, no data
Keep the natives happy

10
TTL probes

Used by traceroute and other tools
Probes toward each target network with increasing
TTL
Probes are ICMP, UDP, TCP to port 80, 25, 139,
etc.
Some people block UDP, others ICMP

11
TTL probes
Hop 3
Hop 1
Hop 2
Hop 4
Hop 3
12
Send a packet with a TTL of 1
Hop 3
Hop 1
Hop 2
Hop 4
Hop 3
13
and we get the death notice from the first hop
Hop 3
Hop 1
Hop 2
Hop 4
Hop 3
14
Send a packet with a TTL of 2
Hop 3
Hop 1
Hop 2
Hop 4
Hop 3
15
and so on
Hop 3
Hop 1
Hop 2
Hop 4
Hop 3
16
Advantages

We dont need access (I.e. SNMP) to the routers
Its very fast
Standard Internet tool it doesnt break things
Insignificant load on the routers
Not likely to show up on IDS reports
We can probe with many packet types

17
Limitations

Outgoing paths only
Level 3 (IP) only
ATM networks appear as a single node
This distorts graphical analysis
Not all routers respond
Many routers limited to one response per second

18
Limitations

View is from scanning host only
Takes a while to collect alternating paths
Gentle mapping means missed endpoints
Imputes non-existent links

19
The data can go either way
B
C
D
A
E
F
20
The data can go either way
B
C
D
A
E
F
21
But our test packets only go part of the way
B
C
D
A
E
F
22
We record the hop
B
C
D
A
E
F
23
The next probe happens to go the other way
B
C
D
A
E
F
24
and we record the other hop
B
C
D
A
E
F
25
Weve imputed a link that doesnt exist
B
C
D
A
E
F
26
Data collection complaints

Australian parliament was the first to complain
List of whiners (25 nets)
Military noticed immediately
Steve Northcutt
arrangements/warnings to DISA and CERT
These complaints are mostly a thing of the past
Internet background radiation predominates

27
Visualization goals

make a map
show interesting features
debug our database and collection methods
hard to fold up
geography doesnt matter
use colors to show further meaning

28
(No Transcript)
29
(No Transcript)
30
Infovis state-of-the-art in 1998

800 nodes was a huge graph
We had 100,000 nodes
Use spring-force simulation with lots of
empirical tweaks
Each layout needed 20 hours of Pentium time

31
(No Transcript)
32
Visualization of the layout algorithm

Laying out the Internet graph

33
(No Transcript)
34
Visualization of the layout algorithm

Laying out an intranet

35
(No Transcript)
36
A simplified map

Minimum distance spanning tree uses 80 of the
data
Much easier visualization
Most of the links still valid
Redundancy is in the middle

37
Colored by AS number
38
Map Coloring

distance from test host
IP address
shows communities
Geographical (by TLD)
ISPs
future
timing, firewalls, LSRR blocks

39
Colored by IP address!
40
Colored by geography
41
Colored by ISP
42
Colored by distance from scanning host
43
US military reached by ICMP ping
44
US military networks reached by UDP
45
(No Transcript)
46
(No Transcript)
47
Yugoslavia

An unclassified peek at a new battlefield

48
(No Transcript)
49
Un film par Steve Hollywood Branigan...
50
(No Transcript)
51
fin
52
Routers in New York Citymissing generator fuel
53
Intranets
54
We partition our networks to get out of the game

Companies, governments, departments, even
families hide in enclaves to limit connectivity
to approved services
These are called intranets
The decentralized, cloud-like nature of internets
makes them hard to manage at a central point
My company explores the extent of intranets and
their interconnections with other networks.

55
Intranets the rest of the Internet
56
(No Transcript)
57
(No Transcript)
58
(No Transcript)
59
(No Transcript)
60
(No Transcript)
61
This was Supposed To be a VPN
62
(No Transcript)
63
(No Transcript)
64
Anything large enough to be called an intranet
isout of control
65
Case studies corp. networksSome intranet
statistics
66
Leak Detection
Mapping host
mitt

A sends packet to B, with spoofed return address
of D
If B can, it will reply to D with a response,
possibly through a different interface

A
D
Internet
intranet
C
B
Test host
67
Leak Detection
Mapping host
mitt

Packet must be crafted so the response wont be
permitted through the firewall
A variety of packet types and responses are used
Either inside or outside address may be
discovered
Packet is labeled so we know where it came from

A
D
Internet
intranet
C
B
Test host
68
Existence proofs of intranet leaks the slammer
worm

Its a pop-quiz on perimeter integrity
The best run networks (e.g. spooks nets) do not
get these plagues
Internal hosts may be susceptible

69
Some Lumeta lessons

Reporting is the really hard part
Converting data to information
Tell me how we compare to other clients
Offering a service was good practice, for a while
The clients want a device
We have gt70 Fortune-200 companies and government
agencies as clients
Need-to-have vs. want-to-have

70
Honeyd network emulation

Anti-hacking tools by Niels Provos at
citi.umich.edu
Can respond as one or more hosts
I am configuring it to look like an entire
clients network
Useful for testing and debugging
Product?

71
History of the Project

Started in August 1998 at Bell Labs
April-June 1999 Yugoslavia mapping
July 2000 first customer intranet scanned
Sept. 2000 spun off Lumeta from Lucent/Bell Labs
June 2002 B round funding completed
2003 sales gt4MM

72
(No Transcript)
73
Mapping the Internet and Intranets

Bill Cheswick
ches_at_lumeta.com
http//www.cheswick.com

74
My Dads Computer and the Future of Internet
Security

Bill Cheswick
ches_at_lumeta.com
http//www.lumeta.com

75
(No Transcript)
76
My Dads computer

Skinny-dipping with Microsoft

77
Case studyMy Dads computer

Windows XP, plenty of horsepower, two screens
Applications
Email (Outlook)
Bridge a fancy stock market monitoring system
AIM

78
Case studyMy Dads computer

Cable access
dynamic IP address
no NAT
no firewall
outdated virus software
no spyware checker

79
This computer was a software toxic waste dump

It was burning a liter of oil every 500 km
The popups seemed darned distracting to me

80
My Dads computer what the repair geek found

Everything
Viruses Ive never heard off
Constant popups
Frequent blasts of multiple web pages, all
obscene
Dad why do I care? I am getting my work done

81
Dads computer how did he get in this mess?

He doesnt know what the popup security messages
mean
Email-born viruses
Unsecured network services
Executable code in web pages from unworthy sites

82
He is getting his work done

Didnt want a system administrator to mess up his
user interface settings
Truly destructive attacks are rare
They arent lucrative or much fun
They are self-limiting

83
Recently

An alien G-rated screen saver for an X-rated site
appeared
Changing the screen saver worked!
The screen saver software removed in the correct
way!
Still, this should never have happened

84
Skinny Dipping on the Internet
85
Ive been skinny dipping on the Internet for years

FreeBSD and Linux hosts
Very few, very hardened network services
Single-user hosts
Dangerous services placed in sandboxes
No known breakins
No angst

86
Best block is not be there

-Karate Kid

87
Angst and the Morris Worm

Did the worm get past my firewall?
No. Why?
Partly smart design
Partly luckremoving fingerd
Peace of mind comes from staying out of the
battle altogether

88
Youve got to get out of the game

-Fred Grampp

89
Can my Dad (and millions like him) get out of the
game?
90
Arms Races
91
Virus arms race

Early on, detectors used viral signatures
Virus encryption and recompilation (!) has
thwarted this
Virus detectors now simulate the code, looking
for signature actions
Virus writers now detect emulation and behave
differently
Virus emulators are slowing down, even with
Moores Law.

92
Virus arms race

I suspect that virus writers are going to win the
detection battle, if they havent already
Emulation may become too slow
Even though we have the home-field advantage
Will we know if an undetectable virus is
released?
Best defense is to get out of the game.
Dont run portable programs, or
Improve our sandbox technology
People who really care about this worry about Ken
Thompsons attack
Read and understand On Trusting Trust

93
Getting out of the virus game

Dont execute roving programs of unknown
provenance
Trusted Computing can fix the problem, in theory

94
Password sniffing and cracking arms race

Ethernet has always been sniffable
WiFi is the new Ethernet

95
Password sniffing and cracking arms race

Password cracking works 3 to 60 of the time
using offline dictionary attacks
More, if the hashing is misdesigned (c.f.
Microsoft)
This will never get better, so
We have to get out of the game

96
Password sniffing and cracking arms race

This battle is mostly won, thanks to SSL, IP/SEC,
and VPNs.
There are many successful businesses using these
techniques nicely.

97
Password sniffing is not a problem for Dad

SSL fixes most of it
AIM is interceptible
Fixablewill it be?

98
Authentication/Identification Arms races

Password/PIN selection vs. cracking
Human-chosen passwords and PINs can be ok if
guessing is limited, and obvious choices are
suppressed
Password cracking is getting better, thanks to
Moores Law and perhaps even botnets

99
We dont know how to leave the user in charge of
security decisions, safely.
100
User education vs. user deception

We will continue losing this one
Even experts sometimes dont understand the
ramifications of choices they are offered

101
Authentication arms racepredictions

USA needs two factor authentication for social
security number. (Something better than MMN or
birth date.)
I dont see this improving much, but a global USB
dongle would do it
Dont wait for world-wide PKI.

102
Arms race (sort of)hardware destruction

IBM monochrome monitor
Some more recent monitors
Current ones?
Hard drives? Beat the heads up?
EEPROM write limits
Viral attack on .cn and .kr PC motherboards
Other equipment
Anything that requires a hardware on-site service
call

103
Arms race (sort of)hardware destruction

Rendering the firmware useless
This can be fixed (mostly) with a secure trusted
computing base.

104
Software upgrade race literally a race

Patches are analyzed to determine the weakness
Patch-to-exploit time is now down below 10 hours
NB spammers have incentive to do this work
Now the good guys are trying to obfuscate code!
Future difficult to say dark side obscures
everything.

105
Arms Races deception

Jails
Cliff Stoll and SDInet
Honeypots
Honeynet
honeyd
The deception toolkit---Fred Cohen

106
Microsoft client security

It has been getting worse can they skinny-dip
safely?

107
Windows ME
Active Connections - Win ME Proto Local
Address Foreign Address State
TCP 127.0.0.11032 0.0.0.00
LISTENING TCP 223.223.223.10139
0.0.0.00 LISTENING UDP
0.0.0.01025
UDP 0.0.0.01026
UDP 0.0.0.031337
UDP 0.0.0.0162
UDP 223.223.223.10137
UDP
223.223.223.10138
108
Windows 2000
Proto Local Address Foreign Address
State TCP 0.0.0.0135
0.0.0.00 LISTENING TCP
0.0.0.0445 0.0.0.00
LISTENING TCP 0.0.0.01029
0.0.0.00 LISTENING TCP
0.0.0.01036 0.0.0.00
LISTENING TCP 0.0.0.01078
0.0.0.00 LISTENING TCP
0.0.0.01080 0.0.0.00
LISTENING TCP 0.0.0.01086
0.0.0.00 LISTENING TCP
0.0.0.06515 0.0.0.00
LISTENING TCP 127.0.0.1139
0.0.0.00 LISTENING UDP
0.0.0.0445
UDP 0.0.0.01038
UDP 0.0.0.06514
UDP 0.0.0.06515
UDP 127.0.0.11108
UDP
223.223.223.96500
UDP 223.223.223.964500

109
Windows XP, this laptop
Proto Local Address Foreign Address
State TCP ches-pcepmap
ches-pc0 LISTENING TCP
ches-pcmicrosoft-ds ches-pc0
LISTENING TCP ches-pc1025
ches-pc0 LISTENING TCP
ches-pc1036 ches-pc0
LISTENING TCP ches-pc3115
ches-pc0 LISTENING TCP
ches-pc3118 ches-pc0
LISTENING TCP ches-pc3470
ches-pc0 LISTENING TCP
ches-pc3477 ches-pc0
LISTENING TCP ches-pc5000
ches-pc0 LISTENING TCP
ches-pc6515 ches-pc0
LISTENING TCP ches-pcnetbios-ssn
ches-pc0 LISTENING TCP
ches-pc3001 ches-pc0
LISTENING TCP ches-pc3002
ches-pc0 LISTENING TCP
ches-pc3003 ches-pc0
LISTENING TCP ches-pc5180
ches-pc0 LISTENING UDP
ches-pcmicrosoft-ds
UDP ches-pcisakmp
UDP ches-pc1027
UDP ches-pc3008
UDP ches-pc3473
UDP ches-pc6514
UDP
ches-pc6515
UDP ches-pcnetbios-ns
UDP ches-pcnetbios-dgm
UDP ches-pc1900
UDP ches-pcntp
UDP ches-pc1900
UDP
ches-pc3471
110
FreeBSD partition, this laptop(getting out of
the game)
Active Internet connections (including
servers) Proto Recv-Q Send-Q Local Address
tcp4 0 0 .22
tcp6 0 0 .22
111
It is easy to dump on Microsoft, but many others
have made the same mistakes before
112
Default servicesSGI workstation
ftp stream tcp nowait root
/v/gate/ftpd telnet stream tcp nowait root
/usr/etc/telnetd shell stream tcp
nowait root /usr/etc/rshd login stream tcp
nowait root /usr/etc/rlogind exec
stream tcp nowait root /usr/etc/rexecd
finger stream tcp nowait guest
/usr/etc/fingerd bootp dgram udp wait
root /usr/etc/bootp tftp dgram udp
wait guest /usr/etc/tftpd ntalk dgram
udp wait root /usr/etc/talkd tcpmux
stream tcp nowait root internal echo
stream tcp nowait root internal discard
stream tcp nowait root internal chargen
stream tcp nowait root internal daytime
stream tcp nowait root internal time
stream tcp nowait root internal echo
dgram udp wait root internal discard
dgram udp wait root internal chargen
dgram udp wait root internal daytime
dgram udp wait root internal time
dgram udp wait root internal sgi-dgl
stream tcp nowait root/rcv dgld uucp
stream tcp nowait root
/usr/lib/uucp/uucpd
113
More default services
mountd/1 stream rpc/tcp wait/lc root
rpc.mountd mountd/1 dgram rpc/udp wait/lc
root rpc.mountd sgi_mountd/1 stream rpc/tcp
wait/lc root rpc.mountd sgi_mountd/1 dgram
rpc/udp wait/lc root rpc.mountd rstatd/1-3
dgram rpc/udp wait root rpc.rstatd
walld/1 dgram rpc/udp wait root
rpc.rwalld rusersd/1 dgram rpc/udp wait
root rpc.rusersd rquotad/1 dgram rpc/udp
wait root rpc.rquotad sprayd/1 dgram
rpc/udp wait root rpc.sprayd
bootparam/1 dgram rpc/udp wait root
rpc.bootparamd sgi_videod/1 stream rpc/tcp wait
root ?videod sgi_fam/1 stream
rpc/tcp wait root ?fam
sgi_snoopd/1 stream rpc/tcp wait root
?rpc.snoopd sgi_pcsd/1 dgram rpc/udp wait
root ?cvpcsd sgi_pod/1 stream rpc/tcp
wait root ?podd tcpmux/sgi_scanner
stream tcp nowait root ?scan/net/scannerd tcp
mux/sgi_printer stream tcp nowait root
?print/printerd 9fs stream tcp
nowait root /v/bin/u9fs u9fs webproxy
stream tcp nowait root
/usr/local/etc/webserv
114
Firewalls and intranets try to get us out of the
network services vulnerability game
115
(No Transcript)
116
What my dad(and most of you)really needs
117
Most of my Dads problems are caused by
weaknesses in features he never uses or needs.
118
A proposalWindows OK
119
Windows OK

Thin client implemented with Windows
It would be fine for maybe half the Windows users
Students, consumers, many corporate and
government users
It would be reasonable to skinny dip with this
client
Without firewall or virus checking software

120
Windows OK

No network listeners
None of those services are needed, except admin
access for centrally-administered hosts
Default security settings
All security controls in one or two places
Security settings can be locked

121
Windows OK (cont)

There should be nothing you can click on, in
email or a web page, that can hurt your computer
No portable programs are executed ever, except
ActiveX from approved parties
MSFT and one or two others. List is lockable

122
Windows OK

Reduce privileges in servers and all programs
Sandbox programs
Belt and suspenders

123
Office OK

No macros in Word or PowerPoint. No executable
code in PowerPoint files
The only macros allowed in Excel perform
arithmetic. They cannot create files, etc.

124
Vulnerabilities in OK