Download presentation
Presentation is loading. Please wait.
1
1 of 137Internet Mapping, Columbia
2
137 slides Clear and Present Dangers Bill Cheswick Lumeta Corp. ches@lumeta.comhes@lumeta.com
3
137 slides Clear and Present Dangers Perimeter Leaks Poor host security
4
137 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com http://www.cheswick.com
5
5 of 137Internet Mapping, Columbia Motivations Intranets are out of control – Always have been Highlands “day after” scenario Panix DOS attacks – a way to trace anonymous packets back! Internet tomography Curiosity about size and growth of the Internet Same tools are useful for understanding any large network, including intranets
6
6 of 137Internet Mapping, Columbia Related Work See Martin Dodge’s cyber geography page MIDS - John Quarterman CAIDA - kc claffy Mercator “ Measuring ISP topologies with rocketfuel ” - 2002 – Spring, Mahajan, WetherallSpringMahajanWetherall Enter “internet map” in your search engine
7
7 of 137Internet Mapping, Columbia The Goals Long term reliable collection of Internet and Lucent connectivity information – without annoying too many people Attempt some simple visualizations of the data – movie of Internet growth! Develop tools to probe intranets Probe the distant corners of the Internet
8
8 of 137Internet Mapping, Columbia Methods - data collection Single reliable host connected at the company perimeter Daily full scan of Lucent Daily partial scan of Internet, monthly full scan One line of text per network scanned – Unix tools
9
9 of 137Internet Mapping, Columbia Methods - network scanning Obtain master network list – network lists from Merit, RIPE, APNIC, etc. – BGP data or routing data from customers – hand-assembled list of Yugoslavia/Bosnia Run a traceroute-style scan towards each network Stop on error, completion, no data – Keep the natives happy
10
10 of 137Internet Mapping, Columbia TTL probes Used by traceroute and other tools Probes toward each target network with increasing TTL Probes are ICMP, UDP, TCP to port 80, 25, 139, etc. Some people block UDP, others ICMP
11
11 of 137Internet Mapping, Columbia TTL probes Application level TCP/UDP IP Hardware Client IP Hardware Router IP Hardware Router IP Hardware Router IP Hardware Router IP Hardware Router Application level TCP/UDP IP Hardware Server Hop 1Hop 2 Hop 3 Hop 4
12
12 of 137Internet Mapping, Columbia Send a packet with a TTL of 1… Application level TCP/UDP IP Hardware Client IP Hardware Router IP Hardware Router IP Hardware Router IP Hardware Router IP Hardware Router Application level TCP/UDP IP Hardware Server Hop 1Hop 2 Hop 3 Hop 4
13
13 of 137Internet Mapping, Columbia …and we get the death notice from the first hop Application level TCP/UDP IP Hardware Client IP Hardware Router IP Hardware Router IP Hardware Router IP Hardware Router IP Hardware Router Application level TCP/UDP IP Hardware Server Hop 1Hop 2 Hop 3 Hop 4
14
14 of 137Internet Mapping, Columbia Send a packet with a TTL of 2… Application level TCP/UDP IP Hardware Client IP Hardware Router IP Hardware Router IP Hardware Router IP Hardware Router IP Hardware Router Application level TCP/UDP IP Hardware Server Hop 1Hop 2 Hop 3 Hop 4
15
15 of 137Internet Mapping, Columbia … and so on … Application level TCP/UDP IP Hardware Client IP Hardware Router IP Hardware Router IP Hardware Router IP Hardware Router IP Hardware Router Application level TCP/UDP IP Hardware Server Hop 1Hop 2 Hop 3 Hop 4
16
16 of 137Internet Mapping, Columbia Advantages We don’t need access (I.e. SNMP) to the routers It’s very fast Standard Internet tool: it doesn’t break things Insignificant load on the routers Not likely to show up on IDS reports We can probe with many packet types
17
17 of 137Internet Mapping, Columbia Limitations Outgoing paths only Level 3 (IP) only – ATM networks appear as a single node – This distorts graphical analysis Not all routers respond Many routers limited to one response per second
18
18 of 137Internet Mapping, Columbia Limitations View is from scanning host only Takes a while to collect alternating paths Gentle mapping means missed endpoints Imputes non-existent links
19
19 of 137Internet Mapping, Columbia The data can go either way A EF D BC
20
20 of 137Internet Mapping, Columbia The data can go either way A EF D BC
21
21 of 137Internet Mapping, Columbia But our test packets only go part of the way A EF D BC
22
22 of 137Internet Mapping, Columbia We record the hop… A EF D BC
23
23 of 137Internet Mapping, Columbia The next probe happens to go the other way A EF D BC
24
24 of 137Internet Mapping, Columbia …and we record the other hop… A EF D BC
25
25 of 137Internet Mapping, Columbia We’ve imputed a link that doesn’t exist A EF D BC
26
26 of 137Internet Mapping, Columbia Data collection complaints Australian parliament was the first to complain List of whiners (25 nets) Military noticed immediately – Steve Northcutt – arrangements/warnings to DISA and CERT These complaints are mostly a thing of the past – Internet background radiation predominates
27
27 of 137Internet Mapping, Columbia Visualization goals make a map – show interesting features – debug our database and collection methods – hard to fold up geography doesn’t matter use colors to show further meaning
28
28 of 137Internet Mapping, Columbia
29
29 of 137Internet Mapping, Columbia
30
30 of 137Internet Mapping, Columbia Infovis state-of-the-art in 1998 800 nodes was a huge graph We had 100,000 nodes Use spring-force simulation with lots of empirical tweaks Each layout needed 20 hours of Pentium time
31
31 of 137Internet Mapping, Columbia
32
137 slides Visualization of the layout algorithm Laying out the Internet graph
33
33 of 137Internet Mapping, Columbia
34
137 slides Visualization of the layout algorithm Laying out an intranet
35
35 of 137Internet Mapping, Columbia
36
36 of 137Internet Mapping, Columbia A simplified map Minimum distance spanning tree uses 80% of the data Much easier visualization Most of the links still valid Redundancy is in the middle
37
37 of 137Internet Mapping, Columbia Colored by AS number
38
38 of 137Internet Mapping, Columbia Map Coloring distance from test host IP address – shows communities Geographical (by TLD) ISPs future – timing, firewalls, LSRR blocks
39
39 of 137Internet Mapping, Columbia Colored by IP address!
40
40 of 137Internet Mapping, Columbia Colored by geography
41
41 of 137Internet Mapping, Columbia Colored by ISP
42
42 of 137Internet Mapping, Columbia Colored by distance from scanning host
43
43 of 137Internet Mapping, Columbia US military reached by ICMP ping
44
44 of 137Internet Mapping, Columbia US military networks reached by UDP
45
45 of 137Internet Mapping, Columbia
46
46 of 137Internet Mapping, Columbia
47
137 slides Yugoslavia An unclassified peek at a new battlefield
48
48 of 137Internet Mapping, Columbia
49
137 slides Un film par Steve “Hollywood” Branigan...
50
50 of 137Internet Mapping, Columbia
51
137 slides fin
52
52 of 137Internet Mapping, Columbia Routers in New York City missing generator fuel
53
137 slides Intranets
54
54 of 137Internet Mapping, Columbia We partition our networks to get out of the game Companies, governments, departments, even families hide in enclaves to limit connectivity to approved services These are called intranets The decentralized, cloud-like nature of internets makes them hard to manage at a central point My company explores the extent of intranets and their interconnections with other networks.
55
137 slides Intranets: the rest of the Internet
56
56 of 137Internet Mapping, Columbia
57
57 of 137Internet Mapping, Columbia
58
58 of 137Internet Mapping, Columbia
59
59 of 137Internet Mapping, Columbia
60
60 of 137Internet Mapping, Columbia
61
61 of 137Internet Mapping, Columbia This was Supposed To be a VPN
62
62 of 137Internet Mapping, Columbia
63
63 of 137Internet Mapping, Columbia
64
137 slides Anything large enough to be called an “intranet” is out of control
65
65 of 137Internet Mapping, Columbia Case studies: corp. networks Some intranet statistics
66
66 of 137Internet Mapping, Columbia Leak Detection Internet intranet Mapping host A Test host B mitt D C A sends packet to B, with spoofed return address of D If B can, it will reply to D with a response, possibly through a different interface
67
67 of 137Internet Mapping, Columbia Leak Detection Internet intranet Mapping host A Test host B mitt D C Packet must be crafted so the response won’t be permitted through the firewall A variety of packet types and responses are used Either inside or outside address may be discovered Packet is labeled so we know where it came from
68
68 of 137Internet Mapping, Columbia Existence proofs of intranet leaks: the slammer worm It’s a pop-quiz on perimeter integrity The best run networks (e.g. spooks’ nets) do not get these plagues – Internal hosts may be susceptible
69
69 of 137Internet Mapping, Columbia Some Lumeta lessons Reporting is the really hard part – Converting data to information “Tell me how we compare to other clients” Offering a service was good practice, for a while The clients want a device We have >70 Fortune-200 companies and government agencies as clients Need-to-have vs. want-to-have
70
70 of 137Internet Mapping, Columbia Honeyd – network emulation Anti-hacking tools by Niels Provos at citi.umich.edu Can respond as one or more hosts I am configuring it to look like an entire client’s network Useful for testing and debugging Product?
71
71 of 137Internet Mapping, Columbia History of the Project Started in August 1998 at Bell Labs April-June 1999: Yugoslavia mapping July 2000: first customer intranet scanned Sept. 2000: spun off Lumeta from Lucent/Bell Labs June 2002: “B” round funding completed 2003: sales >$4MM
72
72 of 137Internet Mapping, Columbia
73
137 slides Mapping the Internet and Intranets Bill Cheswick ches@lumeta.com http://www.cheswick.com
74
137 slides My Dad’s Computer and the Future of Internet Security Bill Cheswick ches@lumeta.com http://www.lumeta.com
75
75 of 137Internet Mapping, Columbia
76
137 slides My Dad’s computer Skinny-dipping with Microsoft
77
77 of 137Internet Mapping, Columbia Case study: My Dad’s computer Windows XP, plenty of horsepower, two screens Applications: – Email (Outlook) – “Bridge:” a fancy stock market monitoring system – AIM
78
78 of 137Internet Mapping, Columbia Case study: My Dad’s computer Cable access dynamic IP address no NAT no firewall outdated virus software no spyware checker
79
79 of 137Internet Mapping, Columbia This computer was a software toxic waste dump It was burning a liter of oil every 500 km The popups seemed darned distracting to me
80
80 of 137Internet Mapping, Columbia My Dad’s computer: what the repair geek found Everything “Viruses I’ve never heard off” Constant popups Frequent blasts of multiple web pages, all obscene Dad: why do I care? I am getting my work done
81
81 of 137Internet Mapping, Columbia Dad’s computer: how did he get in this mess? He doesn’t know what the popup security messages mean Email-born viruses Unsecured network services Executable code in web pages from unworthy sites
82
82 of 137Internet Mapping, Columbia He is getting his work done Didn’t want a system administrator to mess up his user interface settings Truly destructive attacks are rare – They aren’t lucrative or much fun – They are self-limiting
83
83 of 137Internet Mapping, Columbia Recently An alien G-rated screen saver for an X-rated site appeared Changing the screen saver worked! The screen saver software removed in the correct way! Still, this should never have happened
84
137 slides Skinny Dipping on the Internet
85
85 of 137Internet Mapping, Columbia I’ve been skinny dipping on the Internet for years FreeBSD and Linux hosts Very few, very hardened network services Single-user hosts Dangerous services placed in sandboxes No known breakins No angst
86
137 slides “Best block is not be there” -Karate Kid
87
87 of 137Internet Mapping, Columbia Angst and the Morris Worm Did the worm get past my firewall? No. Why? – Partly smart design – Partly luck…removing fingerd Peace of mind comes from staying out of the battle altogether
88
137 slides “You’ve got to get out of the game” -Fred Grampp
89
137 slides Can my Dad (and millions like him) get out of the game?
90
137 slides Arms Races
91
91 of 137Internet Mapping, Columbia Virus arms race Early on, detectors used viral signatures Virus encryption and recompilation (!) has thwarted this Virus detectors now simulate the code, looking for signature actions Virus writers now detect emulation and behave differently Virus emulators are slowing down, even with Moore’s Law.
92
92 of 137Internet Mapping, Columbia Virus arms race I suspect that virus writers are going to win the detection battle, if they haven’t already – Emulation may become too slow – Even though we have the home-field advantage – Will we know if an undetectable virus is released? Best defense is to get out of the game. – Don’t run portable programs, or – Improve our sandbox technology People who really care about this worry about Ken Thompson’s attack – Read and understand “On Trusting Trust”
93
93 of 137Internet Mapping, Columbia Getting out of the virus game Don’t execute roving programs of unknown provenance Trusted Computing can fix the problem, in theory
94
94 of 137Internet Mapping, Columbia Password sniffing and cracking arms race Ethernet has always been sniffable WiFi is the new Ethernet
95
95 of 137Internet Mapping, Columbia Password sniffing and cracking arms race Password cracking works 3% to 60% of the time using offline dictionary attacks – More, if the hashing is misdesigned (c.f. Microsoft) This will never get better, so… We have to get out of the game
96
96 of 137Internet Mapping, Columbia Password sniffing and cracking arms race This battle is mostly won, thanks to SSL, IP/SEC, and VPNs. There are many successful businesses using these techniques nicely.
97
97 of 137Internet Mapping, Columbia Password sniffing is not a problem for Dad SSL fixes most of it AIM is interceptible – Fixable…will it be?
98
98 of 137Internet Mapping, Columbia Authentication/Identification Arms races Password/PIN selection vs. cracking Human-chosen passwords and PINs can be ok if guessing is limited, and obvious choices are suppressed Password cracking is getting better, thanks to Moore’s Law and perhaps even botnets
99
99 of 137Internet Mapping, Columbia We don’t know how to leave the user in charge of security decisions, safely.
100
100 of 137Internet Mapping, Columbia User education vs. user deception We will continue losing this one Even experts sometimes don’t understand the ramifications of choices they are offered
101
101 of 137Internet Mapping, Columbia Authentication arms race: predictions USA needs two factor authentication for social security number. (Something better than MMN or birth date.) I don’t see this improving much, but a global USB dongle would do it Don’t wait for world-wide PKI.
102
102 of 137Internet Mapping, Columbia Arms race (sort of) hardware destruction IBM monochrome monitor Some more recent monitors – Current ones? Hard drives? Beat the heads up? EEPROM write limits – Viral attack on.cn and.kr PC motherboards – Other equipment Anything that requires a hardware on-site service call
103
103 of 137Internet Mapping, Columbia Arms race (sort of) hardware destruction Rendering the firmware useless – This can be fixed (mostly) with a secure trusted computing base.
104
104 of 137Internet Mapping, Columbia Software upgrade race: literally a race Patches are analyzed to determine the weakness Patch-to-exploit time is now down below 10 hours – NB: spammers have incentive to do this work Now the good guys are trying to obfuscate code! Future difficult to say: dark side obscures everything.
105
105 of 137Internet Mapping, Columbia Arms Races: deception Jails – Cliff Stoll and SDInet Honeypots – Honeynet – honeyd The deception toolkit---Fred Cohen
106
137 slides Microsoft client security It has been getting worse: can they skinny-dip safely?
107
107 of 137Internet Mapping, Columbia Windows ME Active Connections - Win ME Proto Local Address Foreign Address State TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING TCP 223.223.223.10:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:1025 *:* UDP 0.0.0.0:1026 *:* UDP 0.0.0.0:31337 *:* UDP 0.0.0.0:162 *:* UDP 223.223.223.10:137 *:* UDP 223.223.223.10:138 *:*
108
108 of 137Internet Mapping, Columbia Windows 2000 Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING TCP 0.0.0.0:1036 0.0.0.0:0 LISTENING TCP 0.0.0.0:1078 0.0.0.0:0 LISTENING TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING TCP 0.0.0.0:1086 0.0.0.0:0 LISTENING TCP 0.0.0.0:6515 0.0.0.0:0 LISTENING TCP 127.0.0.1:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:445 *:* UDP 0.0.0.0:1038 *:* UDP 0.0.0.0:6514 *:* UDP 0.0.0.0:6515 *:* UDP 127.0.0.1:1108 *:* UDP 223.223.223.96:500 *:* UDP 223.223.223.96:4500 *:*
109
109 of 137Internet Mapping, Columbia Windows XP, this laptop Proto Local Address Foreign Address State TCP ches-pc:epmap ches-pc:0 LISTENING TCP ches-pc:microsoft-ds ches-pc:0 LISTENING TCP ches-pc:1025 ches-pc:0 LISTENING TCP ches-pc:1036 ches-pc:0 LISTENING TCP ches-pc:3115 ches-pc:0 LISTENING TCP ches-pc:3118 ches-pc:0 LISTENING TCP ches-pc:3470 ches-pc:0 LISTENING TCP ches-pc:3477 ches-pc:0 LISTENING TCP ches-pc:5000 ches-pc:0 LISTENING TCP ches-pc:6515 ches-pc:0 LISTENING TCP ches-pc:netbios-ssn ches-pc:0 LISTENING TCP ches-pc:3001 ches-pc:0 LISTENING TCP ches-pc:3002 ches-pc:0 LISTENING TCP ches-pc:3003 ches-pc:0 LISTENING TCP ches-pc:5180 ches-pc:0 LISTENING UDP ches-pc:microsoft-ds *:* UDP ches-pc:isakmp *:* UDP ches-pc:1027 *:* UDP ches-pc:3008 *:* UDP ches-pc:3473 *:* UDP ches-pc:6514 *:* UDP ches-pc:6515 *:* UDP ches-pc:netbios-ns *:* UDP ches-pc:netbios-dgm *:* UDP ches-pc:1900 *:* UDP ches-pc:ntp *:* UDP ches-pc:1900 *:* UDP ches-pc:3471 *:*
110
110 of 137Internet Mapping, Columbia FreeBSD partition, this laptop (getting out of the game) Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address tcp4 0 0 *.22 tcp6 0 0 *.22
111
137 slides It is easy to dump on Microsoft, but many others have made the same mistakes before
112
112 of 137Internet Mapping, Columbia ftp stream tcp nowait root /v/gate/ftpd telnet stream tcp nowait root /usr/etc/telnetd shell stream tcp nowait root /usr/etc/rshd login stream tcp nowait root /usr/etc/rlogind exec stream tcp nowait root /usr/etc/rexecd finger stream tcp nowait guest /usr/etc/fingerd bootp dgram udp wait root /usr/etc/bootp tftp dgram udp wait guest /usr/etc/tftpd ntalk dgram udp wait root /usr/etc/talkd tcpmux stream tcp nowait root internal echo stream tcp nowait root internal discard stream tcp nowait root internal chargen stream tcp nowait root internal daytime stream tcp nowait root internal time stream tcp nowait root internal echo dgram udp wait root internal discard dgram udp wait root internal chargen dgram udp wait root internal daytime dgram udp wait root internal time dgram udp wait root internal sgi-dgl stream tcp nowait root/rcv dgld uucp stream tcp nowait root /usr/lib/uucp/uucpd Default services SGI workstation
113
113 of 137Internet Mapping, Columbia More default services mountd/1 stream rpc/tcp wait/lc root rpc.mountd mountd/1 dgram rpc/udp wait/lc root rpc.mountd sgi_mountd/1 stream rpc/tcp wait/lc root rpc.mountd sgi_mountd/1 dgram rpc/udp wait/lc root rpc.mountd rstatd/1-3 dgram rpc/udp wait root rpc.rstatd walld/1 dgram rpc/udp wait root rpc.rwalld rusersd/1 dgram rpc/udp wait root rpc.rusersd rquotad/1 dgram rpc/udp wait root rpc.rquotad sprayd/1 dgram rpc/udp wait root rpc.sprayd bootparam/1 dgram rpc/udp wait root rpc.bootparamd sgi_videod/1 stream rpc/tcp wait root ?videod sgi_fam/1 stream rpc/tcp wait root ?fam sgi_snoopd/1 stream rpc/tcp wait root ?rpc.snoopd sgi_pcsd/1 dgram rpc/udp wait root ?cvpcsd sgi_pod/1 stream rpc/tcp wait root ?podd tcpmux/sgi_scanner stream tcp nowait root ?scan/net/scannerd tcpmux/sgi_printer stream tcp nowait root ?print/printerd 9fs stream tcp nowait root /v/bin/u9fs u9fs webproxy stream tcp nowait root /usr/local/etc/webserv
114
137 slides Firewalls and intranets try to get us out of the network services vulnerability game
115
115 of 137Internet Mapping, Columbia
116
137 slides What my dad (and most of you) really needs
117
137 slides Most of my Dad’s problems are caused by weaknesses in features he never uses or needs.
118
137 slides A proposal: Windows OK
119
119 of 137Internet Mapping, Columbia Windows OK Thin client implemented with Windows It would be fine for maybe half the Windows users – Students, consumers, many corporate and government users It would be reasonable to skinny dip with this client – Without firewall or virus checking software
120
120 of 137Internet Mapping, Columbia Windows OK No network listeners – None of those services are needed, except admin access for centrally-administered hosts Default security settings All security controls in one or two places Security settings can be locked
121
121 of 137Internet Mapping, Columbia Windows OK (cont) There should be nothing you can click on, in email or a web page, that can hurt your computer – No portable programs are executed ever, except… ActiveX from approved parties – MSFT and one or two others. List is lockable
122
122 of 137Internet Mapping, Columbia Windows OK Reduce privileges in servers and all programs Sandbox programs – Belt and suspenders
123
123 of 137Internet Mapping, Columbia Office OK No macros in Word or PowerPoint. No executable code in PowerPoint files The only macros allowed in Excel perform arithmetic. They cannot create files, etc.
124
124 of 137Internet Mapping, Columbia Vulnerabilities in OK Buffer overflows in processing of data (not from the network) Stop adding new features and focus on bug fixes Programmers can clean up bugs, if they don’t have a moving target – It converges, to some extent
125
137 slides XP SP2 Bill Gets It
126
126 of 137Internet Mapping, Columbia Microsoft’s Augean Stables: a task for Hercules 3000 oxen, 30 years, that’s roughly one oxen-day per line of code in Windows It’s been getting worse since Windows 95
127
127 of 137Internet Mapping, Columbia XP SP2: Bill gets it “a feature you don’t use should not be a security problem for you.” “Security by design” – Too late for that, its all retrofitting now “Security by default” – No network services on by default Security control panel – Many things missing from it – Speaker could not find ActiveX security settings There are a lot of details that remain to be seen.
128
128 of 137Internet Mapping, Columbia Microsoft really means it about improving their security Their security commitment appears to be real It is a huge job Opposing forces are unclear to me It’s been a long time coming, and frustrating
129
129 of 137Internet Mapping, Columbia Microsoft secure client arms race We are likely to win, but it is going to be a while
130
130 of 137Internet Mapping, Columbia SP2 isn’t going to be easy to deploy Many people rely on unsafe configurations, even if they don’t realize it Future SPs won’t be easy either, especially if they follow my advice
131
131 of 137Internet Mapping, Columbia Windows XP SP2 Candidate 2 release is available Read the EULA…it is interesting and a bit different
132
132 of 137Internet Mapping, Columbia
133
133 of 137Internet Mapping, Columbia
134
134 of 137Internet Mapping, Columbia SP2 is just a start: more work is needed Security panel and ActiveX permissions – Also, list of trusted signers needed Still too many network services – They may not be reachable from outside the box Clicking may still be dangerous
135
135 of 137Internet Mapping, Columbia Conclusions: we ought to win these battles We control the playing field DOS is the worse they can do, in theory We can replicate our successes We can converge on a secure-enough environment
136
136 of 137Internet Mapping, Columbia Conclusions: problems The business models to achieve these successes seem surprisingly elusive to me Security devices, and stand-alone devices, are close to meeting our needs – Except full-functioned routers General purpose computers are the big problem – Apparently features are more important than security, to the customers – Is this really true?
137
137 slides My Dad’s Computer and the Future of Internet Security Bill Cheswick ches@lumeta.com http://www.lumeta.com
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.