Mapping the Internet and intranets • Steve Branigan, Hal Burch, Bill Cheswick • Bell Labs, Lucent Tech.
Motivations • Work on DoS anonymous packet traceback - Internet tomography. • Highlands “day after” scenario • Curiosity about size and growth of the Internet • Same tools are useful for understanding any large network, including intranets
The Project • Long term reliable collection of Internet and Lucent connectivity information without annoying too many people • Attempt some simple visualizations of the data • movie of Internet growth! • Develop tools to probe intranets • Extended database for researchers
Uses for the Internet data • topography studies • long-term routing studies • publicly available database (“open source”) for spooks • interesting database for graph theorists • combine with other mappers to make an actual map of the Internet
Uses for intranet data • Map “inside” the security perimeter • Take a census of Lucent hosts • Discover hosts that have unauthorized access to both the intranet and the Internet • illegal connections • misconfigured firewalls • maybe misconfigured telecommuters
Network scanning • Custom program • Concurrently scans towards 500 nets at once • Throttled to 100 packets/sec: can do much faster • Slow daily scan for host on destination network
Limitations • My view of the Internet, not yours • radical shifts when our ISP situation changes • Outgoing paths only • Takes a while to collect alternating paths • Gentle mapping means missed endpoints • good v. evil
Data collection complaints • Australian parliament was the first to complain • List of whiners (25 nets) • Military noticed immediately • Steve Northcutt • arrangements/warnings to DISA and CERT
Visualization goals • make a map • show interesting features • debug our database and collection methods • hard to fold up • geography doesn’t matter • use colors to show further meaning
Early layouts • Interesting art • tantalizing edges • interior shows ISPs (colored by IP address!) • can’t trace routes • can’t even find the probe host
When data is inconvenient, throw some away • minimum distance spanning tree • connectivity, not actual paths • we get more information out of it • add other paths to show further information
Current map coloring • distance from test host • IP address shows communities • Geographical (by TLD) • ISPs • future: timing, firewalls, LSRR blocks
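The spanning-tree reduction and the distance-from-test-host coloring described in the two slides above, as an added example that is not the authors' code. It assumes "minimum distance" means hop count from the probe host (a breadth-first shortest-path tree); the node names and paths are constructed sample data.

```python
from collections import deque

# Constructed sample: traceroute-style paths from one probe host (names are made up).
PATHS = [
    ["probe", "gw", "isp-a1", "isp-a2", "dst1"],
    ["probe", "gw", "isp-b1", "isp-a2", "dst2"],
    ["probe", "gw", "isp-b1", "isp-b2", "dst3"],
    ["probe", "gw", "isp-a1", "isp-b2", "dst3"],
]

def build_graph(paths):
    """Merge paths into an undirected adjacency map: connectivity, not actual routes."""
    adj = {}
    for path in paths:
        for a, b in zip(path, path[1:]):
            if a == b:  # same router reported on consecutive hops
                continue
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    return adj

def min_distance_tree(adj, root):
    """BFS from root. Returns (parent, dist): a minimum hop-distance spanning tree."""
    parent, dist = {root: None}, {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nbr in sorted(adj[node]):  # sorted so ties break deterministically
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                parent[nbr] = node
                queue.append(nbr)
    return parent, dist

def dropped_edges(adj, parent):
    """Links seen in the data but thrown away by the tree (overlay candidates)."""
    tree = {frozenset((c, p)) for c, p in parent.items() if p is not None}
    seen = {frozenset((a, b)) for a in adj for b in adj[a]}
    return sorted(tuple(sorted(e)) for e in seen - tree)

if __name__ == "__main__":
    graph = build_graph(PATHS)
    parent, dist = min_distance_tree(graph, "probe")
    for node in sorted(dist, key=lambda n: (dist[n], n)):
        print(f"{node:8} hops={dist[node]} parent={parent[node]}")  # hops = color band
    print("dropped:", dropped_edges(graph, parent))
```

The `dist` value is what a layout would map to color, and the dropped links are the "other paths" that can be drawn back over the tree.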
Yugoslavia Serbia and Bosnia
Results - Internet database • 100,000 of the world’s most important routers • >150 routes to one destination! • Yugoslavia bombing of power infrastructure is apparent • Offers for other scan points • how to pick them?
Recipe for good intranet security • Know what you have. • Then secure it.
Some basic questions… • How large is the network address space for your network? • How many systems are actually active on the network? • How much does the network change?
What is an intranet? • any network too large to control • hosts residing inside a firewall perimeter • business partner connections • corporate hosts outside of the firewall • DMZs