41 slides
Fun with FCC part 15
Home speaker system on 107.3
(and that’s not easy in the NYC/PHL area)
Mapping the Internet and
Intranets
Steve Branigan, Hal Burch, Bill Cheswick
How To Take the Internet Down for a week
Bill Cheswick
<startup-name>
Mapping the Internet and intranets slide 14 of 41
Lumeta
• Spun off from Bell Labs in Sept. 2000
• B round funding last June
• Building a hang glider…
Mapping the Internet and intranets slide 26 of 41
Some intranet statistics from Lumeta clients
Intranet sizes (devices)                   7,900    365,000
Corporate address space                    81,000   745,000,000
Address space usage efficiency
% devices in unknown address space         0.01%    20.86%
% routers responding to "public"           0.14%    75.50%
% routers responding to other              0.00%    52.00%
Outbound host leaks on network             0        176,000
% devices with outbound ICMP leaks         0%       79%
% devices with outbound UDP leaks          0%       82%
Inbound UDP host leaks                     0        5,800
% devices with inbound ICMP leaks          0%       11%
% devices with inbound UDP leaks           0%       12%
% hosts running Windows                    36%      84%
Mapping the Internet and intranets slide 27 of 41
But how do we debug our software?
• We used to use Lucent’s network back when I was working at Bell Labs
• We have a very light touch on our clients’ networks, and they like it that way
• The Bank of Zork (NASDAQ: BOZO) doesn’t want us practicing on their network
Mapping the Internet and intranets slide 28 of 41
Simulation vs emulation
• Simulators run packet flows over imaginary networks
• Often run to test routing and queuing algorithms
• Emulator wants to appear to be the network
Mapping the Internet and intranets slide 29 of 41
What does a chief scientist do?
• Primarily a prima donna
• Certainly not in development
  – Travel too much to keep deadline promises
  – Never was good at all-nighters
• Find a project that would be nice, but nobody is waiting for
• QA was a fine place to look
Mapping the Internet and intranets slide 30 of 41
Honeyd
• Written by Niels Provos at citi.umich.edu
• Name unrelated to, and vexes, Peter Honeyman, also of citi.umich.edu
• Designed to emulate one or more computers in a single host to lure and confuse hackers
• Responds using nmap and other host fingerprinting databases
• User scripts available to emulate specific web and other network server software
Mapping the Internet and intranets slide 31 of 41
Honeyd
• Designed to emulate one or more computers in a single host to lure and confuse hackers
• User scripts available to emulate specific web and other network server software
  – Microsoft IIS web server
  – A number of text-based services are emulated in available scripts
Mapping the Internet and intranets slide 32 of 41
Honeyd
• Host fingerprint identification based on probe databases
  – Nmap
  – xprobe
Mapping the Internet and intranets slide 33 of 41
My Honeyd project
• Make honeyd configuration scripts that build our clients’ networks from the data we obtain
• Add UDP servers for
  – DNS (name service)
  – SNMP (Simple Network Management Protocol)
Mapping the Internet and intranets slide 34 of 41
Uses
• Perfect test network for QA
  – Unchanging… diff the pages
  – Build pathological network configurations
• Training
• Sales demos
• Could this be a product?
Mapping the Internet and intranets slide 35 of 41
My honeyd scripts
• Generates entire network description for honeyd based on our client data
• You want a 50,000 node network based on real data? No problem. 300,000 nodes? OK
• DNS emulates name server lookups
• Routers respond with SNMP data
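A sketch of the kind of generator these slides describe, added here as an illustration (it is not Lumeta's or the author's script): it turns traceroute-style paths into a routed topology in honeyd's documented configuration syntax. The sample paths are constructed, the SNMP script path is hypothetical, and it assumes end hosts sit on /24s whose last-hop router has an address on the same /24.

```python
import ipaddress

# Constructed traceroute-style paths: (hop address, RTT in ms). Not client data.
PATHS = [
    [("10.0.0.1", 1.0), ("10.1.5.1", 13.0), ("10.1.5.20", 14.0)],
    [("10.0.0.1", 1.0), ("10.1.5.1", 13.0), ("10.1.5.21", 14.2)],
    [("10.0.0.1", 1.0), ("10.2.9.1", 41.0), ("10.2.9.7", 42.0)],
]

def leaf_net(ip):
    # Assumption: every end host sits on a /24.
    return str(ipaddress.ip_network(ip + "/24", strict=False))

def build_config(paths, snmp_script="scripts/snmp-emul.pl"):
    """Return honeyd configuration text for the router tree implied by paths.

    Each path must contain at least one router hop before the end host.
    snmp_script is a hypothetical path to a UDP/161 responder script.
    """
    links, nets, routers, hosts = {}, {}, [], []
    for path in paths:
        *hops, (leaf, _) = path
        if leaf not in hosts:
            hosts.append(leaf)
        for ip, _ in hops:
            if ip not in routers:
                routers.append(ip)
        # The last router is directly attached to the leaf's network.
        links.setdefault(hops[-1][0], set()).add(leaf_net(leaf))
        # Every earlier router forwards that network to its next hop.
        for (up, rtt_up), (down, rtt_down) in zip(hops, hops[1:]):
            ms = max(1, round((rtt_down - rtt_up) / 2))  # one-way estimate
            nets.setdefault(up, {})[leaf_net(leaf)] = (down, ms)
    out = [f"route entry {paths[0][0][0]}"]
    for r in routers:
        for net, (gw, ms) in sorted(nets.get(r, {}).items()):
            out.append(f"route {r} add net {net} {gw} latency {ms}ms")
        for net in sorted(links.get(r, ())):
            out.append(f"route {r} link {net}")
    out += ["create router", "set router default tcp action reset",
            f'add router udp port 161 "{snmp_script}"',
            "create endhost", "set endhost default tcp action reset"]
    out += [f"bind {r} router" for r in routers]
    out += [f"bind {h} endhost" for h in hosts]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_config(PATHS))
```

Because the output is deterministic for a given input, two runs can be diffed, which is the "unchanging" property the QA use case relies on.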
Mapping the Internet and intranets slide 36 of 41
How good is the emulation?
• Handles pings and traceroutes with no problem
• Handles “stealth hosts”, routers that don’t issue TTL exceeded messages
• Even does a fair job of simulating latencies
• Emulator for SNMP and DNS queries
• This is good enough for us: we don’t collect other data at present
• Real networks change as you test them.
Mapping the Internet and intranets slide 39 of 41
Certainly not perfect
• There isn’t nearly as much state in our network emulation as there is in a real network
• CPU time becomes an issue, and the emulator is not efficient at the moment
  – Moore’s law is a big help here
• Host fingerprinting could make the network much more convincing
  – We are working on it
  – Could just fake it
Mapping the Internet and intranets slide 40 of 41
Future work
• Many incremental improvements to network simulations
• Honeyd performance improvements
• Might release a large cleansed network configuration for research purposes