
Clear and Present Dangers



Presentation Transcript


  1. Clear and Present Dangers Bill Cheswick Lumeta Corp. ches@lumeta.com

  2. Clear and Present Dangers Perimeter Leaks Poor host security

  3. Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com http://www.cheswick.com

  4. Motivations • Intranets are out of control • Always have been • Highlands “day after” scenario • Panix DOS attacks: a way to trace anonymous packets back! • Internet tomography • Curiosity about size and growth of the Internet • Same tools are useful for understanding any large network, including intranets

  5. Related Work • See Martin Dodge’s cyber geography page • MIDS - John Quarterman • CAIDA - kc claffy • Mercator • “Measuring ISP topologies with rocketfuel” - 2002 • Spring, Mahajan, Wetherall • Enter “internet map” in your search engine

  6. The Goals • Long term reliable collection of Internet and Lucent connectivity information without annoying too many people • Attempt some simple visualizations of the data • Movie of Internet growth! • Develop tools to probe intranets • Probe the distant corners of the Internet

  7. Methods - data collection • Single reliable host connected at the company perimeter • Daily full scan of Lucent • Daily partial scan of Internet, monthly full scan • One line of text per network scanned • Unix tools

  8. Methods - network scanning • Obtain master network list: network lists from Merit, RIPE, APNIC, etc.; BGP data or routing data from customers; hand-assembled list of Yugoslavia/Bosnia • Run a traceroute-style scan towards each network • Stop on error, completion, no data • Keep the natives happy

  9. TTL probes • Used by traceroute and other tools • Probes toward each target network with increasing TTL • Probes are ICMP, UDP, TCP to port 80, 25, 139, etc. • Some people block UDP, others ICMP

  10. TTL probes (diagram: client, routers at hops 1 to 4, server; application / TCP-UDP / IP / hardware layers per node)

  11. Send a packet with a TTL of 1… (same diagram)

  12. …and we get the death notice from the first hop (same diagram)

  13. Send a packet with a TTL of 2… (same diagram)

  14. … and so on … (same diagram)

  15. Advantages • We don’t need access (i.e. SNMP) to the routers • It’s very fast • Standard Internet tool: it doesn’t break things • Insignificant load on the routers • Not likely to show up on IDS reports • We can probe with many packet types

  16. Limitations • Outgoing paths only • Level 3 (IP) only • ATM networks appear as a single node • This distorts graphical analysis • Not all routers respond • Many routers limited to one response per second

  17. Limitations • View is from scanning host only • Takes a while to collect alternating paths • Gentle mapping means missed endpoints • Imputes non-existent links

  18. The data can go either way (diagram: nodes A, B, C, D, E, F with two alternative paths)

  19. The data can go either way (same diagram)

  20. But our test packets only go part of the way (same diagram)

  21. We record the hop… (same diagram)

  22. The next probe happens to go the other way (same diagram)

  23. …and we record the other hop… (same diagram)

  24. We’ve imputed a link that doesn’t exist (same diagram)
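The hop-by-hop TTL probing of slides 9 to 14 and the imputed-link sequence of slides 18 to 24, as an added Python simulation that is not part of the talk: a constructed two-path topology, a probe that expires at the hop on whichever path the network picks for that probe's flow id, and a naive mapper that chains consecutive hops into links, beside a variant that keeps the flow id constant across TTLs so the probes stay on one path (all names and the topology are assumptions).

```python
# Added example, not from the talk: traceroute-style TTL probing over a
# constructed topology with two equal-cost paths, showing how per-probe
# path selection makes a naive mapper impute a link that does not exist.

# Constructed topology: scanning host A reaches target F via
# A-B-D-F or A-C-E-F (the slides' "data can go either way").
PATHS = {
    0: ["A", "B", "D", "F"],
    1: ["A", "C", "E", "F"],
}
TRUE_LINKS = {(p[i], p[i + 1]) for p in PATHS.values()
              for i in range(len(p) - 1)}


def send_probe(ttl: int, flow_id: int) -> str:
    """Return the node that answers a probe sent with this TTL: the router
    `ttl` hops out on the path the network picks for this flow id (standing
    in for a per-packet hash of the probe's headers)."""
    path = PATHS[flow_id % 2]
    return path[min(ttl, len(path) - 1)]   # hop 0 is the scanning host


def trace(flow_ids):
    """Probe with TTL 1, 2, 3, ... using one flow id per probe.
    Returns the recorded hop list and the links a naive mapper infers by
    chaining consecutive hops; stops on completion (target reached)."""
    hops = ["A"]
    for ttl, fid in enumerate(flow_ids, start=1):
        hops.append(send_probe(ttl, fid))
        if hops[-1] == "F":
            break
    links = {(hops[i], hops[i + 1]) for i in range(len(hops) - 1)}
    return hops, links


def imputed_links(links):
    """Links the mapper recorded that are not in the real topology."""
    return links - TRUE_LINKS


# Classic traceroute: each probe differs in its headers, so the path flips
# between probes and the mapper records B followed by E (no such link).
naive_hops, naive_links = trace([0, 1, 0, 1])

# Same probes with a constant flow id: every TTL follows the same path.
stable_hops, stable_links = trace([0, 0, 0, 0])
```

Comparing `imputed_links(naive_links)` with `imputed_links(stable_links)` shows the phantom B to E link in the first run and none in the second.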

  25. Data collection complaints • Australian parliament was the first to complain • List of whiners (25 nets) • Military noticed immediately • Steve Northcutt: arrangements/warnings to DISA and CERT • These complaints are mostly a thing of the past • Internet background radiation predominates

  26. Visualization goals • make a map • show interesting features • debug our database and collection methods • hard to fold up • geography doesn’t matter • use colors to show further meaning

  27. Infovis state-of-the-art in 1998 • 800 nodes was a huge graph • We had 100,000 nodes • Use spring-force simulation with lots of empirical tweaks • Each layout needed 20 hours of Pentium time

  28. Visualization of the layout algorithm Laying out the Internet graph

  29. Visualization of the layout algorithm Laying out an intranet

  30. A simplified map • Minimum distance spanning tree uses 80% of the data • Much easier visualization • Most of the links still valid • Redundancy is in the middle

  31. Colored by AS number

  32. Map Coloring • distance from test host • IP address shows communities • Geographical (by TLD) • ISPs • future: timing, firewalls, LSRR blocks

  33. Colored by IP address!

  34. Colored by geography

  35. Colored by ISP

  36. Colored by distance from scanning host

  37. US military reached by ICMP ping

  38. US military networks reached by UDP

  39. Yugoslavia An unclassified peek at a new battlefield

  40. A film by Steve “Hollywood” Branigan...
