Mapping the Internet and Intranets

2. Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com http://www.cheswick.com

3. Intranets are out of control Always have been Highlands “day after” scenario Panix DOS attacks a way to trace anonymous packets back! Internet tomography Curiosity about size and growth of the Internet Same tools are useful for understanding any large network, including intranets Motivations

4. Related Work • See Martin Dodge’s cyber geography page • MIDS - John Quarterman • CAIDA - kc claffy • Mercator • “Measuring ISP topologies with rocketfuel” - 2002 • Spring, Mahajan, Wetherall • Enter “internet map” in your search engine

5. Long term reliable collection of Internet and Lucent connectivity information without annoying too many people Attempt some simple visualizations of the data movie of Internet growth! Develop tools to probe intranets Probe the distant corners of the Internet The Goals

6. Methods - data collection Single reliable host connected at the company perimeter Daily full scan of Lucent Daily partial scan of Internet, monthly full scan One line of text per network scanned Unix tools

7. Methods - network scanning Obtain master network list network lists from Merit, RIPE, APNIC, etc. BGP data or routing data from customers hand-assembled list of Yugoslavia/Bosnia Run a traceroute-style scan towards each network Stop on error, completion, no data Keep the natives happy

8. TTL probes Used by traceroute and other tools Probes toward each target network with increasing TTL Probes are ICMP, UDP, TCP to port 80, 25, 139, etc. Some people block UDP, others ICMP

9. Server Client Application level Application level Router Router Router Router Router TCP/UDP TCP/UDP IP IP IP IP IP IP IP Hardware Hardware Hardware Hardware Hardware Hardware Hardware TTL probes Hop 3 Hop 1 Hop 2 Hop 4 Hop 3

10. Server Client Application level Application level Router Router Router Router Router TCP/UDP TCP/UDP IP IP IP IP IP IP IP Hardware Hardware Hardware Hardware Hardware Hardware Hardware Send a packet with a TTL of 1… Hop 3 Hop 1 Hop 2 Hop 4 Hop 3

11. Server Client Application level Application level Router Router Router Router Router TCP/UDP TCP/UDP IP IP IP IP IP IP IP Hardware Hardware Hardware Hardware Hardware Hardware Hardware …and we get the death notice from the first hop Hop 3 Hop 1 Hop 2 Hop 4 Hop 3

12. Server Client Application level Application level Router Router Router Router Router TCP/UDP TCP/UDP IP IP IP IP IP IP IP Hardware Hardware Hardware Hardware Hardware Hardware Hardware Send a packet with a TTL of 2… Hop 3 Hop 1 Hop 2 Hop 4 Hop 3

13. Server Client Application level Application level Router Router Router Router Router TCP/UDP TCP/UDP IP IP IP IP IP IP IP Hardware Hardware Hardware Hardware Hardware Hardware Hardware … and so on … Hop 3 Hop 1 Hop 2 Hop 4 Hop 3

14. Advantages • We don’t need access (I.e. SNMP) to the routers • It’s very fast • Standard Internet tool: it doesn’t break things • Insignificant load on the routers • Not likely to show up on IDS reports • We can probe with many packet types

15. Limitations • Outgoing paths only • Level 3 (IP) only • ATM networks appear as a single node • This distorts graphical analysis • Not all routers respond • Many routers limited to one response per second

16. Limitations • View is from scanning host only • Takes a while to collect alternating paths • Gentle mapping means missed endpoints • Imputes non-existent links

17. The data can go either way B C D A E F

18. The data can go either way B C D A E F

19. But our test packets only go part of the way B C D A E F

20. We record the hop… B C D A E F

21. The next probe happens to go the other way B C D A E F

22. …and we record the other hop… B C D A E F

23. We’ve imputed a link that doesn’t exist B C D A E F

24. Data collection complaints Australian parliament was the first to complain List of whiners (25 nets) Military noticed immediately Steve Northcutt arrangements/warnings to DISA and CERT These complaints are mostly a thing of the past Internet background radiation predominates

25. Visualization goals make a map show interesting features debug our database and collection methods hard to fold up geography doesn’t matter use colors to show further meaning

28. Infovis state-of-the-art in 1998 • 800 nodes was a huge graph • We had 100,000 nodes • Use spring-force simulation with lots of empirical tweaks • Each layout needed 20 hours of Pentium time

30. Visualization of the layout algorithm Laying out the Internet graph

32. Visualization of the layout algorithm Laying out an intranet

34. A simplified map • Minimum distance spanning tree uses 80% of the data • Much easier visualization • Most of the links still valid • Redundancy is in the middle

35. Colored by AS number

36. Map Coloring distance from test host IP address shows communities Geographical (by TLD) ISPs future timing, firewalls, LSRR blocks

37. Colored by IP address!

38. Colored by geography

39. Colored by ISP

40. Colored by distance from scanning host

41. US military reached by ICMP ping

42. US military networks reached by UDP

45. History of the Project • Started in August 1998 at Bell Labs • April-June 1999: Yugoslavia mapping • July 2000: first customer intranet scanned • Sept. 2000: spun off Lumeta from Lucent/Bell Labs

46. Yugoslavia An unclassified peek at a new battlefield

48. Un film par Steve “Hollywood” Branigan...

50. fin