Mapping the Internet and Intranets - PowerPoint PPT Presentation

Slides: 138
Provided by: billch
Transcript and Presenter's Notes

Title: Mapping the Internet and Intranets


1
(No Transcript)
2
Clear and Present Dangers
  • Bill Cheswick
  • Lumeta Corp.
  • ches_at_lumeta.com

3
Clear and Present Dangers
  • Perimeter Leaks
  • Poor host security

4
Mapping the Internet and Intranets
  • Bill Cheswick
  • ches_at_lumeta.com
  • http://www.cheswick.com

5
Motivations
  • Intranets are out of control
  • Always have been
  • Highlands day after scenario
  • Panix DOS attacks
  • a way to trace anonymous packets back!
  • Internet tomography
  • Curiosity about size and growth of the Internet
  • Same tools are useful for understanding any large
    network, including intranets

6
Related Work
  • See Martin Dodge's cyber geography page
  • MIDS - John Quarterman
  • CAIDA - kc claffy
  • Mercator
  • Measuring ISP topologies with Rocketfuel - 2002
    (Spring, Mahajan, Wetherall)
  • Enter "internet map" in your search engine

7
The Goals
  • Long term reliable collection of Internet and
    Lucent connectivity information
  • without annoying too many people
  • Attempt some simple visualizations of the data
  • movie of Internet growth!
  • Develop tools to probe intranets
  • Probe the distant corners of the Internet

8
Methods - data collection
  • Single reliable host connected at the company
    perimeter
  • Daily full scan of Lucent
  • Daily partial scan of Internet, monthly full scan
  • One line of text per network scanned
  • Unix tools

9
Methods - network scanning
  • Obtain master network list
  • network lists from Merit, RIPE, APNIC, etc.
  • BGP data or routing data from customers
  • hand-assembled list of Yugoslavia/Bosnia
  • Run a traceroute-style scan towards each network
  • Stop on error, completion, no data
  • Keep the natives happy

10
TTL probes
  • Used by traceroute and other tools
  • Probes toward each target network with increasing
    TTL
  • Probes are ICMP, UDP, TCP to port 80, 25, 139,
    etc.
  • Some people block UDP, others ICMP

11
TTL probes
[diagram: probe path from the scanning host through Hop 1, Hop 2, Hop 3 and Hop 4]
12
Send a packet with a TTL of 1
[diagram: same probe path, hops 1 to 4]
13
and we get the death notice from the first hop
[diagram: same probe path, hops 1 to 4]
14
Send a packet with a TTL of 2
[diagram: same probe path, hops 1 to 4]
15
and so on
[diagram: same probe path, hops 1 to 4]
16
Advantages
  • We don't need access (i.e. SNMP) to the routers
  • It's very fast
  • Standard Internet tool: it doesn't break things
  • Insignificant load on the routers
  • Not likely to show up on IDS reports
  • We can probe with many packet types

17
Limitations
  • Outgoing paths only
  • Level 3 (IP) only
  • ATM networks appear as a single node
  • This distorts graphical analysis
  • Not all routers respond
  • Many routers limited to one response per second

18
Limitations
  • View is from scanning host only
  • Takes a while to collect alternating paths
  • Gentle mapping means missed endpoints
  • Imputes non-existent links

19
The data can go either way
[diagram: nodes A to F, two paths between them]
20
The data can go either way
[diagram: nodes A to F]
21
But our test packets only go part of the way
[diagram: nodes A to F]
22
We record the hop
[diagram: nodes A to F]
23
The next probe happens to go the other way
[diagram: nodes A to F]
24
and we record the other hop
[diagram: nodes A to F]
25
We've imputed a link that doesn't exist
[diagram: nodes A to F]
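The imputed-link problem from slides 19-25 as an added simulation (my example, not code from the talk or from Lumeta): a constructed two-path topology, a traceroute-style scan that records one responding hop per TTL, and the naive adjacency inference a mapper draws from that record. The node names, the `forward`/`traceroute`/`scan` functions and the per-probe path choice are assumptions of the simulation, not anything the slides specify.

```python
# Added example, not from the talk: simulate TTL probing over a constructed
# two-path topology and show how one-hop-per-TTL recording imputes a link.

# Constructed topology: test host A reaches F either via B-C or via D-E.
LINKS = {"A": ["B", "D"], "B": ["C"], "C": ["F"], "D": ["E"], "E": ["F"], "F": []}


def real_edges():
    """The true set of directed links in the constructed topology."""
    return {(u, v) for u, vs in LINKS.items() for v in vs}


def forward(src, dst, ttl, choice):
    """Forward one probe. Each router decrements TTL on receipt; when TTL
    hits 0 short of the destination, that router sends back the 'death
    notice' (ICMP time exceeded) naming itself. `choice` selects which of
    two parallel next hops a load-balancing router uses for this packet."""
    node = src
    while node != dst:
        nexts = LINKS[node]
        if not nexts:
            return ("unreachable", node)
        node = nexts[choice % len(nexts)]
        ttl -= 1
        if ttl == 0 and node != dst:
            return ("time_exceeded", node)
    return ("reached", node)


def traceroute(src, dst, choice_for_probe, max_ttl=8):
    """traceroute-style scan: one probe per TTL, record whoever answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        status, node = forward(src, dst, ttl, choice_for_probe(ttl))
        hops.append(node)
        if status != "time_exceeded":
            break
    return hops


def inferred_edges(src, hops):
    """Naive mapper inference: consecutive recorded hops are adjacent."""
    chain = [src] + hops
    return {(chain[i], chain[i + 1]) for i in range(len(chain) - 1)}


def imputed_links(src, hops):
    """Inferred links that the real topology does not contain."""
    return sorted(inferred_edges(src, hops) - real_edges())


def scan(alternating):
    """Scan A->F. With `alternating`, successive probes take different paths
    (a router balancing on varying header fields); otherwise every probe
    keeps the same path choice, which is the Paris traceroute remedy of
    holding the flow-identifying header fields constant across TTLs."""
    choose = (lambda ttl: ttl % 2) if alternating else (lambda ttl: 0)
    hops = traceroute("A", "F", choose)
    return hops, imputed_links("A", hops)


if __name__ == "__main__":
    for alt in (True, False):
        hops, bogus = scan(alt)
        print("alternating" if alt else "stable", "hops:", hops, "imputed:", bogus)
```

With alternating paths the recorded chain is A, D, C, F and the mapper infers a D-C link that the topology never had; holding the path choice constant yields A, B, C, F with nothing imputed.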
26
Data collection complaints
  • Australian parliament was the first to complain
  • List of whiners (25 nets)
  • Military noticed immediately
  • Steve Northcutt
  • arrangements/warnings to DISA and CERT
  • These complaints are mostly a thing of the past
  • Internet background radiation predominates

27
Visualization goals
  • make a map
  • show interesting features
  • debug our database and collection methods
  • hard to fold up
  • geography doesn't matter
  • use colors to show further meaning

28
(No Transcript)
29
(No Transcript)
30
Infovis state-of-the-art in 1998
  • 800 nodes was a huge graph
  • We had 100,000 nodes
  • Use spring-force simulation with lots of
    empirical tweaks
  • Each layout needed 20 hours of Pentium time

31
(No Transcript)
32
Visualization of the layout algorithm
  • Laying out the Internet graph

33
(No Transcript)
34
Visualization of the layout algorithm
  • Laying out an intranet

35
(No Transcript)
36
A simplified map
  • Minimum distance spanning tree uses 80% of the
    data
  • Much easier visualization
  • Most of the links still valid
  • Redundancy is in the middle

37
Colored by AS number
38
Map Coloring
  • distance from test host
  • IP address
  • shows communities
  • Geographical (by TLD)
  • ISPs
  • future
  • timing, firewalls, LSRR blocks

39
Colored by IP address!
40
Colored by geography
41
Colored by ISP
42
Colored by distance from scanning host
43
US military reached by ICMP ping
44
US military networks reached by UDP
45
(No Transcript)
46
(No Transcript)
47
Yugoslavia
  • An unclassified peek at a new battlefield

48
(No Transcript)
49
Un film par Steve Hollywood Branigan...
50
(No Transcript)
51
fin
52
Routers in New York City: missing generator fuel
53
Intranets
54
We partition our networks to get out of the game
  • Companies, governments, departments, even
    families hide in enclaves to limit connectivity
    to approved services
  • These are called intranets
  • The decentralized, cloud-like nature of internets
    makes them hard to manage at a central point
  • My company explores the extent of intranets and
    their interconnections with other networks.

55
Intranets the rest of the Internet
56
(No Transcript)
57
(No Transcript)
58
(No Transcript)
59
(No Transcript)
60
(No Transcript)
61
This was Supposed To be a VPN
62
(No Transcript)
63
(No Transcript)
64
Anything large enough to be called an intranet
is out of control
65
Case studies: corp. networks. Some intranet
statistics
66
Leak Detection
  • A sends packet to B, with spoofed return address
    of D
  • If B can, it will reply to D with a response,
    possibly through a different interface
[diagram: mapping host (mitt) and test host; nodes A, B, C and D across the Internet and the intranet]
67
Leak Detection
  • Packet must be crafted so the response won't be
    permitted through the firewall
  • A variety of packet types and responses are used
  • Either inside or outside address may be
    discovered
  • Packet is labeled so we know where it came from
[diagram: mapping host (mitt) and test host; nodes A, B, C and D across the Internet and the intranet]
68
Existence proofs of intranet leaks: the Slammer
worm
  • It's a pop-quiz on perimeter integrity
  • The best run networks (e.g. spooks' nets) do not
    get these plagues
  • Internal hosts may be susceptible

69
Some Lumeta lessons
  • Reporting is the really hard part
  • Converting data to information
  • Tell me how we compare to other clients
  • Offering a service was good practice, for a while
  • The clients want a device
  • We have >70 Fortune-200 companies and government
    agencies as clients
  • Need-to-have vs. want-to-have

70
Honeyd network emulation
  • Anti-hacking tools by Niels Provos at
    citi.umich.edu
  • Can respond as one or more hosts
  • I am configuring it to look like an entire
    client's network
  • Useful for testing and debugging
  • Product?

71
History of the Project
  • Started in August 1998 at Bell Labs
  • April-June 1999 Yugoslavia mapping
  • July 2000 first customer intranet scanned
  • Sept. 2000 spun off Lumeta from Lucent/Bell Labs
  • June 2002 B round funding completed
  • 2003 sales >4MM

72
(No Transcript)
73
Mapping the Internet and Intranets
  • Bill Cheswick
  • ches_at_lumeta.com
  • http://www.cheswick.com

74
My Dad's Computer and the Future of Internet
Security
  • Bill Cheswick
  • ches_at_lumeta.com
  • http://www.lumeta.com

75
(No Transcript)
76
My Dad's computer
  • Skinny-dipping with Microsoft

77
Case study: My Dad's computer
  • Windows XP, plenty of horsepower, two screens
  • Applications
  • Email (Outlook)
  • Bridge: a fancy stock market monitoring system
  • AIM

78
Case study: My Dad's computer
  • Cable access
  • dynamic IP address
  • no NAT
  • no firewall
  • outdated virus software
  • no spyware checker

79
This computer was a software toxic waste dump
  • It was burning a liter of oil every 500 km
  • The popups seemed darned distracting to me

80
My Dad's computer: what the repair geek found
  • Everything
  • Viruses I've never heard of
  • Constant popups
  • Frequent blasts of multiple web pages, all
    obscene
  • Dad: why do I care? I am getting my work done

81
Dad's computer: how did he get in this mess?
  • He doesn't know what the popup security messages
    mean
  • Email-borne viruses
  • Unsecured network services
  • Executable code in web pages from unworthy sites

82
He is getting his work done
  • Didn't want a system administrator to mess up his
    user interface settings
  • Truly destructive attacks are rare
  • They aren't lucrative or much fun
  • They are self-limiting

83
Recently
  • An alien G-rated screen saver for an X-rated site
    appeared
  • Changing the screen saver worked!
  • The screen saver software removed in the correct
    way!
  • Still, this should never have happened

84
Skinny Dipping on the Internet
85
I've been skinny dipping on the Internet for years
  • FreeBSD and Linux hosts
  • Very few, very hardened network services
  • Single-user hosts
  • Dangerous services placed in sandboxes
  • No known breakins
  • No angst

86
Best block is not be there
  • -Karate Kid

87
Angst and the Morris Worm
  • Did the worm get past my firewall?
  • No. Why?
  • Partly smart design
  • Partly luck: removing fingerd
  • Peace of mind comes from staying out of the
    battle altogether

88
You've got to get out of the game
  • -Fred Grampp

89
Can my Dad (and millions like him) get out of the
game?
90
Arms Races
91
Virus arms race
  • Early on, detectors used viral signatures
  • Virus encryption and recompilation (!) has
    thwarted this
  • Virus detectors now simulate the code, looking
    for signature actions
  • Virus writers now detect emulation and behave
    differently
  • Virus emulators are slowing down, even with
    Moore's Law.

92
Virus arms race
  • I suspect that virus writers are going to win the
    detection battle, if they haven't already
  • Emulation may become too slow
  • Even though we have the home-field advantage
  • Will we know if an undetectable virus is
    released?
  • Best defense is to get out of the game.
  • Don't run portable programs, or
  • Improve our sandbox technology
  • People who really care about this worry about Ken
    Thompson's attack
  • Read and understand "On Trusting Trust"

93
Getting out of the virus game
  • Don't execute roving programs of unknown
    provenance
  • Trusted Computing can fix the problem, in theory

94
Password sniffing and cracking arms race
  • Ethernet has always been sniffable
  • WiFi is the new Ethernet

95
Password sniffing and cracking arms race
  • Password cracking works 3% to 60% of the time
    using offline dictionary attacks
  • More, if the hashing is misdesigned (cf.
    Microsoft)
  • This will never get better, so
  • We have to get out of the game

96
Password sniffing and cracking arms race
  • This battle is mostly won, thanks to SSL, IPsec,
    and VPNs.
  • There are many successful businesses using these
    techniques nicely.

97
Password sniffing is not a problem for Dad
  • SSL fixes most of it
  • AIM is interceptible
  • Fixable; will it be?

98
Authentication/Identification Arms races
  • Password/PIN selection vs. cracking
  • Human-chosen passwords and PINs can be ok if
    guessing is limited, and obvious choices are
    suppressed
  • Password cracking is getting better, thanks to
    Moore's Law and perhaps even botnets

99
We dont know how to leave the user in charge of
security decisions, safely.
100
User education vs. user deception
  • We will continue losing this one
  • Even experts sometimes don't understand the
    ramifications of choices they are offered

101
Authentication arms race: predictions
  • USA needs two factor authentication for social
    security number. (Something better than MMN or
    birth date.)
  • I don't see this improving much, but a global USB
    dongle would do it
  • Don't wait for world-wide PKI.

102
Arms race (sort of): hardware destruction
  • IBM monochrome monitor
  • Some more recent monitors
  • Current ones?
  • Hard drives? Beat the heads up?
  • EEPROM write limits
  • Viral attack on .cn and .kr PC motherboards
  • Other equipment
  • Anything that requires a hardware on-site service
    call

103
Arms race (sort of): hardware destruction
  • Rendering the firmware useless
  • This can be fixed (mostly) with a secure trusted
    computing base.

104
Software upgrade race: literally a race
  • Patches are analyzed to determine the weakness
  • Patch-to-exploit time is now down below 10 hours
  • NB: spammers have incentive to do this work
  • Now the good guys are trying to obfuscate code!
  • Future: difficult to say; the dark side obscures
    everything.

105
Arms Races: deception
  • Jails
  • Cliff Stoll and SDInet
  • Honeypots
  • Honeynet
  • honeyd
  • The Deception Toolkit (Fred Cohen)

106
Microsoft client security
  • It has been getting worse: can they skinny-dip
    safely?

107
Windows ME
Active Connections - Win ME

Proto  Local Address          Foreign Address   State
TCP    127.0.0.1:1032         0.0.0.0:0         LISTENING
TCP    223.223.223.10:139     0.0.0.0:0         LISTENING
UDP    0.0.0.0:1025           *:*
UDP    0.0.0.0:1026           *:*
UDP    0.0.0.0:31337          *:*
UDP    0.0.0.0:162            *:*
UDP    223.223.223.10:137     *:*
UDP    223.223.223.10:138     *:*
108
Windows 2000

Proto  Local Address          Foreign Address   State
TCP    0.0.0.0:135            0.0.0.0:0         LISTENING
TCP    0.0.0.0:445            0.0.0.0:0         LISTENING
TCP    0.0.0.0:1029           0.0.0.0:0         LISTENING
TCP    0.0.0.0:1036           0.0.0.0:0         LISTENING
TCP    0.0.0.0:1078           0.0.0.0:0         LISTENING
TCP    0.0.0.0:1080           0.0.0.0:0         LISTENING
TCP    0.0.0.0:1086           0.0.0.0:0         LISTENING
TCP    0.0.0.0:6515           0.0.0.0:0         LISTENING
TCP    127.0.0.1:139          0.0.0.0:0         LISTENING
UDP    0.0.0.0:445            *:*
UDP    0.0.0.0:1038           *:*
UDP    0.0.0.0:6514           *:*
UDP    0.0.0.0:6515           *:*
UDP    127.0.0.1:1108         *:*
UDP    223.223.223.96:500     *:*
UDP    223.223.223.96:4500    *:*

109
Windows XP, this laptop

Proto  Local Address          Foreign Address   State
TCP    ches-pc:epmap          ches-pc:0         LISTENING
TCP    ches-pc:microsoft-ds   ches-pc:0         LISTENING
TCP    ches-pc:1025           ches-pc:0         LISTENING
TCP    ches-pc:1036           ches-pc:0         LISTENING
TCP    ches-pc:3115           ches-pc:0         LISTENING
TCP    ches-pc:3118           ches-pc:0         LISTENING
TCP    ches-pc:3470           ches-pc:0         LISTENING
TCP    ches-pc:3477           ches-pc:0         LISTENING
TCP    ches-pc:5000           ches-pc:0         LISTENING
TCP    ches-pc:6515           ches-pc:0         LISTENING
TCP    ches-pc:netbios-ssn    ches-pc:0         LISTENING
TCP    ches-pc:3001           ches-pc:0         LISTENING
TCP    ches-pc:3002           ches-pc:0         LISTENING
TCP    ches-pc:3003           ches-pc:0         LISTENING
TCP    ches-pc:5180           ches-pc:0         LISTENING
UDP    ches-pc:microsoft-ds   *:*
UDP    ches-pc:isakmp         *:*
UDP    ches-pc:1027           *:*
UDP    ches-pc:3008           *:*
UDP    ches-pc:3473           *:*
UDP    ches-pc:6514           *:*
UDP    ches-pc:6515           *:*
UDP    ches-pc:netbios-ns     *:*
UDP    ches-pc:netbios-dgm    *:*
UDP    ches-pc:1900           *:*
UDP    ches-pc:ntp            *:*
UDP    ches-pc:1900           *:*
UDP    ches-pc:3471           *:*
110
FreeBSD partition, this laptop (getting out of
the game)
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address
tcp4       0      0  *.22
tcp6       0      0  *.22
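An added listener audit (my example, not code from the talk): it parses netstat -an style lines in the format of the Windows 2000 listing above and separates loopback-only sockets from ones reachable over the network, which is the check behind the later "no network listeners" proposal. The sample text is constructed from the addresses on that slide plus one made-up ESTABLISHED line; `audit`, `listeners` and `exposure` are my names.

```python
# Added example, not from the talk: classify netstat -an listeners by how
# far outside the box they can be reached.
import re
from collections import Counter

# Constructed sample in the format of the Windows 2000 slide (addresses from
# that slide, columns restored, plus one invented ESTABLISHED connection).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  TCP    223.223.223.96:1031    10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1108         *:*
  UDP    223.223.223.96:500     *:*
  UDP    223.223.223.96:4500    *:*
"""

# proto, local addr:port (also matches "ches-pc:epmap"), foreign, optional state
SOCKET = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)(?:\s+(\S+))?$")


def listeners(text):
    """Yield (proto, ip, port) for every socket that accepts unsolicited
    traffic: TCP sockets in LISTENING state and every bound UDP socket."""
    for raw in text.splitlines():
        m = SOCKET.match(raw.strip())
        if not m:
            continue                  # header, blank, or unparsable line
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                  # established/time-wait: not a listener
        yield proto, ip, port


def exposure(ip):
    """Classify what a bound address lets the outside world reach."""
    if ip.startswith("127."):
        return "loopback-only"
    if ip == "0.0.0.0":
        return "all-interfaces"
    return "one-interface"


def audit(text):
    """Return (counts by exposure class, network-reachable listeners)."""
    counts = Counter()
    reachable = []
    for proto, ip, port in listeners(text):
        kind = exposure(ip)
        counts[kind] += 1
        if kind != "loopback-only":
            reachable.append(f"{proto} {ip}:{port}")
    return dict(counts), reachable


if __name__ == "__main__":
    counts, reachable = audit(SAMPLE)
    print(counts)
    for entry in reachable:
        print("network-reachable listener:", entry)
```

Run against a real `netstat -an` capture, an empty reachable list is the state the FreeBSD partition above is close to and the Windows OK slides ask for.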
111
It is easy to dump on Microsoft, but many others
have made the same mistakes before
112
Default services: SGI workstation
ftp      stream tcp nowait root     /v/gate/ftpd
telnet   stream tcp nowait root     /usr/etc/telnetd
shell    stream tcp nowait root     /usr/etc/rshd
login    stream tcp nowait root     /usr/etc/rlogind
exec     stream tcp nowait root     /usr/etc/rexecd
finger   stream tcp nowait guest    /usr/etc/fingerd
bootp    dgram  udp wait   root     /usr/etc/bootp
tftp     dgram  udp wait   guest    /usr/etc/tftpd
ntalk    dgram  udp wait   root     /usr/etc/talkd
tcpmux   stream tcp nowait root     internal
echo     stream tcp nowait root     internal
discard  stream tcp nowait root     internal
chargen  stream tcp nowait root     internal
daytime  stream tcp nowait root     internal
time     stream tcp nowait root     internal
echo     dgram  udp wait   root     internal
discard  dgram  udp wait   root     internal
chargen  dgram  udp wait   root     internal
daytime  dgram  udp wait   root     internal
time     dgram  udp wait   root     internal
sgi-dgl  stream tcp nowait root/rcv dgld
uucp     stream tcp nowait root     /usr/lib/uucp/uucpd
113
More default services
mountd/1            stream rpc/tcp wait/lc root rpc.mountd
mountd/1            dgram  rpc/udp wait/lc root rpc.mountd
sgi_mountd/1        stream rpc/tcp wait/lc root rpc.mountd
sgi_mountd/1        dgram  rpc/udp wait/lc root rpc.mountd
rstatd/1-3          dgram  rpc/udp wait    root rpc.rstatd
walld/1             dgram  rpc/udp wait    root rpc.rwalld
rusersd/1           dgram  rpc/udp wait    root rpc.rusersd
rquotad/1           dgram  rpc/udp wait    root rpc.rquotad
sprayd/1            dgram  rpc/udp wait    root rpc.sprayd
bootparam/1         dgram  rpc/udp wait    root rpc.bootparamd
sgi_videod/1        stream rpc/tcp wait    root ?videod
sgi_fam/1           stream rpc/tcp wait    root ?fam
sgi_snoopd/1        stream rpc/tcp wait    root ?rpc.snoopd
sgi_pcsd/1          dgram  rpc/udp wait    root ?cvpcsd
sgi_pod/1           stream rpc/tcp wait    root ?podd
tcpmux/sgi_scanner  stream tcp     nowait  root ?scan/net/scannerd
tcpmux/sgi_printer  stream tcp     nowait  root ?print/printerd
9fs                 stream tcp     nowait  root /v/bin/u9fs u9fs
webproxy            stream tcp     nowait  root /usr/local/etc/webserv
114
Firewalls and intranets try to get us out of the
network services vulnerability game
115
(No Transcript)
116
What my dad (and most of you) really needs
117
Most of my Dad's problems are caused by
weaknesses in features he never uses or needs.
118
A proposal: Windows OK
119
Windows OK
  • Thin client implemented with Windows
  • It would be fine for maybe half the Windows users
  • Students, consumers, many corporate and
    government users
  • It would be reasonable to skinny dip with this
    client
  • Without firewall or virus checking software

120
Windows OK
  • No network listeners
  • None of those services are needed, except admin
    access for centrally-administered hosts
  • Default security settings
  • All security controls in one or two places
  • Security settings can be locked

121
Windows OK (cont)
  • There should be nothing you can click on, in
    email or a web page, that can hurt your computer
  • No portable programs are executed ever, except
  • ActiveX from approved parties
  • MSFT and one or two others. List is lockable

122
Windows OK
  • Reduce privileges in servers and all programs
  • Sandbox programs
  • Belt and suspenders

123
Office OK
  • No macros in Word or PowerPoint. No executable
    code in PowerPoint files
  • The only macros allowed in Excel perform
    arithmetic. They cannot create files, etc.

124
Vulnerabilities in OK
  • Buffer overflows in processing of data (not from
    the network)
  • Stop adding new features and focus on bug fixes
  • Programmers can clean up bugs, if they don't have
    a moving target
  • It converges, to some extent

125
XP SP2
  • Bill Gets It

126
Microsoft's Augean Stables: a task for Hercules
  • 3000 oxen, 30 years, that's roughly one ox-day
    per line of code in Windows
  • It's been getting worse since Windows 95

127
XP SP2: Bill gets it
  • A feature you don't use should not be a security
    problem for you.
  • Security by design
  • Too late for that, it's all retrofitting now
  • Security by default
  • No network services on by default
  • Security control panel
  • Many things missing from it
  • Speaker could not find ActiveX security settings
  • There are a lot of details that remain to be seen.

128
Microsoft really means it about improving their
security
  • Their security commitment appears to be real
  • It is a huge job
  • Opposing forces are unclear to me
  • It's been a long time coming, and frustrating

129
Microsoft secure client arms race
  • We are likely to win, but it is going to be a
    while

130
SP2 isn't going to be easy to deploy
  • Many people rely on unsafe configurations, even
    if they don't realize it
  • Future SPs won't be easy either, especially if
    they follow my advice

131
Windows XP SP2
  • Candidate 2 release is available
  • Read the EULA: it is interesting and a bit
    different

132
(No Transcript)
133
(No Transcript)
134
SP2 is just a start: more work is needed
  • Security panel and ActiveX permissions
  • Also, list of trusted signers needed
  • Still too many network services
  • They may not be reachable from outside the box
  • Clicking may still be dangerous

135
Conclusions: we ought to win these battles
  • We control the playing field
  • DoS is the worst they can do, in theory
  • We can replicate our successes
  • We can converge on a secure-enough environment

136
Conclusions: problems
  • The business models to achieve these successes
    seem surprisingly elusive to me
  • Security devices, and stand-alone devices, are
    close to meeting our needs
  • Except full-functioned routers
  • General purpose computers are the big problem
  • Apparently features are more important than
    security, to the customers
  • Is this really true?

137
My Dad's Computer and the Future of Internet
Security
  • Bill Cheswick
  • ches_at_lumeta.com
  • http://www.lumeta.com