Pondering Perimeters: DOE, 16 June 2005 (slides 51–100 of 105)

The data can go either way
[Figure, repeated through the following slides: network graph with nodes A, B, C, D, E, F and two alternative paths between the endpoints]
But our test packets only go part of the way
We record the hop…
The next probe happens to go the other way
…and we record the other hop…
We’ve imputed a link that doesn’t exist
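The false link the slides describe comes from per-packet load balancing: each TTL probe is a separate packet, so consecutive probes can take different branches and the mapper joins hops that were never adjacent. This added simulation (not code from the talk or from Lumeta; the six-node topology, the two balancer classes and the flow id are constructed) reproduces the imputed link and shows that keeping the flow identifier constant across probes avoids it.

```python
import hashlib
from itertools import count

# Constructed toy topology, not from the talk: A probes toward Z. Router B
# has two equal-cost next hops whose paths only rejoin at Z.
NEXT_HOPS = {"A": ["B"], "B": ["C", "D"], "C": ["E"], "D": ["F"], "E": ["Z"], "F": ["Z"]}
TRUE_LINKS = {(a, b) for a, nbrs in NEXT_HOPS.items() for b in nbrs}

class PerPacketBalancer:
    """Round-robin: successive packets alternate between B's next hops."""
    def __init__(self):
        self.counter = count()

    def choose(self, router, candidates, flow_id):
        return candidates[next(self.counter) % len(candidates)]

class PerFlowBalancer:
    """Hash of (router, flow id): every probe of one flow takes the same path."""
    def choose(self, router, candidates, flow_id):
        digest = hashlib.sha256(f"{router}:{flow_id}".encode()).digest()
        return candidates[digest[0] % len(candidates)]

def forward(src, dst, ttl, balancer, flow_id):
    """Return the node at which a probe with this TTL expires (dst if it gets there)."""
    node = src
    for _ in range(ttl):
        if node == dst:
            break
        nbrs = NEXT_HOPS[node]
        node = nbrs[0] if len(nbrs) == 1 else balancer.choose(node, nbrs, flow_id)
    return node

def traceroute(src, dst, balancer, flow_id="probe", max_ttl=8):
    """Classic traceroute: one probe per TTL, each one a fresh packet."""
    hops = [src]
    for ttl in range(1, max_ttl + 1):
        hops.append(forward(src, dst, ttl, balancer, flow_id))
        if hops[-1] == dst:
            break
    return hops

def imputed_links(hops):
    """Links the trace suggests (consecutive hops) that do not exist in the topology."""
    return set(zip(hops, hops[1:])) - TRUE_LINKS
```

With the round-robin balancer the trace reads A, B, C, F, Z and imputes the nonexistent link C–F; with per-flow hashing every inferred link is real.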
Intranet implications of Internet mapping
• High speed technique, able to handle the largest networks
• Light touch: “what are you going to do to my intranet?”
• Acquire and maintain databases of Internet network assignments and usage

Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• On the Internet, these complaints are mostly a thing of the past
  – Internet background radiation predominates

Visualization goals
• make a map
  – show interesting features
  – debug our database and collection methods
• geography doesn’t matter
• use colors to show further meaning
Visualization of the layout algorithm
Laying out the Internet graph
[Figures: snapshots of the layout algorithm]

Colored by AS number
[Figure: Internet map colored by AS number]
Map Coloring
• distance from test host
• IP address
  – shows communities
• Geographical (by TLD)
• ISPs
• future
  – timing, firewalls, LSRR blocks

[Figure] Colored by IP address!
[Figure] Colored by geography
[Figure] Colored by ISP
[Figure] Colored by distance from scanning host
[Figures: further map views]
Yugoslavia
An unclassified peek at a new battlefield, 1999
[Figures: maps of the Yugoslav networks]

A film by Steve “Hollywood” Branigan...
[Figure]
The End
Intranets: the rest of the Internet
[Figures: intranet maps]

This was Supposed To be a VPN
[Figures]
Detecting perimeter leaks: not all spoofing is evil
Lumeta’s Special Sauce, 2000
Types of leaks
• Routing leaks
  – Internal routes are announced externally, and the packets are allowed to flow betwixt
• Host leaks
  – Simultaneously connected inside and out, probably without firewall-functionality
  – Not necessarily a dual-homed host
• “Please don’t call them leaks”
  – They aren’t always a Bad Thing

Routing leaks
• Easily seen on maps
• Shows up in our reports
• Generally easily fixed

Host leak detection
• Developed to find hosts that have access to both intranet and Internet
• Or across any privilege boundary
• Leaking hosts do not route between the networks
• Technology didn’t exist to find these

Possible host leaks
• Misconfigured telecommuters connecting remotely
• VPNs that are broken
• DMZ hosts with too much access
• Business partner networks
• Internet connections by rogue managers
• Modem links to ISPs

Leak Detection Prerequisites
• List of potential leakers: obtained by census
• Access to intranet
• Simultaneous availability of a “mitt”
Leak Detection Layout
• Mapping host with address A is connected to the intranet
• Mitt with address D has Internet access
• Mapping host and mitt are currently the same host, with two interfaces
[Figure, repeated on the following slides: mapping host (A) and mitt (D) straddling intranet and Internet; test host with intranet address B and a possible Internet address C]

Leak Detection
• Test host has known address B on the intranet
• It was found via census
• We are testing for unauthorized access to the Internet, possibly through a different address, C

Leak Detection
• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface

Leak Detection
• Packet must be crafted so the response won’t be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from

Inbound Leak Detection
• This direction is usually more important
• It all depends on the site policy…
• …so many leaks might be just fine.

Inbound Leak Detection
[Figure: the same layout, probing from the Internet side]
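The outbound procedure on the preceding slides (spoofed return address D, a protocol the perimeter will not pass, a label that ties the reply back to B) can be modelled without touching the network. This added simulation is not Lumeta's code; the addresses, the census, the perimeter policy and the label format are constructed. A reply that reaches the mitt gives both addresses of a leaking host: the inside one from the label and the outside one from the reply's source. It also refuses a probe type that the firewall would let through, since such a reply proves nothing.

```python
from dataclasses import dataclass

# Constructed addresses, not from the talk. The probe leaves the mapping host's
# intranet interface (A) carrying D, the mitt's Internet address, as its spoofed source.
MITT_D = "203.0.113.9"
LABEL_PREFIX = "leaktest:"   # ties a reply seen at the mitt back to the host probed
PERMITTED_OUT = {"tcp-established"}   # constructed perimeter policy, intranet -> Internet

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    label: str

@dataclass
class Host:
    """A censused intranet host (B); internet_addr (C) is set only if it also sits outside."""
    intranet_addr: str
    internet_addr: str = ""

    def reply(self, pkt):
        """Answer pkt.src. A host with its own outside interface routes there directly,
        bypassing the firewall; an ordinary host can only send via the perimeter."""
        if self.internet_addr:
            return Packet(self.internet_addr, pkt.src, pkt.proto, pkt.label), "direct"
        return Packet(self.intranet_addr, pkt.src, pkt.proto, pkt.label), "firewall"

def probe(host, proto, permitted_out=PERMITTED_OUT):
    """Return the reply the mitt sees for one probe, or None if the perimeter drops it."""
    if proto in permitted_out:
        raise ValueError(f"{proto} is allowed out, so a reply at the mitt proves nothing")
    pkt = Packet(MITT_D, host.intranet_addr, proto, LABEL_PREFIX + host.intranet_addr)
    reply, path = host.reply(pkt)
    if path == "firewall":
        return None            # blocked protocol, dropped at the perimeter: no leak
    return reply               # reached D without crossing the firewall

def detect_outbound_leaks(census, proto="udp", permitted_out=PERMITTED_OUT):
    """Map inside address (from the label) to outside address (from the reply source)."""
    leaks = {}
    for host in census:
        reply = probe(host, proto, permitted_out)
        if reply is not None and reply.label.startswith(LABEL_PREFIX):
            leaks[reply.label[len(LABEL_PREFIX):]] = reply.src
    return leaks

# Constructed census: one dual-connected host among well-behaved ones.
CENSUS = [Host("10.0.0.10"), Host("10.0.0.11", "198.51.100.7"), Host("10.0.0.12")]
```

Running detect_outbound_leaks(CENSUS) reports only 10.0.0.11, paired with the outside address 198.51.100.7 its reply came from.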
Leak results
• Found home web businesses
• At least two clients have tapped leaks
  – One made front page news
• From the military: “the republic is a little safer”
Case studies: corp. networks
Some intranet statistics

                                                     Min           Max
Intranet sizes (devices)                           7,900       365,000
Corporate address space                           81,000   745,000,000
% devices in unknown address space                 0.01%        20.86%
% routers responding to "public" (default SNMP
  community string)                                0.14%        75.50%
% routers responding to other                      0.00%        52.00%
Outbound host leaks on network                         0       176,000
% devices with outbound ICMP leaks                    0%           79%
% devices with outbound UDP leaks                     0%           82%
Inbound UDP host leaks                                 0         5,800
% devices with inbound ICMP leaks                     0%           11%
% devices with inbound UDP leaks                      0%           12%
% hosts running Windows                              36%           84%
We developed a lot of stuff
• Leak detection (that’s the special sauce)
• Lots of reports: the hardest part is converting data to information
• Route discovery: TTL probes plus SNMP router queries
• Host enumeration and identification: ping and xprobe-style host identification
• Server discovery: SYN probes of popular TCP ports
• Wireless base station discovery: xprobe, SNMP, HTTP
• And more…ask the sales people
• The “zeroth step in network intelligence” – me

IP Sonar, 2003
[Figure]