1%20of%2057 - PowerPoint PPT Presentation

About This Presentation

Title:

1%20of%2057

Description:

At Morris worm (nov 1988), estimated to be 6,000 hosts on the Internet (SWAG) ... Perhaps worm spreads might be slowed. See below. Reasons not to go to IPv6 ... – PowerPoint PPT presentation

Number of Views:54

Avg rating:3.0/5.0

Slides: 58

Provided by: billch

Category:

Tags: 20of | worm

more less

Transcript and Presenter's Notes

Title: 1%20of%2057

1
IPv6Thanks for stopping by

Bill Cheswick
ches_at_lumeta.com
http//www.lumeta.com

2
(No Transcript)
3
The Internet was engineered in the early 1980s,
and before

A research project, with a lot of flaws
Nobody thought it would succeed as it has
Astonishing that the engineering choices have
lasted so long, through so many orders of
magnitude of growth
Relatively little tweaking
DNS, BGP, CIDR addressing, TCP slow start, a few
new ICMP messages

4
One of the choices address size

4 billion addresses (232) seemed like enough in
1982
At Morris worm (nov 1988), estimated to be 6,000
hosts on the Internet (SWAG)
In Bell Labs, I counted 1,330
ATT acquired a class A network (12.0.0.0/8) when
Mark Horton just asked for it

5
Fun with a class A (/8) network

We couldnt figure out how to use it
Sub and sub-sub netmasking not well supported
The Cray had no trouble using it
IP-opaque firewall wouldnt allow us to use it
internally and externally
Steve Bellovin and I wondered how this empty
address space was faring on the Internet
We built the first packet telescope

6
Packet telescopes
7
How do you make a packet telescope?

Announce the network on the Internet
Tell the router to forward all packets of that
net to a non-existent Ethernet address
(010203040506)
The router doesnt care that no-one is listening
to the packets
Then listen with tcpdump, ethereal, etc.

8
What we found

Backscatter from dying hosts
Misconfigured routers, etc.
15 25 MB per day of traffic
Steve wrote the paper There Be Dragons based on
the results.

9
Backscatter

Some attacks on hosts require that tables be
full, or the host be to busy to respond
Flood it with spoofed packets having random
return addresses
Or chosen to be ATT, because the phone company
is evil
The (dying) host will emit some responses to the
spoofed address, and we can see some of them

10
Packet telescopes are used by a number of
researchers today

They cover a lot of address space
The address spaces covered are kept secret
Some are large, obvious spaces
Others are mixed in with normal space
More on this later

11
Brief history of Internet addressing1993

Careless allocation seemed to be dooming us
My ASCII floor number in our class B network
135.104.x.0/16
Address space was filling up
Routers we limited by memory holding all the
routes on the Internet

12
Simple solution in 1993 more address bits

Painful, but not too bad
Would have gone into microsoftwin 95 was in the
future
IETF had several proposals to change the IP
packet format to add more address space
and do a lot of other stuff, too, unfortunately
As long as you are going to change every IP
stack, lets get something done
Politics!

13
0.0.0.0
255.255.255.255
14
Class D and E networks multicast
15
10.0.0.0/8
RFC 1918 space
16
127.0.0.0/8
17
In 1993, IPv6 was 3 years away

(C2 in 92?)

18
But the emergency hasnt come yet, at least in
the US

RFC 1918, private address space, is used
extensively
Companies were using IP-blocking firewalls,
making their own address space
At one bank 50 states -gt 50 class A networks
Class A/B/C network sizes replaced with CIDR
blocks 209.123.16.96/28
ARIN/RIPE/APNIC became very restrictive about
handing out addresses

19
1999
20
2000
21
2001
22
2002
23
2005
24
IPv6 still 3 years away?

Depends

25
ipv6.research.microsoft.com. 15M IN AAAA
131.107.65.121 ipv6.research.microsoft.com.
15M IN AAAA 2002836b4179836b4179
26
(No Transcript)
27
IPv6 deployment

Widely deployed in the Far East, and in the new
cell phones
Europe is getting on board
US Government mandate for 2005
But what does IPv6 capable really mean?
None of the three ISPs I am connected to at home
or work offer raw IPv6 feeds

28
IPv6 transition

6bone deprecated
IPv6 is available through IPv4/IPv6 tunnel
brokers
www.hexago.com formerly freenet6.net
Easy to set up on Unix hosts, then it Just Works
In Windows XP for developers
IPv4/IPv6 NAT boxes?
Lumeta? We are working on it

29
IPv6

Some details

30
IPv4 vs. IPv6 address space
Class A
/8
/16
Class B (street value, 1MM?)
/24
Class C
China /32
soldier /48
link /64
31
IPv6 address space

/48s seem to be freely available
Each US soldier will have one
One for each home
Easy to hide hosts in that space
Hard to administer hosts in that space
Some interesting cryptographic and IP hopping
applications come to mind.

32
soldier /48

Host portion is 80 bits
Enough for four whole Internets-worth of
addresses for each cell in the soldiers body
Future nanotech really-intranet?
Roughly enough to assign an IP address to each
molecule in one of the soldiers bullets

33
IPv6 technical aspects

Addresses arent as bad as you might think
20015bfe161 (easy to grep!)
Address format changes logfile processing
Math not easy for processing IPv6 addresses
The socket dance must be rewritten
Its much cleaner now
Not a big deal, but requires changes to every
Internet legacy programs

34
IPv6 dead ends

Google-based research will lead you down recently
abandoned dead ends
A6 came and went, AAAA is what to use
Link level addressing is deprecated
The 6bone is dying, dont go there
Use of bottom 128 48 80 bits not really
settled

35
Conversion issues

IPv4-only hardware
Not available in
Some routers, wireless base stations, hubs, etc.
Programmers have to relearn the socket dance
Address format changes logfile processing
Have to replicate a whole new set of firewall
rules

36
IPv6 pending problems

chicken-and-egg startup
DNS entries too small to hold all the root AAAA
records
Asset management?

37
Reasons to go to IPv6

Address space stops being a problem
Because the government policy says so
There could be useful IPv6-only sites
Early adopters (i.e. China) can restrict access
to the IPv4 world
Perhaps worm spreads might be slowed
See below

38
Reasons not to go to IPv6

Unnecessary expense for corporations using
private address space
Unsupported by most cheap devices
Cable modems, base stations, etc.
Not really there yet some standards unsettled

39
Who are the early adopters?

China and japan
Didnt receive very large initial IPv4
allocations
Nascent industries
IP for cell phones
US government, supposedly

40
IPv6 is still three years away

From general acceptance
There are more than a thousand out there right
now
IPv4 has nearly 200,000

41
Some IPv6 web sites

www.ipv6.org
www.ipv6forum.com
vendors
www.hexago.com
Free IPv6 brokering

42
More on the Telescopes

Watching todays evil

43
How do you make a packet telescope? Part 2.

Choose some unused IP addresses
Near other address spaces is more likely to get
hit
Have a host publish permanent arp entries for
each address
arp 209.123.16.100 010203040506 pub
The router doesnt care that nobody is listening
Then listen with tcpdump, ethereal, etc.

44
Internet background radiation

209.123.16.100/30 a packet telescope with four
addresses
6 probes per hour per address
Results vary depending on who is next door to
you in Internet addressing (i.e. shares an ISP)

45
Thursday, 4 addresses, res./com. network (nac.net)

first half of Thursday
4 addresses
residential/commercial network (nac.net)
Nothing in DNS or web about these addresses
No windows PCs here

46
Traffic by hour
b/var/tmp cut -d -f1 x sort uniq -c awk
'x "" for (i1 ilt1 i) x x ""
print 2, 1, x 00 67
01 30
02 37
03 47
04
42 05
42 06
54
07 28 08 46
09
37 10 18

47
Attack distribution by address
209.123.16.100 111 209.123.16.101
95 209.123.16.102 114 209.123.16.103 127
48
070428.194878 IP 209.137.140.29.4908 gt
209.123.16.103.135 S 32347167323234716732(0)
win 16 070734.165401 IP 209.11.240.115.4470 gt
209.123.16.103.445 S 23814004932381400493(0)
win 16 071517.085918 IP 209.7.49.222.2681 gt
209.123.16.101.135 S 28064960912806496091(0)
win 1638 071748.786333 IP 209.137.231.71.1825 gt
209.123.16.103.135 S 14793939881479393988(0)
win 87 071851.474861 IP 219.145.170.26.3178 gt
209.123.16.103.1434 UDP, length
376 072332.286715 IP 209.239.14.76.3293 gt
209.123.16.100.135 S 269840468269840468(0) win
64240 072450.831650 IP 200.27.150.160.1078 gt
209.123.16.100.1434 UDP, length
376 072504.705014 IP 209.77.237.109.1977 gt
209.123.16.103.135 S 27667326232766732623(0)
win 64 072657.976816 IP 211.175.182.185.6000 gt
209.123.16.100.1433 S 11323965441132396544(0)
win 072657.980013 IP 211.175.182.185.6000 gt
209.123.16.103.1433 S 974782464974782464(0) win
16 072657.984673 IP 211.175.182.185.6000 gt
209.123.16.102.1433 S 20102512642010251264(0)
win 072657.988127 IP 211.175.182.185.6000 gt
209.123.16.101.1433 S 148832256148832256(0) win
16 073112.193510 IP 209.116.102.97.4415 gt
209.123.16.102.135 S 22431802102243180210(0)
win 64 073701.279847 IP 61.147.119.92.80 gt
209.123.16.103.15439 S 13945065621394506562(0)
ack 157 073823.276307 IP 209.11.240.139.3691 gt
209.123.16.103.135 S 208658438208658438(0) win
6553 073933.883035 IP 209.11.240.139.4643 gt
209.123.16.102.135 S 25593566272559356627(0)
win 65 074133.970959 IP 209.11.240.139.1053 gt
209.123.16.100.135 S 12181415031218141503(0)
win 65 074619.098466 IP 209.123.117.250.3700 gt
209.123.16.101.445 S 24838895352483889535(0)
win 1 074622.092386 IP 209.123.117.250.3700 gt
209.123.16.101.445 S 24838895352483889535(0)
win 1 074648.374438 IP 209.123.117.250.4325 gt
209.123.16.103.445 S 25215760922521576092(0)
win 1 074651.363928 IP 209.123.117.250.4325 gt
209.123.16.103.445 S 25215760922521576092(0)
win 1 075145.253869 IP 209.7.49.222.4655 gt
209.123.16.101.135 S 140404696140404696(0) win
16384 075211.682851 IP 209.123.117.250.3593 gt
209.123.16.102.445 S 29444608732944460873(0)
win 1 075214.653648 IP 209.123.117.250.3593 gt
209.123.16.102.445 S 29444608732944460873(0)
win 1 075301.116268 IP 209.123.117.250.4668 gt
209.123.16.100.445 S 30093703383009370338(0)
win 1 075304.042178 IP 209.123.117.250.4668 gt
209.123.16.100.445 S 30093703383009370338(0)
win 1 075414.805373 IP 209.123.117.250.2398 gt
209.123.16.102.445 S 31056851143105685114(0)
win 1 075417.772847 IP 209.123.117.250.2398 gt
209.123.16.102.445 S 31056851143105685114(0)
win 1
49
IP source address count
4 209.90.146.22 4 209.82.169.44 4
209.122.226.106 4 192.168.1.45 3
61.152.252.235 3 221.214.42.125 3
218.83.154.115 3 209.99.225.79 3
209.77.237.109 3 209.215.59.208 3
209.175.204.220 3 209.137.140.29 2
84.156.85.78 2 81.130.123.202 2
80.228.91.231 2 70.60.120.185 2
61.186.250.42 2 222.149.180.50 2
218.75.231.165 2 218.204.84.211 2
211.140.254.58 2 209.82.168.29 2
209.47.91.210 2 209.42.36.2
2 209.39.34.83 2 209.30.250.158 2
209.249.28.107 2 209.239.5.6
98 209.123.117.250 31 222.88.173.5 26
209.11.240.139 21 195.92.95.61 13
220.179.123.85 11 222.248.96.249 9
209.116.102.97 9 209.11.240.115 8
61.152.239.150 8 211.185.208.65 8
209.82.176.43 8 209.215.20.79 8
209.161.170.208 8 209.12.135.83 8
204.141.115.75 6 61.235.154.104 6
222.88.60.22 5 209.7.49.222 4 84.56.28.102
4 67.10.6.128 4 218.172.117.90 4
218.108.175.109 4 212.194.206.163 4
211.175.182.185
50
Attack sources
36.dsli.com 43-176-82-209.g-net.net 56k.execulink.
com a.dns.kr adsl.alicedsl.de ariston.netcraft.com
biz.rr.com bumttx.swbell.net customer.vpls.net cy
dc.com.br d4.club-internet.fr dhcp.transact.bm dia
lup.rcn.com dip.t-dialin.net dns1.ntli.net dns1.xs
pedius.net dsl-xxx.arcor-ip.net dynamic.hinet.net
ev1s-xxx.ev1servers.net fbx.proxad.net guangzhou.g
d.cn
hosfio.org.ar hsia.telus.net in-addr.btopenworld.c
om jan.bellsouth.net jax.bellsouth.net jukebox.e-m
igrate.com k12.il.us kinc.cablerocket.net mesh.ad.
jp nosp3-xxx.i-55.com ns.cnmobile.net ns.uunet.ca
ns01.unicom-alaska.com ns1.apnic.net ns1.hzman.net
ns1.nac.net ns1.telehouse.com ns1.yipes.com nsf.a
lgx.net ocn.ne.jp odo.warpspeed.com
online.ln.cn prisoner.iana.org ptt.js.cn pubnet.ne
.kr res.rr.com rev.gaoland.net sdjnptt.net.cn snfc
21.pacbell.net sta.net.cn sunprairie.visionsystems
.tv tj.unn.no tor.primus.ca us.xo.net zjhzptt.net.
cn
51
What are these packets, and where do they come
from?