1 of 75mapping the internet and intranets. 75 slides mapping the internet and intranets bill...
TRANSCRIPT
![Page 1: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/1.jpg)
1 of 75Mapping the Internet and Intranets
![Page 3: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/3.jpg)
3 of 75Mapping the Internet and Intranets
Motivations
• Intranets are out of control– Always have been
• Highlands “day after” scenario
• Panix DOS attacks– a way to trace
anonymous packets back!
• Internet tomography
• Curiosity about size and growth of the Internet
• Same tools are useful for understanding any large network, including intranets
![Page 4: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/4.jpg)
4 of 75Mapping the Internet and Intranets
Related Work
• See Martin Dodge’s cyber geography page
• MIDS - John Quarterman
• CAIDA - kc claffy
• Mercator
• “Measuring ISP topologies with rocketfuel” - 2002– Spring, Mahajan, Wetherall
• Enter “internet map” in your search engine
![Page 5: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/5.jpg)
5 of 75Mapping the Internet and Intranets
The Goals
• Long term reliable collection of Internet and Lucent connectivity information– without annoying
too many people
• Attempt some simple visualizations of the data
– movie of Internet growth!
• Develop tools to probe intranets
• Probe the distant corners of the Internet
![Page 6: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/6.jpg)
6 of 75Mapping the Internet and Intranets
Methods - data collection
• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full scan
• One line of text per network scanned– Unix tools
![Page 7: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/7.jpg)
7 of 75Mapping the Internet and Intranets
Methods - network scanning
• Obtain master network list– network lists from Merit, RIPE, APNIC, etc.– BGP data or routing data from customers– hand-assembled list of Yugoslavia/Bosnia
• Run a traceroute-style scan towards each network
• Stop on error, completion, no data– Keep the natives happy
![Page 8: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/8.jpg)
8 of 75Mapping the Internet and Intranets
TTL probes
• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
• Some people block UDP, others ICMP
![Page 9: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/9.jpg)
9 of 75Mapping the Internet and Intranets
TTL probes
Application level
TCP/UDP
IP
Hardware
Client
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
Application level
TCP/UDP
IP
Hardware
Server
Hop 1 Hop 2 Hop 3
Hop 3Hop 4
![Page 10: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/10.jpg)
10 of 75Mapping the Internet and Intranets
Send a packet with a TTL of 1…
Application level
TCP/UDP
IP
Hardware
Client
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
Application level
TCP/UDP
IP
Hardware
Server
Hop 1 Hop 2 Hop 3
Hop 3Hop 4
![Page 11: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/11.jpg)
11 of 75Mapping the Internet and Intranets
…and we get the death notice from the first hop
Application level
TCP/UDP
IP
Hardware
Client
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
Application level
TCP/UDP
IP
Hardware
Server
Hop 1 Hop 2 Hop 3
Hop 3Hop 4
![Page 12: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/12.jpg)
12 of 75Mapping the Internet and Intranets
Send a packet with a TTL of 2…
Application level
TCP/UDP
IP
Hardware
Client
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
Application level
TCP/UDP
IP
Hardware
Server
Hop 1 Hop 2 Hop 3
Hop 3Hop 4
![Page 13: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/13.jpg)
13 of 75Mapping the Internet and Intranets
… and so on …
Application level
TCP/UDP
IP
Hardware
Client
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
Application level
TCP/UDP
IP
Hardware
Server
Hop 1 Hop 2 Hop 3
Hop 3Hop 4
![Page 14: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/14.jpg)
14 of 75Mapping the Internet and Intranets
Advantages
• We don’t need access (I.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types
![Page 15: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/15.jpg)
15 of 75Mapping the Internet and Intranets
Limitations
• Outgoing paths only
• Level 3 (IP) only– ATM networks appear as a single node– This distorts graphical analysis
• Not all routers respond
• Many routers limited to one response per second
![Page 16: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/16.jpg)
16 of 75Mapping the Internet and Intranets
Limitations
• View is from scanning host only
• Takes a while to collect alternating paths
• Gentle mapping means missed endpoints
• Imputes non-existent links
![Page 17: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/17.jpg)
17 of 75Mapping the Internet and Intranets
The data can go either way
A
E F
D
B C
![Page 18: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/18.jpg)
18 of 75Mapping the Internet and Intranets
The data can go either way
A
E F
D
B C
![Page 19: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/19.jpg)
19 of 75Mapping the Internet and Intranets
But our test packets only go part of the way
A
E F
D
B C
![Page 20: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/20.jpg)
20 of 75Mapping the Internet and Intranets
We record the hop…
A
E F
D
B C
![Page 21: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/21.jpg)
21 of 75Mapping the Internet and Intranets
The next probe happens to go the other way
A
E F
D
B C
![Page 22: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/22.jpg)
22 of 75Mapping the Internet and Intranets
…and we record the other hop…
A
E F
D
B C
![Page 23: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/23.jpg)
23 of 75Mapping the Internet and Intranets
We’ve imputed a link that doesn’t exist
A
E F
D
B C
![Page 24: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/24.jpg)
24 of 75Mapping the Internet and Intranets
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• Military noticed immediately– Steve Northcutt– arrangements/warnings to DISA and CERT
• These complaints are mostly a thing of the past– Internet background radiation
predominates
![Page 25: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/25.jpg)
25 of 75Mapping the Internet and Intranets
Visualization goals
• make a map– show interesting features– debug our database and collection
methods– hard to fold up
• geography doesn’t matter
• use colors to show further meaning
![Page 26: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/26.jpg)
26 of 75Mapping the Internet and Intranets
![Page 27: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/27.jpg)
27 of 75Mapping the Internet and Intranets
![Page 28: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/28.jpg)
28 of 75Mapping the Internet and Intranets
Infovis state-of-the-art in 1998
• 800 nodes was a huge graph
• We had 100,000 nodes
• Use spring-force simulation with lots of empirical tweaks
• Each layout needed 20 hours of Pentium time
![Page 29: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/29.jpg)
29 of 75Mapping the Internet and Intranets
![Page 30: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/30.jpg)
75 slides
Visualization of the layout algorithm
Laying out the Internet graph
![Page 31: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/31.jpg)
31 of 75Mapping the Internet and Intranets
![Page 32: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/32.jpg)
75 slides
Visualization of the layout algorithm
Laying out an intranet
![Page 33: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/33.jpg)
33 of 75Mapping the Internet and Intranets
![Page 34: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/34.jpg)
34 of 75Mapping the Internet and Intranets
A simplified map
• Minimum distance spanning tree uses 80% of the data
• Much easier visualization
• Most of the links still valid
• Redundancy is in the middle
![Page 35: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/35.jpg)
35 of 75Mapping the Internet and Intranets
Colored byAS number
![Page 36: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/36.jpg)
36 of 75Mapping the Internet and Intranets
Map Coloring
• distance from test host
• IP address– shows communities
• Geographical (by TLD)
• ISPs
• future– timing, firewalls, LSRR blocks
![Page 37: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/37.jpg)
37 of 75Mapping the Internet and Intranets
Colored by IP address!
![Page 38: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/38.jpg)
38 of 75Mapping the Internet and Intranets
Colored by geography
![Page 39: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/39.jpg)
39 of 75Mapping the Internet and Intranets
Colored by ISP
![Page 40: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/40.jpg)
40 of 75Mapping the Internet and Intranets
Colored by distancefrom scanning host
![Page 41: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/41.jpg)
41 of 75Mapping the Internet and Intranets
US militaryreached by ICMP ping
![Page 42: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/42.jpg)
42 of 75Mapping the Internet and Intranets
US military networksreached by UDP
![Page 43: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/43.jpg)
43 of 75Mapping the Internet and Intranets
![Page 44: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/44.jpg)
44 of 75Mapping the Internet and Intranets
![Page 45: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/45.jpg)
45 of 75Mapping the Internet and Intranets
History of the Project
• Started in August 1998 at Bell Labs
• April-June 1999: Yugoslavia mapping
• July 2000: first customer intranet scanned
• Sept. 2000: spun off Lumeta from Lucent/Bell Labs
![Page 46: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/46.jpg)
75 slides
Yugoslavia
An unclassified peek at a new battlefield
![Page 47: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/47.jpg)
47 of 75Mapping the Internet and Intranets
![Page 48: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/48.jpg)
75 slides
Un film par Steve “Hollywood” Branigan...
![Page 49: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/49.jpg)
49 of 75Mapping the Internet and Intranets
![Page 50: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/50.jpg)
75 slides
fin
![Page 51: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/51.jpg)
75 slides
Intranets: the rest of the Internet
![Page 52: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/52.jpg)
52 of 75Mapping the Internet and Intranets
The Pretty GoodWall of China
![Page 53: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/53.jpg)
53 of 75Mapping the Internet and Intranets
![Page 54: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/54.jpg)
54 of 75Mapping the Internet and Intranets
![Page 55: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/55.jpg)
55 of 75Mapping the Internet and Intranets
![Page 56: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/56.jpg)
56 of 75Mapping the Internet and Intranets
![Page 57: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/57.jpg)
57 of 75Mapping the Internet and Intranets
![Page 58: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/58.jpg)
58 of 75Mapping the Internet and Intranets
This wasSupposedTo be aVPN
![Page 59: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/59.jpg)
59 of 75Mapping the Internet and Intranets
![Page 60: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/60.jpg)
60 of 75Mapping the Internet and Intranets
![Page 61: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/61.jpg)
75 slides
Anything large enough to be called
an “intranet” isout of control
![Page 62: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/62.jpg)
62 of 75Mapping the Internet and Intranets
Case studies: corp. networksSome intranet statistics
Min MaxIntranet sizes (devices) 7,900 365,000Corporate address space 81,000 745,000,000% devices in unknown address space 0.01% 20.86%
% routers responding to "public" 0.14% 75.50%% routers responding to other 0.00% 52.00%
Outbound host leaks on network 0 176,000% devices with outbound ICMP leaks 0% 79%% devices with outbound UDP leaks 0% 82%
Inbound UDP host leaks 0 5,800% devices with inbound ICMP leaks 0% 11%% devices with inbound UDP leaks 0% 12%% hosts running Windows 36% 84%
![Page 63: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/63.jpg)
75 slides
Leak Detection
Lumeta’s “special sauce”
![Page 64: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/64.jpg)
64 of 75Mapping the Internet and Intranets
The second technology: host leak detection
• Developed to find hosts that have access to both intranet and Internet
• Or across any privilege boundary
• Leaking hosts do not route between the networks
• May be a dual-homed host
• Not always a bad thing
• Technology didn’t exist to find these
![Page 65: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/65.jpg)
65 of 75Mapping the Internet and Intranets
Possible host leaks
• Miss-configured telecommuters connecting remotely
• VPNs that are broken
• DMZ hosts with too much access
• Business partner networks
• Internet connections by rogue managers
• Modem links to ISPs
![Page 66: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/66.jpg)
66 of 75Mapping the Internet and Intranets
Leak results
• Found home web businesses
• At least two clients have tapped leaks– One made front page news
• From the military: “the republic is a little safer”
![Page 67: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/67.jpg)
67 of 75Mapping the Internet and Intranets
Leak Detection Prerequisites
• List of potential leakers: obtained by census
• Access to intranet
• Simultaneous availability of a “mitt”
![Page 68: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/68.jpg)
68 of 75Mapping the Internet and Intranets
Leak Detection Layout
Internet intranet
Mapping hostA
Test hostB
mittD
C
• Mapping host with address A is connected to the intranet
• Mitt with address D has Internet access
• Mapping host and mitt are currently the same host, with two interfaces
![Page 69: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/69.jpg)
69 of 75Mapping the Internet and Intranets
Leak Detection
Internet intranet
Mapping hostA
Test hostB
mittD
C
• Test host has known address B on the intranet
• It was found via census
• We are testing for unauthorized access to the Internet, possibly through a different address, C
![Page 70: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/70.jpg)
70 of 75Mapping the Internet and Intranets
Leak Detection
Internet intranet
Mapping hostA
Test hostB
mittD
C
• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface
![Page 71: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/71.jpg)
71 of 75Mapping the Internet and Intranets
Leak Detection
Internet intranet
Mapping hostA
Test hostB
mittD
C
• Packet must be crafted so the response won’t be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from
![Page 72: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/72.jpg)
72 of 75Mapping the Internet and Intranets
Inbound Leak Detection
Internet intranet
Mapping hostA
Test hostB
mittD
C
• This direction is usually more important
• It all depends on the site policy…
• …so many leaks might be just fine.
![Page 73: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/73.jpg)
73 of 75Mapping the Internet and Intranets
Inbound Leak Detection
Internet intranet
Mapping hostA
Test hostB
mittD
C
![Page 74: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/74.jpg)
74 of 75Mapping the Internet and Intranets
Honeyd – network emulation
• Anti-hacking tools by Niels Provos at citi.umich.edu
• Can respond as one or more hosts
• I am configuring it to look like an entire client’s network
• Useful for testing and debugging
• Product?
![Page 75: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/75.jpg)
75 of 75Mapping the Internet and Intranets
Some Lumeta lessons
• Reporting is the really hard part– Converting data to information
• “Tell me how we compare to other clients”
• Offering a service was good practice, for a while
• We have >70 Fortune-200 companies and government agencies as clients
![Page 76: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/76.jpg)
75 slides
Open questions and future work
![Page 77: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/77.jpg)
77 of 75Mapping the Internet and Intranets
How do you analyze a large graph over time?
• Five years of Internet data, mostly unanalyzed
• Alternate paths to a target country
• Sample insight: “Poland was off the Internet yesterday”
• Placement of monitoring tools?
• Compute a display differences between two complex graphs
![Page 78: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/78.jpg)
78 of 75Mapping the Internet and Intranets
Visualizations
• These graphs are too big for a piece of paper
• Various approaches available, but none really satisfactory
• Build visualization graph as the data comes in, and as the network evolves
![Page 79: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/79.jpg)
79 of 75Mapping the Internet and Intranets
![Page 81: 1 of 75Mapping the Internet and Intranets. 75 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com](https://reader036.vdocuments.mx/reader036/viewer/2022062511/5516a356550346f0208b4d3c/html5/thumbnails/81.jpg)
81 of 75Mapping the Internet and Intranets