1 of 137Internet Mapping, Columbia. 137 slides Clear and Present Dangers Bill Cheswick Lumeta Corp....

1 of 137Internet Mapping, Columbia

137 slides

Clear and Present Dangers

Bill Cheswick

Lumeta Corp.

[email protected]

137 slides

Clear and Present Dangers

Perimeter Leaks

Poor host security

137 slides

Mapping the Internet and

IntranetsBill Cheswick

[email protected]

http://www.cheswick.com


Motivations

• Intranets are out of control– Always have been

• Highlands “day after” scenario

• Panix DOS attacks– a way to trace

anonymous packets back!

• Internet tomography

• Curiosity about size and growth of the Internet

• Same tools are useful for understanding any large network, including intranets


Related Work

• See Martin Dodge’s cyber geography page

• MIDS - John Quarterman

• CAIDA - kc claffy

• Mercator

• “Measuring ISP topologies with rocketfuel” - 2002– Spring, Mahajan, Wetherall

• Enter “internet map” in your search engine


The Goals

• Long term reliable collection of Internet and Lucent connectivity information– without annoying

too many people

• Attempt some simple visualizations of the data

– movie of Internet growth!

• Develop tools to probe intranets

• Probe the distant corners of the Internet


Methods - data collection

• Single reliable host connected at the company perimeter

• Daily full scan of Lucent

• Daily partial scan of Internet, monthly full scan

• One line of text per network scanned– Unix tools


Methods - network scanning

• Obtain master network list– network lists from Merit, RIPE, APNIC, etc.– BGP data or routing data from customers– hand-assembled list of Yugoslavia/Bosnia

• Run a traceroute-style scan towards each network

• Stop on error, completion, no data– Keep the natives happy


TTL probes

• Used by traceroute and other tools

• Probes toward each target network with increasing TTL

• Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.

• Some people block UDP, others ICMP


TTL probes

Application level

TCP/UDP

IP

Hardware

Client

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

Application level

TCP/UDP

IP

Hardware

Server

Hop 1 Hop 2 Hop 3

Hop 3Hop 4


Send a packet with a TTL of 1…

Application level

TCP/UDP

IP

Hardware

Client

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

Application level

TCP/UDP

IP

Hardware

Server

Hop 1 Hop 2 Hop 3

Hop 3Hop 4


…and we get the death notice from the first hop

Application level

TCP/UDP

IP

Hardware

Client

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

Application level

TCP/UDP

IP

Hardware

Server

Hop 1 Hop 2 Hop 3

Hop 3Hop 4


Send a packet with a TTL of 2…

Application level

TCP/UDP

IP

Hardware

Client

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

Application level

TCP/UDP

IP

Hardware

Server

Hop 1 Hop 2 Hop 3

Hop 3Hop 4


… and so on …

Application level

TCP/UDP

IP

Hardware

Client

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

IP

Hardware

Router

Application level

TCP/UDP

IP

Hardware

Server

Hop 1 Hop 2 Hop 3

Hop 3Hop 4


Advantages

• We don’t need access (I.e. SNMP) to the routers

• It’s very fast

• Standard Internet tool: it doesn’t break things

• Insignificant load on the routers

• Not likely to show up on IDS reports

• We can probe with many packet types


Limitations

• Outgoing paths only

• Level 3 (IP) only– ATM networks appear as a single node– This distorts graphical analysis

• Not all routers respond

• Many routers limited to one response per second


Limitations

• View is from scanning host only

• Takes a while to collect alternating paths

• Gentle mapping means missed endpoints

• Imputes non-existent links


The data can go either way

A

E F

D

B C


But our test packets only go part of the way

A

E F

D

B C


We record the hop…

A

E F

D

B C


The next probe happens to go the other way

A

E F

D

B C


…and we record the other hop…

A

E F

D

B C


We’ve imputed a link that doesn’t exist

A

E F

D

B C


Data collection complaints

• Australian parliament was the first to complain

• List of whiners (25 nets)

• Military noticed immediately– Steve Northcutt– arrangements/warnings to DISA and CERT

• These complaints are mostly a thing of the past– Internet background radiation

predominates


Visualization goals

• make a map– show interesting features– debug our database and collection

methods– hard to fold up

• geography doesn’t matter

• use colors to show further meaning


Infovis state-of-the-art in 1998

• 800 nodes was a huge graph

• We had 100,000 nodes

• Use spring-force simulation with lots of empirical tweaks

• Each layout needed 20 hours of Pentium time

137 slides

Visualization of the layout algorithm

Laying out the Internet graph

137 slides

Visualization of the layout algorithm

Laying out an intranet


A simplified map

• Minimum distance spanning tree uses 80% of the data

• Much easier visualization

• Most of the links still valid

• Redundancy is in the middle


Colored byAS number


Map Coloring

• distance from test host

• IP address– shows communities

• Geographical (by TLD)

• ISPs

• future– timing, firewalls, LSRR blocks


Colored by IP address!


Colored by geography


Colored by ISP


Colored by distancefrom scanning host


US militaryreached by ICMP ping


US military networksreached by UDP

137 slides

Yugoslavia

An unclassified peek at a new battlefield

137 slides

Un film par Steve “Hollywood” Branigan...

137 slides

fin


Routers in New York Citymissing generator fuel

1000

1100

1200

1300

1400

9/11 9/12 9/13 9/14 9/15 9/16 9/17 9/18 9/19 9/20 9/21 9/22

Date

# R

ou

ters

137 slides

Intranets


We partition our networks to get out of the game

• Companies, governments, departments, even families hide in enclaves to limit connectivity to approved services

• These are called intranets

• The decentralized, cloud-like nature of internets makes them hard to manage at a central point

• My company explores the extent of intranets and their interconnections with other networks.

137 slides

Intranets: the rest of the Internet


This wasSupposedTo be aVPN

137 slides

Anything large enough to be called

an “intranet” isout of control


Case studies: corp. networksSome intranet statistics

Min MaxIntranet sizes (devices) 7,900 365,000Corporate address space 81,000 745,000,000% devices in unknown address space 0.01% 20.86%

% routers responding to "public" 0.14% 75.50%% routers responding to other 0.00% 52.00%

Outbound host leaks on network 0 176,000% devices with outbound ICMP leaks 0% 79%% devices with outbound UDP leaks 0% 82%

Inbound UDP host leaks 0 5,800% devices with inbound ICMP leaks 0% 11%% devices with inbound UDP leaks 0% 12%% hosts running Windows 36% 84%


Leak Detection

Internet intranet

Mapping hostA

Test hostB

mittD

C

• A sends packet to B, with spoofed return address of D

• If B can, it will reply to D with a response, possibly through a different interface


Leak Detection

Internet intranet

Mapping hostA

Test hostB

mittD

C

• Packet must be crafted so the response won’t be permitted through the firewall

• A variety of packet types and responses are used

• Either inside or outside address may be discovered

• Packet is labeled so we know where it came from


Existence proofs of intranet leaks: the slammer worm

• It’s a pop-quiz on perimeter integrity

• The best run networks (e.g. spooks’ nets) do not get these plagues– Internal hosts may be susceptible


Some Lumeta lessons

• Reporting is the really hard part– Converting data to information

• “Tell me how we compare to other clients”

• Offering a service was good practice, for a while

• The clients want a device

• We have >70 Fortune-200 companies and government agencies as clients

• Need-to-have vs. want-to-have


Honeyd – network emulation

• Anti-hacking tools by Niels Provos at citi.umich.edu

• Can respond as one or more hosts

• I am configuring it to look like an entire client’s network

• Useful for testing and debugging

• Product?


History of the Project

• Started in August 1998 at Bell Labs

• April-June 1999: Yugoslavia mapping

• July 2000: first customer intranet scanned

• Sept. 2000: spun off Lumeta from Lucent/Bell Labs

• June 2002: “B” round funding completed

• 2003: sales >$4MM

137 slides

Mapping the Internet and

IntranetsBill Cheswick

[email protected]

http://www.cheswick.com

137 slides

My Dad’s Computer and the Future of Internet Security

Bill Cheswick

[email protected]

http://www.lumeta.com

137 slides

My Dad’s computer

Skinny-dipping with Microsoft


Case study:My Dad’s computer

• Windows XP, plenty of horsepower, two screens

• Applications:– Email (Outlook)– “Bridge:” a fancy stock market monitoring

system– AIM


Case study:My Dad’s computer

• Cable access

• dynamic IP address

• no NAT

• no firewall

• outdated virus software

• no spyware checker


This computer was a software toxic waste dump

• It was burning a liter of oil every 500 km

• The popups seemed darned distracting to me


My Dad’s computer: what the repair geek found

• Everything

• “Viruses I’ve never heard off”

• Constant popups

• Frequent blasts of multiple web pages, all obscene

• Dad: why do I care? I am getting my work done


Dad’s computer: how did he get in this mess?

• He doesn’t know what the popup security messages mean

• Email-born viruses

• Unsecured network services

• Executable code in web pages from unworthy sites


He is getting his work done

• Didn’t want a system administrator to mess up his user interface settings

• Truly destructive attacks are rare– They aren’t lucrative or much fun– They are self-limiting


Recently

• An alien G-rated screen saver for an X-rated site appeared

• Changing the screen saver worked!

• The screen saver software removed in the correct way!

• Still, this should never have happened

137 slides

Skinny Dipping on the Internet


I’ve been skinny dipping on the Internet for years

• FreeBSD and Linux hosts

• Very few, very hardened network services

• Single-user hosts

• Dangerous services placed in sandboxes

• No known breakins

• No angst

137 slides

“Best block is not be there”

-Karate Kid


Angst and the Morris Worm

• Did the worm get past my firewall?

• No. Why?– Partly smart design– Partly luck…removing fingerd

• Peace of mind comes from staying out of the battle altogether

137 slides

“You’ve got to get out of the game”

-Fred Grampp

137 slides

Can my Dad (and millions like him)

get out of the game?

137 slides

Arms Races


Virus arms race

• Early on, detectors used viral signatures

• Virus encryption and recompilation (!) has thwarted this

• Virus detectors now simulate the code, looking for signature actions

• Virus writers now detect emulation and behave differently

• Virus emulators are slowing down, even with Moore’s Law.


Virus arms race

• I suspect that virus writers are going to win the detection battle, if they haven’t already– Emulation may become too slow– Even though we have the home-field advantage– Will we know if an undetectable virus is released?

• Best defense is to get out of the game.– Don’t run portable programs, or– Improve our sandbox technology

• People who really care about this worry about Ken Thompson’s attack– Read and understand “On Trusting Trust”


Getting out of the virus game

• Don’t execute roving programs of unknown provenance

• Trusted Computing can fix the problem, in theory


Password sniffing and cracking arms race

• Ethernet has always been sniffable

• WiFi is the new Ethernet



• Password cracking works 3% to 60% of the time using offline dictionary attacks– More, if the hashing is misdesigned (c.f.

Microsoft)

• This will never get better, so…

• We have to get out of the game



• This battle is mostly won, thanks to SSL, IP/SEC, and VPNs.

• There are many successful businesses using these techniques nicely.


Password sniffing is not a problem for Dad

• SSL fixes most of it

• AIM is interceptible– Fixable…will it be?


Authentication/Identification Arms races

• Password/PIN selection vs. cracking

• Human-chosen passwords and PINs can be ok if guessing is limited, and obvious choices are suppressed

• Password cracking is getting better, thanks to Moore’s Law and perhaps even botnets


We don’t know how to leave the user in charge of security decisions, safely.


User education vs. user deception

• We will continue losing this one

• Even experts sometimes don’t understand the ramifications of choices they are offered


Authentication arms race:predictions

• USA needs two factor authentication for social security number. (Something better than MMN or birth date.)

• I don’t see this improving much, but a global USB dongle would do it

• Don’t wait for world-wide PKI.


Arms race (sort of)hardware destruction

• IBM monochrome monitor

• Some more recent monitors– Current ones?

• Hard drives? Beat the heads up?

• EEPROM write limits– Viral attack on .cn and .kr PC

motherboards– Other equipment

• Anything that requires a hardware on-site service call


Arms race (sort of)hardware destruction

• Rendering the firmware useless– This can be fixed (mostly) with a secure

trusted computing base.


Software upgrade race: literally a race

• Patches are analyzed to determine the weakness

• Patch-to-exploit time is now down below 10 hours– NB: spammers have incentive to do this

work

• Now the good guys are trying to obfuscate code!

• Future difficult to say: dark side obscures everything.


Arms Races: deception

• Jails– Cliff Stoll and SDInet

• Honeypots– Honeynet– honeyd

• The deception toolkit---Fred Cohen

137 slides

Microsoft client security

It has been getting worse: can they skinny-dip safely?


Windows MEActive Connections - Win ME

Proto Local Address Foreign Address State TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING TCP 223.223.223.10:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:1025 *:* UDP 0.0.0.0:1026 *:* UDP 0.0.0.0:31337 *:* UDP 0.0.0.0:162 *:* UDP 223.223.223.10:137 *:* UDP 223.223.223.10:138 *:*


Windows 2000

Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING TCP 0.0.0.0:1036 0.0.0.0:0 LISTENING TCP 0.0.0.0:1078 0.0.0.0:0 LISTENING TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING TCP 0.0.0.0:1086 0.0.0.0:0 LISTENING TCP 0.0.0.0:6515 0.0.0.0:0 LISTENING TCP 127.0.0.1:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:445 *:* UDP 0.0.0.0:1038 *:* UDP 0.0.0.0:6514 *:* UDP 0.0.0.0:6515 *:* UDP 127.0.0.1:1108 *:* UDP 223.223.223.96:500 *:* UDP 223.223.223.96:4500 *:*


Windows XP, this laptop Proto Local Address Foreign Address State TCP ches-pc:epmap ches-pc:0 LISTENING TCP ches-pc:microsoft-ds ches-pc:0 LISTENING TCP ches-pc:1025 ches-pc:0 LISTENING TCP ches-pc:1036 ches-pc:0 LISTENING TCP ches-pc:3115 ches-pc:0 LISTENING TCP ches-pc:3118 ches-pc:0 LISTENING TCP ches-pc:3470 ches-pc:0 LISTENING TCP ches-pc:3477 ches-pc:0 LISTENING TCP ches-pc:5000 ches-pc:0 LISTENING TCP ches-pc:6515 ches-pc:0 LISTENING TCP ches-pc:netbios-ssn ches-pc:0 LISTENING TCP ches-pc:3001 ches-pc:0 LISTENING TCP ches-pc:3002 ches-pc:0 LISTENING TCP ches-pc:3003 ches-pc:0 LISTENING TCP ches-pc:5180 ches-pc:0 LISTENING UDP ches-pc:microsoft-ds *:* UDP ches-pc:isakmp *:* UDP ches-pc:1027 *:* UDP ches-pc:3008 *:* UDP ches-pc:3473 *:* UDP ches-pc:6514 *:* UDP ches-pc:6515 *:* UDP ches-pc:netbios-ns *:* UDP ches-pc:netbios-dgm *:* UDP ches-pc:1900 *:* UDP ches-pc:ntp *:* UDP ches-pc:1900 *:* UDP ches-pc:3471 *:*


FreeBSD partition, this laptop(getting out of the game)

Active Internet connections (including servers)Proto Recv-Q Send-Q Local Address tcp4 0 0 *.22 tcp6 0 0 *.22

137 slides

It is easy to dump on Microsoft, but many others have made the

same mistakes before


ftp stream tcp nowait root /v/gate/ftpdtelnet stream tcp nowait root /usr/etc/telnetdshell stream tcp nowait root /usr/etc/rshdlogin stream tcp nowait root /usr/etc/rlogind exec stream tcp nowait root /usr/etc/rexecd finger stream tcp nowait guest /usr/etc/fingerd bootp dgram udp wait root /usr/etc/bootp tftp dgram udp wait guest /usr/etc/tftpd ntalk dgram udp wait root /usr/etc/talkd tcpmux stream tcp nowait root internalecho stream tcp nowait root internaldiscard stream tcp nowait root internalchargen stream tcp nowait root internaldaytime stream tcp nowait root internaltime stream tcp nowait root internalecho dgram udp wait root internaldiscard dgram udp wait root internalchargen dgram udp wait root internaldaytime dgram udp wait root internaltime dgram udp wait root internalsgi-dgl stream tcp nowait root/rcv dglduucp stream tcp nowait root /usr/lib/uucp/uucpd

Default servicesSGI workstation


More default services

mountd/1 stream rpc/tcp wait/lc root rpc.mountdmountd/1 dgram rpc/udp wait/lc root rpc.mountdsgi_mountd/1 stream rpc/tcp wait/lc root rpc.mountdsgi_mountd/1 dgram rpc/udp wait/lc root rpc.mountdrstatd/1-3 dgram rpc/udp wait root rpc.rstatd walld/1 dgram rpc/udp wait root rpc.rwalld rusersd/1 dgram rpc/udp wait root rpc.rusersd rquotad/1 dgram rpc/udp wait root rpc.rquotad sprayd/1 dgram rpc/udp wait root rpc.sprayd bootparam/1 dgram rpc/udp wait root rpc.bootparamdsgi_videod/1 stream rpc/tcp wait root ?videod sgi_fam/1 stream rpc/tcp wait root ?fam sgi_snoopd/1 stream rpc/tcp wait root ?rpc.snoopd sgi_pcsd/1 dgram rpc/udp wait root ?cvpcsd sgi_pod/1 stream rpc/tcp wait root ?podd tcpmux/sgi_scanner stream tcp nowait root ?scan/net/scannerdtcpmux/sgi_printer stream tcp nowait root ?print/printerd 9fs stream tcp nowait root /v/bin/u9fs u9fswebproxy stream tcp nowait root /usr/local/etc/webserv

137 slides

Firewalls and intranets try to get

us out of the network services

vulnerability game

137 slides

What my dad(and most of you)

really needs

137 slides

Most of my Dad’s problems are caused by weaknesses in

features he never uses or needs.

137 slides

A proposal:Windows OK


Windows OK

• Thin client implemented with Windows

• It would be fine for maybe half the Windows users– Students, consumers, many corporate

and government users

• It would be reasonable to skinny dip with this client– Without firewall or virus checking

software


Windows OK

• No network listeners– None of those services are needed, except

admin access for centrally-administered hosts

• Default security settings

• All security controls in one or two places

• Security settings can be locked


Windows OK (cont)

• There should be nothing you can click on, in email or a web page, that can hurt your computer– No portable programs are executed ever,

except…

• ActiveX from approved parties– MSFT and one or two others. List is

lockable


Windows OK

• Reduce privileges in servers and all programs

• Sandbox programs– Belt and suspenders


Office OK

• No macros in Word or PowerPoint. No executable code in PowerPoint files

• The only macros allowed in Excel perform arithmetic. They cannot create files, etc.


Vulnerabilities in OK

• Buffer overflows in processing of data (not from the network)

• Stop adding new features and focus on bug fixes

• Programmers can clean up bugs, if they don’t have a moving target– It converges, to some extent

137 slides

XP SP2

Bill Gets It


Microsoft’s Augean Stables:a task for Hercules

• 3000 oxen, 30 years, that’s roughly one oxen-day per line of code in Windows

• It’s been getting worse since Windows 95


XP SP2: Bill gets it

• “a feature you don’t use should not be a security problem for you.”

• “Security by design”– Too late for that, its all retrofitting now

• “Security by default”– No network services on by default

• Security control panel– Many things missing from it– Speaker could not find ActiveX security settings

• There are a lot of details that remain to be seen.


Microsoft really means it about improving their security

• Their security commitment appears to be real

• It is a huge job

• Opposing forces are unclear to me

• It’s been a long time coming, and frustrating


Microsoft secure client arms race

• We are likely to win, but it is going to be a while


SP2 isn’t going to be easy to deploy

• Many people rely on unsafe configurations, even if they don’t realize it

• Future SPs won’t be easy either, especially if they follow my advice


Windows XP SP2

• Candidate 2 release is available

• Read the EULA…it is interesting and a bit different


SP2 is just a start: more work is needed

• Security panel and ActiveX permissions– Also, list of trusted signers needed

• Still too many network services– They may not be reachable from outside

the box

• Clicking may still be dangerous


Conclusions: we ought to win these battles

• We control the playing field

• DOS is the worse they can do, in theory

• We can replicate our successes

• We can converge on a secure-enough environment


Conclusions: problems

• The business models to achieve these successes seem surprisingly elusive to me

• Security devices, and stand-alone devices, are close to meeting our needs– Except full-functioned routers

• General purpose computers are the big problem– Apparently features are more important

than security, to the customers– Is this really true?

137 slides

My Dad’s Computer and the Future of Internet Security

Bill Cheswick

[email protected]

http://www.lumeta.com

1 of 137Internet Mapping, Columbia. 137 slides Clear and Present Dangers Bill Cheswick Lumeta Corp....

Documents

Transcript of 1 of 137Internet Mapping, Columbia. 137 slides Clear and Present Dangers Bill Cheswick Lumeta Corp....