410 likes | 528 Views
Fun with FCC part 15. Home speaker system on 107.3 (and that’s not easy in the NYC/PHL area). Emulating large intranets with honeyd. Bill Cheswick ches@lumeta.com. This talk was going to be boring…. Another Reason Why I Like the Window Seat. Bill Cheswick.
E N D
Fun with FCC part 15 Home speaker system on 107.3 (and that’s not easy in the NYC/PHL area)
Emulating large intranets with honeyd Bill Cheswick ches@lumeta.com
Another Reason Why I Like the Window Seat Bill Cheswick
Mapping the Internet and Intranets Steve Branigan, Hal Burch, Bill Cheswick ches@lumeta.com
How To Take the Internet Down for a week Bill Cheswick <startup-name> ches@bell-labs.com ches@cheswick.com
Our digital house By Kestrel, Terence, Lorette, and Bill Cheswick
Emulating large intranets with honeyd Bill Cheswick ches@lumeta.com
Free at last! • Nagata • Varley • Etc.
Anything large enough to be called an “intranet” isout of control
Lumeta • Spun off from Bell Labs in Sept. 2000 • B round funding last June • Building a hang glider…
But how do we debug our software? • We used to use Lucent’s network back when I was working at Bell Labs • We have a very light touch on our clients’ networks, and they like it that way • The Bank of Zork (NASDAQ: BOZO) doesn’t want us practicing on their network
Simulation vs emulation • Simulators run packet flows over imaginary networks • Often run to test routing and queuing algorithms • Emulator wants to appear to be the network
What does a chief scientist do? • Primarily a prima donna • Certainly not in development • Travel too much to keep deadline promises • Never was good at all-nighters • Find a project that would be nice, but nobody is waiting for • QA was a fine place to look
Honeyd • Written by Niels Provos at citi.umich.edu • Name unrelated to, and vexes, Peter Honeyman, also of citi.umich.edu • Designed to emulate one or more computers in a single host to lure and confuse hackers • Responds using nmap and other host fingerprinting databases • User scripts available to emulate specific web and other network server software
Honeyd • Designed to emulate one or more computers in a single host to lure and confuse hackers • User scripts available to emulate specific web and other network server software • Microsoft IIS web server • A number of text-based services are emulated in available scripts
Honeyd • Host fingerprint identification based on probe databases • Nmap • xprobe
My Honeyd project • Make honeyd configuration scripts that build our clients’ networks from the data we obtain • Add UDP servers for • DNS (name service) • SNMP (Simple Network Management Protocol)
Uses • Perfect test network for QA • Unchanging….diff the pages • Build pathological network configurations • Training • Sales demos • Could this be a product?
My honeyd scripts • Generates entire network description for honeyd based on our client data • You want a 50,000 node network based on real data? No problem. 300,000 nodes? OK • DNS emulates name server lookups • Routers respond with SNMP data
How good is the emulation? • Handles pings and traceroutes with no problem • Handles “stealth hosts”, routers that don’t issue TTL exceeded messages • Even does a fair job of simulating latencies • Emulator for SNMP and DNS queries • This is good enough for us: we don’t collect other data at present • Real networks change as you test them.
Certainly not perfect • There isn’t nearly as much state in our network emulation as there is in a real network • CPU time becomes an issue, and the emulator is not efficient at the moment • Moore’s law is a big help here • Host fingerprinting could make the network much more convincing • We are working on it • Could just fake it
Future work • Many incremental improvements to network simulations • Honeyd performance improvements • Might release a large cleansed network configuration for research purposes
Emulating large intranets with honeyd Bill Cheswick ches@lumeta.com