Mapping the Internet

The other day, I attended a talk by Bill “Ches” Cheswick of Lumeta at the Princeton Joint Chapter of the ACM and IEEE Computer Society. If you haven’t seen him give a talk and you have the opportunity to do so, I recommend it. His style is quite entertaining. He co-authored the book Firewalls and Internet Security with Steven Bellovin, and Avi Rubin.

He began the talk by discussing Internet security and then followed with a discussion of his Internet mapping work that eventually led to the creation of the Lucent/Bell Labs spin-off company, Lumeta.

For the Internet security portion of the talk, Ches focused on perimeter defense. He showed lots of fun pictures of examples of perimeter defense—everything from cell membranes to castle moats to The Great Wall of China. He also showed real-life failure modes including breeched levees in New Orleans and a castle that had a large portion blown out when the enemy got in and had ignited the stored gunpowder.

His point, of course, is that a network connection can be thought of as a perimeter in need of a defense. These days, it is prudent to have multiple layers of defense. For example, a home network can be protected from the Internet with a dedicated firewall device and each computer on that home network can be running its own firewall software or be otherwise locked down. Are two layers overkill for a home network? Probably not—especially if you have “users” on your network who download (right through that firewall device) programs of dubious lineage. Once malicious software is running inside your network, it’s every computer for itself.

Now, it is certainly possible to protect a computer with only one layer of defense. In fact, if you think about it, the firewall device itself is a computer with only one layer of defense. This is okay because the folks who build the firewall spend a lot of time making sure it works correctly. If you’re a bit of a thrill-seeker, you can connect your PC directly to the Internet without a dedicated firewall. Bill Cheswick calls this “skinny-dipping on the Internet” because it’s exciting, dangerous, and (for the right crowd) fun. He admitted to skinny-dipping with NetBSD and Linux based machines. I’ll save the details of locking down a Linux machine for another time.

The Internet mapping portion of the talk covered data acquisition, map generation, and interpretation. Data acquisition is fairly straightforward: lightweight traceroute-like packets are trickled out to destinations on the Internet and the return (or lack of return) is noted. Since Ches has been collecting data daily since 1998, he had some interesting stories about poeple complaining/inquiring about these probes. My favorite one-liner from this portion of the talk was: “if you want to be a stealthy mapper, pretend you’re an infected machine.” These days, there are enough virus-infected machines generating background noise that a mapper may be able to hide in the crowd.

As Ches explained, the easy part is collecting the data; “the hardest part is converting the data to information.” The fun begins when you try to visualize it. If you haven’t seen his maps, you can find some here. The basic technique is to start adding nodes to the page and have the nodes that are directly connected attract one another and have the nodes that are not directly connected repel one another. I’m sure there is more to it than that–for example, I’d guess that at close range, all nodes repel one another. It sounds as if knowing how to twiddle the attract/repel knobs to produce pretty pictures must be a bit of an art.

Other than pretty art, the utility of the maps is in their interpretation. Two of the examples he gave were (1) remote assessment of bomb damage and (2) what you can learn when you map your own network.

In the first case, he showed a video of Internet maps of Yugoslavia in May 1999. It was very obvious when communication lines and/or power were affected as large parts of the map would change significantly. It’s interesting to compare these maps with a timeline of the war from NPR.

In the second case, he described the benefit of turning the mapper inward and scanning one’s own network. By showing where probes spill from an intranet to the Internet, one can identify firewalls and gateway routers (normal stuff) as well as other router leaks—machines routing packets when they shouldn’t (at best, a forgotten router; at worst, a hacked machine). He wrapped up by describing host leaks and how to detect them. A host leak is a machine that does not route packets yet is simultaneously connected both inside and outside a firewall (when it should only be connected to one side). These machines represent a latent security fault; break into that machine and you create a router leak that bypasses the firewall. To detect a host leak, he explained that one can send a packet to the target host with a spoofed source address. If the initiating host is on one side of the firewall and the spoofed address points to a host on the other side of the firewall, any replies received by the spoofed machine indicate that the target host is connected to both sides of the firewall.

Ches wrapped up the talk with a Q&A session and gave away 4–5 of his Internet maps. Sadly, I did not get one—maybe next time.

Leave a Reply