
Mapping the Internet and Intranets


Presentation Transcript


  1. Mapping the Internet and Intranets Hal Burch, Bill Cheswick ches@lumeta.com http://www.cheswick.com

  2. Motivations • Intranets are out of control • Always have been • Highlands “day after” scenario • Panix DOS attacks • a way to trace anonymous packets back! • Internet tomography • Curiosity about size and growth of the Internet • Same tools are useful for understanding any large network, including intranets

  3. Related Work • See Martin Dodge’s cyber geography page • MIDS - John Quarterman • CAIDA - kc claffy • Mercator • “Measuring ISP topologies with rocketfuel” - 2002 • Spring, Mahajan, Wetherall • Enter “internet map” in your search engine

  4. The Goals • Long term reliable collection of Internet and Lucent connectivity information without annoying too many people • Attempt some simple visualizations of the data • movie of Internet growth! • Develop tools to probe intranets • Probe the distant corners of the Internet

  5. Methods - data collection • Single reliable host connected at the company perimeter • Daily full scan of Lucent • Daily partial scan of Internet, monthly full scan • One line of text per network scanned • Unix tools

  6. Methods - network scanning • Obtain master network list • network lists from Merit, RIPE, APNIC, etc. • BGP data or routing data from customers • hand-assembled list of Yugoslavia/Bosnia • Run a traceroute-style scan towards each network • Stop on error, completion, no data • Keep the natives happy

  7. TTL probes • Used by traceroute and other tools • Probes toward each target network with increasing TTL • Probes are ICMP, UDP, TCP to port 80, 25, 139, etc. • Some people block UDP, others ICMP

  8. TTL probes [Diagram: a client and a server, each with application, TCP/UDP, IP and hardware layers, connected through a chain of routers with IP and hardware layers; hops labelled Hop 1 to Hop 4]

  9. Send a packet with a TTL of 1… [Same diagram]

  10. …and we get the death notice from the first hop [Same diagram]

  11. Send a packet with a TTL of 2… [Same diagram]

  12. … and so on … [Same diagram]

  13. Advantages • We don’t need access (i.e. SNMP) to the routers • It’s very fast • Standard Internet tool: it doesn’t break things • Insignificant load on the routers • Not likely to show up on IDS reports • We can probe with many packet types

  14. Limitations • Outgoing paths only • Level 3 (IP) only • ATM networks appear as a single node • This distorts graphical analysis • Not all routers respond • Many routers limited to one response per second

  15. Limitations • View is from scanning host only • Takes a while to collect alternating paths • Gentle mapping means missed endpoints • Imputes non-existent links

  16. The data can go either way [Diagram: network graph with nodes A, B, C, D, E, F]

  17. The data can go either way [Same diagram]

  18. But our test packets only go part of the way [Same diagram]

  19. We record the hop… [Same diagram]

  20. The next probe happens to go the other way [Same diagram]

  21. …and we record the other hop… [Same diagram]

  22. We’ve imputed a link that doesn’t exist [Same diagram]
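The TTL-probe walk-through (slides 7-12) and the imputed-link problem (slides 16-22) can be reproduced in a small simulation. This is an added example, not code from the presentation: the two-path topology, the node roles and the function names `probe`, `trace` and `imputed_links` are assumptions made for illustration.

```python
# Constructed topology (assumption, not taken from the slides' figure): scanning
# host A reaches target D over two equal-cost paths, A-B-C-D and A-E-F-D.
PATHS = [["A", "B", "C", "D"], ["A", "E", "F", "D"]]
TRUE_LINKS = {frozenset(pair) for p in PATHS for pair in zip(p, p[1:])}


def probe(ttl, path):
    """Node that answers a probe sent with this TTL along this path.

    The router at hop `ttl` drops the packet and reports back; if the TTL
    is large enough to reach the target, the target itself answers.
    """
    return path[ttl] if ttl < len(path) else path[-1]


def trace(path_for_ttl, max_ttl=8):
    """Traceroute-style scan: one probe per TTL, stopping at the target.

    `path_for_ttl(ttl)` returns the path the network picks for that probe.
    """
    hops = ["A"]
    for ttl in range(1, max_ttl + 1):
        path = path_for_ttl(ttl)
        hop = probe(ttl, path)
        hops.append(hop)
        if hop == path[-1]:
            break
    return hops


def imputed_links(hops):
    """Links inferred from consecutive hops that are absent from the real topology."""
    inferred = {frozenset(pair) for pair in zip(hops, hops[1:])}
    return inferred - TRUE_LINKS


if __name__ == "__main__":
    stable = trace(lambda ttl: PATHS[0])                   # every probe takes A-B-C-D
    alternating = trace(lambda ttl: PATHS[(ttl + 1) % 2])  # probes alternate paths
    for name, hops in (("stable", stable), ("alternating", alternating)):
        false = sorted("-".join(sorted(link)) for link in imputed_links(hops))
        print(f"{name:12s} hops={'-'.join(hops)} imputed={false}")
```

When consecutive probes take different paths, the scan records B at hop 1 and F at hop 2 and so draws a B-F link that the real network does not have; with a stable path the inferred links match the topology.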

  23. Data collection complaints • Australian parliament was the first to complain • List of whiners (25 nets) • Military noticed immediately • Steve Northcutt • arrangements/warnings to DISA and CERT • These complaints are mostly a thing of the past • Internet background radiation predominates

  24. Visualization goals • make a map • show interesting features • debug our database and collection methods • hard to fold up • geography doesn’t matter • use colors to show further meaning

  25. Infovis state-of-the-art in 1998 • 800 nodes was a huge graph • We had 100,000 nodes • Use spring-force simulation with lots of empirical tweaks • Each layout needed 20 hours of Pentium time

  26. The Internet has a diameter of about 10,000 pookies

  27. Visualization of the layout algorithm Laying out the Internet graph

  28. Visualization of the layout algorithm Laying out an intranet

  29. A simplified map • Minimum distance spanning tree uses 80% of the data • Much easier visualization • Most of the links still valid • Redundancy is in the middle

  30. Colored by AS number

  31. Map Coloring • distance from test host • IP address • shows communities • Geographical (by TLD) • ISPs • future • timing, firewalls, LSRR blocks

  32. Colored by IP address!

  33. Colored by geography

  34. Colored by ISP

  35. Colored by distance from scanning host

  36. US military reached by ICMP ping

  37. US military networks reached by UDP

  38. History of the Project • Started in August 1998 at Bell Labs • April-June 1999: Yugoslavia mapping • July 2000: first customer intranet scanned • Sept. 2000: spun off Lumeta from Lucent/Bell Labs • June 2002: “B” round funding completed • 2003: sales >$4MM

  39. Backhoes/truck bombs/mayhem • The former happens surprisingly often • Almost daily on the network of one major ISP • 9/11 took out a fair amount of connectivity

  40. CIDR and IP Counts
