Mapping the Internet and Intranets
Hal Burch, Bill Cheswick
ches@lumeta.com
http://www.cheswick.com
Motivations
• Intranets are out of control (always have been)
• Highlands “day after” scenario
• Panix DoS attacks: a way to trace anonymous packets back!
• Internet tomography
• Curiosity about size and growth of the Internet
• Same tools are useful for understanding any large network, including intranets
Related Work • See Martin Dodge’s cyber geography page • MIDS - John Quarterman • CAIDA - kc claffy • Mercator • “Measuring ISP topologies with rocketfuel” - 2002 • Spring, Mahajan, Wetherall • Enter “internet map” in your search engine
The Goals
• Long term reliable collection of Internet and Lucent connectivity information without annoying too many people
• Attempt some simple visualizations of the data: movie of Internet growth!
• Develop tools to probe intranets
• Probe the distant corners of the Internet
Methods - data collection
• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full scan
• One line of text per network scanned
• Unix tools
Methods - network scanning
• Obtain master network list: network lists from Merit, RIPE, APNIC, etc.; BGP data or routing data from customers; hand-assembled list of Yugoslavia/Bosnia
• Run a traceroute-style scan towards each network
• Stop on error, completion, or no data
• Keep the natives happy
TTL probes
• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, or TCP to port 80, 25, 139, etc.
• Some people block UDP, others ICMP
TTL probes (diagram: client and server protocol stacks, application / TCP-UDP / IP / hardware, with routers at hops 1 through 4 between them)
• Send a packet with a TTL of 1…
• …and we get the death notice from the first hop
• Send a packet with a TTL of 2…
• … and so on …
Advantages • We don’t need access (i.e. SNMP) to the routers • It’s very fast • Standard Internet tool: it doesn’t break things • Insignificant load on the routers • Not likely to show up on IDS reports • We can probe with many packet types
Limitations • Outgoing paths only • Layer 3 (IP) only • ATM networks appear as a single node • This distorts graphical analysis • Not all routers respond • Many routers limited to one response per second
Limitations • View is from scanning host only • Takes a while to collect alternating paths • Gentle mapping means missed endpoints • Imputes non-existent links
Imputed links (diagram: nodes A through F, with two alternative paths the data can take)
• The data can go either way
• But our test packets only go part of the way
• We record the hop…
• The next probe happens to go the other way
• …and we record the other hop…
• We’ve imputed a link that doesn’t exist
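The TTL-probe mechanism from the earlier slides and the imputed-link problem on this one, as an added simulation written for this page (it is not the Bell Labs/Lumeta scanner). The six-node topology, the silent router C, the toy load-balancing hash on the UDP destination port, and all function names are assumptions made for the demo. The fixed-port variant is a mitigation the slides do not mention: keeping the probe's flow identifier constant so that a per-flow load balancer sends every TTL along the same path.

```python
"""Toy traceroute-style scan: increasing TTL, record a link between consecutive
responders, stop on completion or no data. Added example, not the project's code."""

# Constructed topology (assumption): scanning host A, target D, two equal-cost
# paths A-B-C-D and A-E-F-D. Router A load-balances per flow; router C never
# sends ICMP Time Exceeded ("not all routers respond").
NEXT_HOPS = {
    "A": ["B", "E"],
    "B": ["C"],
    "C": ["D"],
    "E": ["F"],
    "F": ["D"],
    "D": [],
}
SILENT = {"C"}
TRUE_LINKS = {(u, v) for u, vs in NEXT_HOPS.items() for v in vs}


def send_probe(ttl, dport):
    """One probe toward D with the given TTL and UDP destination port.

    Returns (responder, kind): kind is "exceeded" (ICMP Time Exceeded from the
    router where the TTL ran out), "reached" (D answered) or None (no reply).
    """
    node = "A"
    for _ in range(ttl):
        links = NEXT_HOPS[node]
        # Toy ECMP hash: the parity of the destination port picks the link.
        node = links[dport % len(links)]
        if node == "D":
            return "D", "reached"
    # TTL hit zero at `node`; it discards the packet and (maybe) complains.
    if node in SILENT:
        return None, None
    return node, "exceeded"


def scan(port_for_ttl, max_ttl=8, max_silent=3):
    """Probe with TTL 1, 2, 3, ... and link each responder to the previous one.

    Stops on completion (target answered), "no data" (max_silent unanswered
    TTLs in a row) or max_ttl. Returns (responders per TTL, links, reason).
    """
    hops, links = [], set()
    prev, silent = "A", 0
    for ttl in range(1, max_ttl + 1):
        responder, kind = send_probe(ttl, port_for_ttl(ttl))
        hops.append(responder)
        if responder is None:
            silent += 1
            prev = None            # traceroute's "*": the next link is unknown
            if silent >= max_silent:
                return hops, links, "no data"
            continue
        silent = 0
        if prev is not None:       # only link two hops that both answered
            links.add((prev, responder))
        prev = responder
        if kind == "reached":
            return hops, links, "completion"
    return hops, links, "max ttl"


def classic_ports(ttl):
    """Classic traceroute: a fresh destination port per probe, so the 5-tuple
    changes and a per-flow load balancer may pick a different path each time."""
    return 33434 + (ttl - 1)


def fixed_port(ttl):
    """Constant 5-tuple across TTLs, so every probe follows one path
    (assumed mitigation, not from the slides)."""
    return 33434


def imputed_links(links):
    """Links the scan inferred that the constructed topology does not contain."""
    return links - TRUE_LINKS


if __name__ == "__main__":
    for name, fn in (("classic", classic_ports), ("fixed port", fixed_port)):
        hops, links, why = scan(fn)
        print(f"{name:10s} hops={hops} stop={why}")
        print(f"{'':10s} links={sorted(links)} imputed={sorted(imputed_links(links))}")
```

The classic scan reports a link B-F that the topology does not contain: probe 1 went via B, probe 2 via E and F, and the scanner joined the two responders. The fixed-port scan avoids that artifact but, because C never answers, also never learns the B-C and C-D links, which is the "not all routers respond" limitation from the previous slide.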
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• Military noticed immediately
• Steve Northcutt: arrangements/warnings to DISA and CERT
• These complaints are mostly a thing of the past: Internet background radiation predominates
Visualization goals
• Make a map
• Show interesting features
• Debug our database and collection methods
• Hard to fold up
• Geography doesn’t matter
• Use colors to show further meaning
Infovis state-of-the-art in 1998 • 800 nodes was a huge graph • We had 100,000 nodes • Use spring-force simulation with lots of empirical tweaks • Each layout needed 20 hours of Pentium time
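A minimal spring-force layout in pure Python, added here to illustrate the approach the slide names; it is not the authors' layout code, whose empirical tweaks are not on the page. The sample graph, the force constants, the cooling schedule and the function names are assumptions. The all-pairs repulsion is O(n²) per iteration, which is why a 100,000-node layout cost so many hours in 1998.

```python
import math
import random

# Constructed sample graph (assumption): a small tree of eight nodes.
SAMPLE_NODES = list("abcdefgh")
SAMPLE_EDGES = [("a", "b"), ("a", "c"), ("b", "d"), ("b", "e"),
                ("c", "f"), ("c", "g"), ("g", "h")]


def spring_layout(nodes, edges, iterations=400, seed=7):
    """Fruchterman-Reingold style layout.

    Every pair of nodes repels with force k^2/d and every edge pulls its
    endpoints together with force d^2/k, where k is the ideal edge length.
    Each step moves a node at most `t` (the temperature), which cools linearly.
    `nodes` must be a list; returns {node: [x, y]}.
    """
    rnd = random.Random(seed)
    pos = {n: [rnd.uniform(-1.0, 1.0), rnd.uniform(-1.0, 1.0)] for n in nodes}
    k = math.sqrt(4.0 / len(nodes))      # ideal edge length for a 2x2 canvas
    t = 0.1
    cooling = t / iterations
    for _ in range(iterations):
        disp = {n: [0.0, 0.0] for n in nodes}
        for i, u in enumerate(nodes):     # repulsion between all pairs: O(n^2)
            for v in nodes[i + 1:]:
                dx = pos[u][0] - pos[v][0]
                dy = pos[u][1] - pos[v][1]
                d = math.hypot(dx, dy) or 1e-6
                f = k * k / d
                disp[u][0] += dx / d * f
                disp[u][1] += dy / d * f
                disp[v][0] -= dx / d * f
                disp[v][1] -= dy / d * f
        for u, v in edges:                # attraction along edges only
            dx = pos[u][0] - pos[v][0]
            dy = pos[u][1] - pos[v][1]
            d = math.hypot(dx, dy) or 1e-6
            f = d * d / k
            disp[u][0] -= dx / d * f
            disp[u][1] -= dy / d * f
            disp[v][0] += dx / d * f
            disp[v][1] += dy / d * f
        for n in nodes:                   # move, capped by the temperature
            dx, dy = disp[n]
            d = math.hypot(dx, dy) or 1e-6
            step = min(d, t)
            pos[n][0] += dx / d * step
            pos[n][1] += dy / d * step
        t = max(t - cooling, 1e-3)
    return pos


def mean_distance(pos, pairs):
    return sum(math.dist(pos[u], pos[v]) for u, v in pairs) / len(pairs)


def layout_quality(nodes, edges, pos):
    """Mean edge length divided by mean distance between unlinked nodes;
    below 1 means linked nodes ended up closer together than unlinked ones."""
    edge_set = {frozenset(e) for e in edges}
    non_edges = [(u, v) for i, u in enumerate(nodes) for v in nodes[i + 1:]
                 if frozenset((u, v)) not in edge_set]
    return mean_distance(pos, edges) / mean_distance(pos, non_edges)


def demo_layout():
    pos = spring_layout(SAMPLE_NODES, SAMPLE_EDGES)
    return pos, layout_quality(SAMPLE_NODES, SAMPLE_EDGES, pos)


if __name__ == "__main__":
    pos, quality = demo_layout()
    for n in SAMPLE_NODES:
        print(n, [round(c, 3) for c in pos[n]])
    print("edge/non-edge distance ratio:", round(quality, 3))
```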
Visualization of the layout algorithm: laying out the Internet graph
Visualization of the layout algorithm: laying out an intranet
A simplified map • Minimum distance spanning tree uses 80% of the data • Much easier visualization • Most of the links still valid • Redundancy is in the middle
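The spanning-tree simplification on this slide, with the hop distance from the scanning host that the later "colored by distance" map uses as its coloring key, as an added example rather than the project's own code. The link list is constructed for the demo and the function names are assumptions; the breadth-first tree from the scanning host is the minimum-distance spanning tree the slide refers to.

```python
from collections import deque

# Constructed scan result (assumption, not Lumeta data): undirected links seen
# from scanning host S. The core r1-r5 is meshed; n1-n4 are edge networks.
LINKS = [
    ("S", "r1"), ("S", "r2"),
    ("r1", "r3"), ("r1", "r4"), ("r2", "r3"), ("r2", "r4"), ("r3", "r4"),
    ("r3", "r5"), ("r4", "r5"),
    ("r5", "n1"), ("r5", "n2"), ("r4", "n3"), ("n3", "n4"),
]


def adjacency(links):
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def distance_tree(links, root):
    """Breadth-first search from the scanning host.

    Returns the hop distance of every reachable node (the coloring key for a
    "distance from scanning host" map) and the parent->child links that first
    reached each node, i.e. the minimum-distance spanning tree.
    """
    adj = adjacency(links)
    dist, tree = {root: 0}, set()
    queue = deque([root])
    while queue:
        u = queue.popleft()
        for v in sorted(adj[u]):          # sorted so the tree is deterministic
            if v not in dist:
                dist[v] = dist[u] + 1
                tree.add((u, v))
                queue.append(v)
    return dist, tree


def simplify(links, root):
    """Keep only spanning-tree links and report where the dropped ones were."""
    dist, tree = distance_tree(links, root)
    kept = [l for l in links if l in tree or (l[1], l[0]) in tree]
    dropped = [l for l in links if l not in kept]
    dropped_by_depth = {}
    for u, v in dropped:
        depth = min(dist[u], dist[v])     # depth of the link's nearer end
        dropped_by_depth[depth] = dropped_by_depth.get(depth, 0) + 1
    return {
        "distance": dist,
        "kept": kept,
        "dropped": dropped,
        "fraction_kept": len(kept) / len(links),
        "dropped_by_depth": dropped_by_depth,
    }


if __name__ == "__main__":
    r = simplify(LINKS, "S")
    print(f"kept {len(r['kept'])}/{len(LINKS)} links ({r['fraction_kept']:.0%})")
    print("max hop distance:", max(r["distance"].values()))
    print("dropped (redundant) links by depth:", r["dropped_by_depth"])
```

On the constructed graph every dropped link sits at depth 1 or 2 of a 4-hop map, none at the scanning host or at the leaves: the redundancy is in the middle, and the tree still carries every edge network.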
Colored by AS number
Map coloring
• Distance from test host
• IP address shows communities
• Geographical (by TLD)
• ISPs
• Future: timing, firewalls, LSRR blocks
Colored by distance from scanning host
US military reached by ICMP ping
US military networks reached by UDP
History of the Project • Started in August 1998 at Bell Labs • April-June 1999: Yugoslavia mapping • July 2000: first customer intranet scanned • Sept. 2000: spun off Lumeta from Lucent/Bell Labs • June 2002: “B” round funding completed • 2003: sales >$4MM
Backhoes/truck bombs/mayhem • The former happens surprisingly often • Almost daily on the network of one major ISP • 9/11 took out a fair amount of connectivity