1 of 57 - PowerPoint PPT Presentation

Title: 1 of 57
Provided by: billch
Slides: 58

Transcript and Presenter's Notes

1
IPv6: Thanks for stopping by
  • Bill Cheswick
  • ches_at_lumeta.com
  • http://www.lumeta.com

2
(No Transcript)
3
The Internet was engineered in the early 1980s,
and before
  • A research project, with a lot of flaws
  • Nobody thought it would succeed as it has
  • Astonishing that the engineering choices have
    lasted so long, through so many orders of
    magnitude of growth
  • Relatively little tweaking
  • DNS, BGP, CIDR addressing, TCP slow start, a few
    new ICMP messages

4
One of the choices: address size
  • 4 billion addresses (2^32) seemed like enough in
    1982
  • At Morris worm (Nov 1988), estimated to be 6,000
    hosts on the Internet (SWAG)
  • In Bell Labs, I counted 1,330
  • AT&T acquired a class A network (12.0.0.0/8) when
    Mark Horton just asked for it

5
Fun with a class A (/8) network
  • We couldn't figure out how to use it
  • Sub and sub-sub netmasking not well supported
  • The Cray had no trouble using it
  • IP-opaque firewall wouldn't allow us to use it
    internally and externally
  • Steve Bellovin and I wondered how this empty
    address space was faring on the Internet
  • We built the first packet telescope

6
Packet telescopes
7
How do you make a packet telescope?
  • Announce the network on the Internet
  • Tell the router to forward all packets of that
    net to a non-existent Ethernet address
    (01:02:03:04:05:06)
  • The router doesn't care that no-one is listening
    to the packets
  • Then listen with tcpdump, ethereal, etc.

8
What we found
  • Backscatter from dying hosts
  • Misconfigured routers, etc.
  • 15-25 MB per day of traffic
  • Steve wrote the paper "There Be Dragons" based on
    the results.

9
Backscatter
  • Some attacks on hosts require that tables be
    full, or the host be too busy to respond
  • Flood it with spoofed packets having random
    return addresses
  • Or chosen to be AT&T, because the phone company
    is evil
  • The (dying) host will emit some responses to the
    spoofed address, and we can see some of them

10
Packet telescopes are used by a number of
researchers today
  • They cover a lot of address space
  • The address spaces covered are kept secret
  • Some are large, obvious spaces
  • Others are mixed in with normal space
  • More on this later

11
Brief history of Internet addressing: 1993
  • Careless allocation seemed to be dooming us
  • My ASCII floor number in our class B network
    135.104.x.0/16
  • Address space was filling up
  • Routers were limited by memory holding all the
    routes on the Internet

12
Simple solution in 1993: more address bits
  • Painful, but not too bad
  • Would have gone into Microsoft Windows: Win 95 was
    in the future
  • IETF had several proposals to change the IP
    packet format to add more address space
  • and do a lot of other stuff, too, unfortunately
  • As long as you are going to change every IP
    stack, let's get something done
  • Politics!

13
(Diagram: the IPv4 address space, 0.0.0.0 to 255.255.255.255)
14
(Diagram: Class D and E networks: multicast)
15
(Diagram: 10.0.0.0/8, RFC 1918 space)
16
(Diagram: 127.0.0.0/8)
17
In 1993, IPv6 was 3 years away
  • (C2 in 92?)

18
But the emergency hasn't come yet, at least in
the US
  • RFC 1918, private address space, is used
    extensively
  • Companies were using IP-blocking firewalls,
    making their own address space
  • At one bank: 50 states -> 50 class A networks
  • Class A/B/C network sizes replaced with CIDR
    blocks, e.g. 209.123.16.96/28
  • ARIN/RIPE/APNIC became very restrictive about
    handing out addresses

19
1999
20
2000
21
2001
22
2002
23
2005
24
IPv6 still 3 years away?
  • Depends

25
ipv6.research.microsoft.com. 15M IN AAAA 131.107.65.121
ipv6.research.microsoft.com. 15M IN AAAA 2002:836b:4179::836b:4179
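The second record is a 6to4 address: the host's IPv4 address 131.107.65.121 is 0x836b4179, and 6to4 (RFC 3056) puts that behind the 2002::/16 prefix, here repeated again in the low 32 bits. The following is an added example, not code from the talk, that derives the address in both directions with Python's standard ipaddress module and adds the check a decapsulating relay or filtering router should make: the IPv6 source inside a 6to4 packet must embed the IPv4 source that carried it, which is one of the abuse cases the 6to4 security considerations (RFC 3964) describe. The function names are my own.

```python
import ipaddress

# Sample input, taken from the slide's record: the IPv4 side of the pair.
IPV4_ADDR = "131.107.65.121"


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """Return the 2002:WWXX:YYZZ::/48 prefix that 6to4 (RFC 3056) assigns
    to a public IPv4 address."""
    v4_addr = ipaddress.IPv4Address(v4)
    if not v4_addr.is_global:
        # 6to4 relays route on the embedded address, so RFC 1918 and other
        # non-global addresses cannot be used.
        raise ValueError(f"{v4} is not a global IPv4 address")
    prefix_int = (0x2002 << 112) | (int(v4_addr) << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def sixtofour_host(v4: str) -> ipaddress.IPv6Address:
    """Host address in the style of the slide: the IPv4 address repeated in the
    low 32 bits. That is a convention, not a rule; any interface identifier
    inside the /48 is valid."""
    prefix = sixtofour_prefix(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def embedded_ipv4(v6: str):
    """Recover the IPv4 address embedded in a 6to4 address, or None if the
    address is not in 2002::/16."""
    return ipaddress.IPv6Address(v6).sixtofour


def outer_inner_consistent(outer_v4_src: str, inner_v6_src: str) -> bool:
    """Consistency check for a relay or a filtering router: the inner IPv6
    source of a 6to4 packet must embed the outer IPv4 source. A mismatch
    means the inner source is spoofed."""
    embedded = embedded_ipv4(inner_v6_src)
    return embedded is not None and embedded == ipaddress.IPv4Address(outer_v4_src)


if __name__ == "__main__":
    print(sixtofour_prefix(IPV4_ADDR))                 # 2002:836b:4179::/48
    print(sixtofour_host(IPV4_ADDR))                   # 2002:836b:4179::836b:4179
    print(embedded_ipv4("2002:836b:4179::836b:4179"))  # 131.107.65.121
    print(outer_inner_consistent("131.107.65.121", "2002:836b:4179::836b:4179"))  # True
    print(outer_inner_consistent("192.0.2.1", "2002:836b:4179::836b:4179"))       # False
```

Because the IPv4 endpoint is recoverable from any 2002::/16 address, a firewall that already has IPv4 rules can apply them to the embedded address rather than treating 6to4 traffic as opaque.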
26
(No Transcript)
27
IPv6 deployment
  • Widely deployed in the Far East, and in the new
    cell phones
  • Europe is getting on board
  • US Government mandate for 2005
  • But what does IPv6 capable really mean?
  • None of the three ISPs I am connected to at home
    or work offer raw IPv6 feeds

28
IPv6 transition
  • 6bone deprecated
  • IPv6 is available through IPv4/IPv6 tunnel
    brokers
  • www.hexago.com (formerly freenet6.net)
  • Easy to set up on Unix hosts, then it Just Works
  • In Windows XP for developers
  • IPv4/IPv6 NAT boxes?
  • Lumeta? We are working on it

29
IPv6
  • Some details

30
IPv4 vs. IPv6 address space (diagram)
  • IPv4: Class A = /8, Class B = /16 (street value,
    1MM?), Class C = /24
  • IPv6: China = /32, soldier = /48, link = /64
31
IPv6 address space
  • /48s seem to be freely available
  • Each US soldier will have one
  • One for each home
  • Easy to hide hosts in that space
  • Hard to administer hosts in that space
  • Some interesting cryptographic and IP hopping
    applications come to mind.

32
soldier /48
  • Host portion is 80 bits
  • Enough for four whole Internets-worth of
    addresses for each cell in the soldier's body
  • Future nanotech really-intranet?
  • Roughly enough to assign an IP address to each
    molecule in one of the soldier's bullets

33
IPv6 technical aspects
  • Addresses aren't as bad as you might think
  • 20015bfe161 (easy to grep!)
  • Address format changes logfile processing
  • Math not easy for processing IPv6 addresses
  • The socket dance must be rewritten
  • It's much cleaner now
  • Not a big deal, but requires changes to every
    legacy Internet program
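The two bullets about logfile processing and address math are the practical pain: one IPv6 host can appear in a log in several textual forms (full, zero-compressed, upper or lower case, bracketed with a port, with a zone id, or as an IPv4-mapped address), so a grep for a single spelling undercounts, and prefix arithmetic that is easy by eye for IPv4 is not for 128-bit addresses. The following is an added example, not code from the talk, that canonicalises addresses from constructed log lines with Python's ipaddress module before counting them, tests prefix membership across both families, and computes the /48 host-bit figures quoted on slides 31 and 32. The function names and log lines are my own.

```python
import ipaddress

# Constructed log lines (not from the talk): the same IPv6 host written four
# different ways, an IPv4-mapped peer, and a link-local address with a zone id.
SAMPLE_LOG = """\
2005-04-07 07:04:28 connect from 209.137.140.29 port 4908
2005-04-07 07:05:01 connect from 2001:db8:0:0:0:0:0:1 port 5000
2005-04-07 07:05:02 connect from [2001:DB8::1]:5001
2005-04-07 07:05:03 connect from 2001:db8::1 port 5002
2005-04-07 07:05:04 connect from 2001:0db8:0000:0000:0000:0000:0000:0001 port 5003
2005-04-07 07:06:10 connect from ::ffff:192.0.2.9 port 443
2005-04-07 07:07:00 connect from fe80::1%eth0 port 22
"""


def extract_address(token):
    """Interpret one whitespace-separated log token as an IP address, or return
    None. Handles [v6]:port, link-local zone ids and IPv4-mapped IPv6.
    Timestamps such as 07:04:28 are rejected because they are not valid
    addresses (too few groups and no '::')."""
    tok = token.strip(",;")
    if tok.startswith("["):                  # [2001:db8::1]:5001
        tok = tok[1:].split("]", 1)[0]
    tok = tok.split("%", 1)[0]               # fe80::1%eth0 -> fe80::1
    try:
        addr = ipaddress.ip_address(tok)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped              # ::ffff:192.0.2.9 is an IPv4 peer
    return addr


def first_address(line):
    """The first token on the line that parses as an address, or None."""
    for tok in line.split():
        addr = extract_address(tok)
        if addr is not None:
            return addr
    return None


def count_sources(log_text):
    """Count hits per peer keyed by the canonical (compressed, lower-case) form,
    so the four spellings of 2001:db8::1 collapse into one entry."""
    counts = {}
    for line in log_text.splitlines():
        addr = first_address(line)
        if addr is not None:
            key = str(addr)
            counts[key] = counts.get(key, 0) + 1
    return counts


def in_prefix(addr_text, prefix_text):
    """Prefix membership; an IPv4 address is never inside an IPv6 prefix."""
    addr = extract_address(addr_text)
    return addr is not None and addr in ipaddress.ip_network(prefix_text, strict=False)


def host_bits(prefix_text):
    """Number of host bits below a prefix (80 for an IPv6 /48, 24 for an IPv4 /8)."""
    net = ipaddress.ip_network(prefix_text, strict=False)
    return net.max_prefixlen - net.prefixlen


def ipv4_internets(prefix_text):
    """How many whole IPv4 address spaces (2^32) fit in the host part of a prefix."""
    return 2 ** host_bits(prefix_text) // 2 ** 32


if __name__ == "__main__":
    for peer, n in sorted(count_sources(SAMPLE_LOG).items()):
        print(f"{n:3d} {peer}")
    print(host_bits("2001:db8:1234::/48"), "host bits in a /48")
    print(ipv4_internets("2001:db8:1234::/48"), "IPv4 Internets per /48")
```

Keying on `str(ipaddress.ip_address(...))` is the single change that makes IPv6 log processing reliable; string comparison and grep both fail on the zero-compression and case variants shown in the sample.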

34
IPv6 dead ends
  • Google-based research will lead you down recently
    abandoned dead ends
  • A6 came and went, AAAA is what to use
  • Link level addressing is deprecated
  • The 6bone is dying, don't go there
  • Use of the bottom 128 - 48 = 80 bits not really
    settled

35
Conversion issues
  • IPv4-only hardware: IPv6 not available in some
    routers, wireless base stations, hubs, etc.
  • Programmers have to relearn the socket dance
  • Address format changes logfile processing
  • Have to replicate a whole new set of firewall
    rules

36
IPv6 pending problems
  • chicken-and-egg startup
  • DNS entries too small to hold all the root AAAA
    records
  • Asset management?

37
Reasons to go to IPv6
  • Address space stops being a problem
  • Because the government policy says so
  • There could be useful IPv6-only sites
  • Early adopters (i.e. China) can restrict access
    to the IPv4 world
  • Perhaps worm spreads might be slowed
  • See below

38
Reasons not to go to IPv6
  • Unnecessary expense for corporations using
    private address space
  • Unsupported by most cheap devices (cable modems,
    base stations, etc.)
  • Not really there yet: some standards unsettled

39
Who are the early adopters?
  • China and Japan: didn't receive very large
    initial IPv4 allocations
  • Nascent industries: IP for cell phones
  • US government, supposedly

40
IPv6 is still three years away
  • From general acceptance
  • There are more than a thousand out there right
    now
  • IPv4 has nearly 200,000

41
Some IPv6 web sites
  • www.ipv6.org
  • www.ipv6forum.com
  • vendors
  • www.hexago.com
  • Free IPv6 brokering

42
More on the Telescopes
  • Watching today's evil

43
How do you make a packet telescope? Part 2.
  • Choose some unused IP addresses
  • Space near other in-use address space is more
    likely to get hit
  • Have a host publish permanent ARP entries for
    each address
  • arp -s 209.123.16.100 01:02:03:04:05:06 pub
  • The router doesn't care that nobody is listening
  • Then listen with tcpdump, ethereal, etc.

44
Internet background radiation
  • 209.123.16.100/30: a packet telescope with four
    addresses
  • 6 probes per hour per address
  • Results vary depending on who is next door to
    you in Internet addressing (i.e. shares an ISP)

45
Thursday, 4 addresses, res./com. network (nac.net)
  • first half of Thursday
  • 4 addresses
  • residential/commercial network (nac.net)
  • Nothing in DNS or web about these addresses
  • No Windows PCs here

46
Traffic by hour
b:/var/tmp$ cut -d: -f1 x | sort | uniq -c | awk '{x=""; for (i=1; i<$1; i++) x = x "*"; print $2, $1, x}'
(the pipes, colons and quoted bar character of the command did not survive extraction; "*" is assumed, and the bars themselves are missing from the output below)
Hour  Probes
00    67
01    30
02    37
03    47
04    42
05    42
06    54
07    28
08    46
09    37
10    18

47
Attack distribution by address
209.123.16.100  111
209.123.16.101   95
209.123.16.102  114
209.123.16.103  127
48
07:04:28.194878 IP 209.137.140.29.4908 > 209.123.16.103.135: S 3234716732:3234716732(0) win 16
07:07:34.165401 IP 209.11.240.115.4470 > 209.123.16.103.445: S 2381400493:2381400493(0) win 16
07:15:17.085918 IP 209.7.49.222.2681 > 209.123.16.101.135: S 2806496091:2806496091(0) win 1638
07:17:48.786333 IP 209.137.231.71.1825 > 209.123.16.103.135: S 1479393988:1479393988(0) win 87
07:18:51.474861 IP 219.145.170.26.3178 > 209.123.16.103.1434: UDP, length 376
07:23:32.286715 IP 209.239.14.76.3293 > 209.123.16.100.135: S 269840468:269840468(0) win 64240
07:24:50.831650 IP 200.27.150.160.1078 > 209.123.16.100.1434: UDP, length 376
07:25:04.705014 IP 209.77.237.109.1977 > 209.123.16.103.135: S 2766732623:2766732623(0) win 64
07:26:57.976816 IP 211.175.182.185.6000 > 209.123.16.100.1433: S 1132396544:1132396544(0) win
07:26:57.980013 IP 211.175.182.185.6000 > 209.123.16.103.1433: S 974782464:974782464(0) win 16
07:26:57.984673 IP 211.175.182.185.6000 > 209.123.16.102.1433: S 2010251264:2010251264(0) win
07:26:57.988127 IP 211.175.182.185.6000 > 209.123.16.101.1433: S 148832256:148832256(0) win 16
07:31:12.193510 IP 209.116.102.97.4415 > 209.123.16.102.135: S 2243180210:2243180210(0) win 64
07:37:01.279847 IP 61.147.119.92.80 > 209.123.16.103.15439: S 1394506562:1394506562(0) ack 157
07:38:23.276307 IP 209.11.240.139.3691 > 209.123.16.103.135: S 208658438:208658438(0) win 6553
07:39:33.883035 IP 209.11.240.139.4643 > 209.123.16.102.135: S 2559356627:2559356627(0) win 65
07:41:33.970959 IP 209.11.240.139.1053 > 209.123.16.100.135: S 1218141503:1218141503(0) win 65
07:46:19.098466 IP 209.123.117.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 1
07:46:22.092386 IP 209.123.117.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 1
07:46:48.374438 IP 209.123.117.250.4325 > 209.123.16.103.445: S 2521576092:2521576092(0) win 1
07:46:51.363928 IP 209.123.117.250.4325 > 209.123.16.103.445: S 2521576092:2521576092(0) win 1
07:51:45.253869 IP 209.7.49.222.4655 > 209.123.16.101.135: S 140404696:140404696(0) win 16384
07:52:11.682851 IP 209.123.117.250.3593 > 209.123.16.102.445: S 2944460873:2944460873(0) win 1
07:52:14.653648 IP 209.123.117.250.3593 > 209.123.16.102.445: S 2944460873:2944460873(0) win 1
07:53:01.116268 IP 209.123.117.250.4668 > 209.123.16.100.445: S 3009370338:3009370338(0) win 1
07:53:04.042178 IP 209.123.117.250.4668 > 209.123.16.100.445: S 3009370338:3009370338(0) win 1
07:54:14.805373 IP 209.123.117.250.2398 > 209.123.16.102.445: S 3105685114:3105685114(0) win 1
07:54:17.772847 IP 209.123.117.250.2398 > 209.123.16.102.445: S 3105685114:3105685114(0) win 1
49
IP source address count
 98 209.123.117.250
 31 222.88.173.5
 26 209.11.240.139
 21 195.92.95.61
 13 220.179.123.85
 11 222.248.96.249
  9 209.116.102.97
  9 209.11.240.115
  8 61.152.239.150
  8 211.185.208.65
  8 209.82.176.43
  8 209.215.20.79
  8 209.161.170.208
  8 209.12.135.83
  6 204.141.115.75
  6 61.235.154.104
  5 222.88.60.22
  4 209.7.49.222
  4 84.56.28.102
  4 67.10.6.128
  4 218.172.117.90
  4 218.108.175.109
  4 212.194.206.163
  4 211.175.182.185
  4 209.90.146.22
  4 209.82.169.44
  4 209.122.226.106
  4 192.168.1.45
  3 61.152.252.235
  3 221.214.42.125
  3 218.83.154.115
  3 209.99.225.79
  3 209.77.237.109
  3 209.215.59.208
  3 209.175.204.220
  3 209.137.140.29
  2 84.156.85.78
  2 81.130.123.202
  2 80.228.91.231
  2 70.60.120.185
  2 61.186.250.42
  2 222.149.180.50
  2 218.75.231.165
  2 218.204.84.211
  2 211.140.254.58
  2 209.82.168.29
  2 209.47.91.210
  2 209.42.36.2
  2 209.39.34.83
  2 209.30.250.158
  2 209.249.28.107
  2 209.239.5.6
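The per-hour, per-address and per-source tallies on the last four slides are the whole analysis pipeline of a small telescope: parse the tcpdump lines, count them three ways, and look at what is left. The following is an added example, not code from the talk, that does this in Python and also separates the packet classes the next slide names: plain SYN probes, UDP probes, and SYN/ACK backscatter from a host answering a spoofed SYN (the one line from port 80 carrying `ack`). It also collapses TCP retransmissions, which are visible on slide 48 as pairs of SYNs three seconds apart with the same sequence number. The sample lines are copied from slide 48 with the timestamp and sequence-number colons restored, except the final 08:xx line, which is constructed to give a second hour; the function names are my own.

```python
import re
from collections import Counter

# Sample capture: lines from slide 48 (colons restored), plus one constructed
# line in the next hour so the per-hour tally has two buckets.
SAMPLE = """\
07:04:28.194878 IP 209.137.140.29.4908 > 209.123.16.103.135: S 3234716732:3234716732(0) win 16
07:18:51.474861 IP 219.145.170.26.3178 > 209.123.16.103.1434: UDP, length 376
07:26:57.976816 IP 211.175.182.185.6000 > 209.123.16.100.1433: S 1132396544:1132396544(0) win
07:26:57.980013 IP 211.175.182.185.6000 > 209.123.16.103.1433: S 974782464:974782464(0) win 16
07:37:01.279847 IP 61.147.119.92.80 > 209.123.16.103.15439: S 1394506562:1394506562(0) ack 157
07:46:19.098466 IP 209.123.117.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 1
07:46:22.092386 IP 209.123.117.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 1
08:02:11.000000 IP 209.123.117.250.3593 > 209.123.16.102.445: S 2944460873:2944460873(0) win 1
"""

# tcpdump's default IPv4 line: "HH:MM:SS.frac IP src.sport > dst.dport: flags ..."
LINE_RE = re.compile(
    r"^(?P<hour>\d\d):\d\d:\d\d\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
SEQ_RE = re.compile(r"S (\d+):\d+\(\d+\)")


def parse(line):
    """Parse one tcpdump line into a dict, or return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec["rest"]
    if rest.startswith("UDP"):
        rec["kind"] = "udp"                # e.g. the 376-byte UDP/1434 probes
    elif rest.startswith("S ") and " ack " in rest:
        rec["kind"] = "backscatter"        # SYN/ACK: a victim answering a spoofed SYN
    elif rest.startswith("S "):
        rec["kind"] = "syn"                # a plain connection probe
    else:
        rec["kind"] = "other"
    sm = SEQ_RE.search(rest)
    rec["seq"] = sm.group(1) if sm else None
    return rec


def parse_all(text):
    return [r for r in (parse(l) for l in text.splitlines()) if r]


def by_hour(records):
    """Same tally as the slide's cut/sort/uniq/awk pipeline."""
    return dict(Counter(r["hour"] for r in records))


def by_dest(records):
    """Hits per telescope address (slide 47)."""
    return dict(Counter(r["dst"] for r in records))


def top_sources(records, n=3):
    """Most active source addresses (slide 49)."""
    return Counter(r["src"] for r in records).most_common(n)


def kinds(records):
    return dict(Counter(r["kind"] for r in records))


def unique_probes(records):
    """Collapse TCP retransmissions: same 5-tuple and same initial sequence
    number is the same probe, not a second one."""
    keys = {(r["src"], r["sport"], r["dst"], r["dport"], r["seq"]) for r in records}
    return len(keys)


def histogram(counts, width=40):
    """Bar chart in the spirit of the awk one-liner, scaled to the largest bucket."""
    biggest = max(counts.values()) if counts else 1
    return "\n".join(f"{k} {v:4d} {'*' * (v * width // biggest)}"
                     for k, v in sorted(counts.items()))


if __name__ == "__main__":
    recs = parse_all(SAMPLE)
    print(histogram(by_hour(recs)))
    print(by_dest(recs))
    print(top_sources(recs))
    print(kinds(recs), "unique probes:", unique_probes(recs))
```

Separating backscatter from probes matters when reading a telescope: a SYN/ACK arriving at an address nobody uses says something about a third party under attack, not about a scanner, and counting it as a probe inflates the "6 probes per hour per address" figure.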
50
Attack sources
36.dsli.com 43-176-82-209.g-net.net 56k.execulink.com a.dns.kr
adsl.alicedsl.de ariston.netcraft.com biz.rr.com bumttx.swbell.net
customer.vpls.net cydc.com.br d4.club-internet.fr dhcp.transact.bm
dialup.rcn.com dip.t-dialin.net dns1.ntli.net dns1.xspedius.net
dsl-xxx.arcor-ip.net dynamic.hinet.net ev1s-xxx.ev1servers.net
fbx.proxad.net guangzhou.gd.cn hosfio.org.ar hsia.telus.net
in-addr.btopenworld.com jan.bellsouth.net jax.bellsouth.net
jukebox.e-migrate.com k12.il.us kinc.cablerocket.net mesh.ad.jp
nosp3-xxx.i-55.com ns.cnmobile.net ns.uunet.ca ns01.unicom-alaska.com
ns1.apnic.net ns1.hzman.net ns1.nac.net ns1.telehouse.com ns1.yipes.com
nsf.algx.net ocn.ne.jp odo.warpspeed.com online.ln.cn prisoner.iana.org
ptt.js.cn pubnet.ne.kr res.rr.com rev.gaoland.net sdjnptt.net.cn
snfc21.pacbell.net sta.net.cn sunprairie.visionsystems.tv tj.unn.no
tor.primus.ca us.xo.net zjhzptt.net.cn
51
What are these packets, and where do they come
from?
  • Infection packets from worms and viruses
  • Bot nets searching for new potential victims
  • Backscatter from hosts attacked with random
    spoofed source addresses
  • The last cry of dying hosts

52
Can IPv6 stop these kinds of attacks?
  • Sort of

53
Will this protect us from probing malware?
  • A little, but the short answer is no
  • Sniffing
  • Routing tables
  • 1

54
Dangerous idea
  • IP-address hopping as SOP

55
link /64
  • We are supposed to do special, host-specific
    things with the bottom 64 bits
  • 12 bits Ethernet
  • 1
  • Nonsense! How about a separate IP address for
    each conversation with the host
  • Every host is a network
  • Spread-spectrum, or frequency-hopping

56
This would break a lot of things
  • Flows
  • DHCP assumptions
  • ARP tables in the local router. Oops.
  • Dynamic Ethernet address processing, no ARP
    tables
  • Corporate asset management is an unaddressed
    problem, and an important need
  • Spooks care: where has that laptop connected
    before?

57
(No Transcript)