Fun with FCC part

Dec 4, 2013 (3 years and 10 months ago)

41 slides

Fun with FCC part 15

Home speaker system on 107.3

(and that’s not easy in the NYC/PHL area)

Emulating large intranets with honeyd

Bill Cheswick

ches@lumeta.com

This talk was going to be boring…

Another Reason Why I Like the Window Seat

Bill Cheswick

Mapping the Internet and Intranets


Steve Branigan, Hal Burch, Bill Cheswick

ches@lumeta.com

Mapping the Internet and intranets slide 6 of 41

How To Take the Internet Down for a week

Bill Cheswick

<startup-name>

ches@bell-labs.com

ches@cheswick.com

Our digital house

By Kestrel, Terence, Lorette, and Bill Cheswick

Emulating large intranets with honeyd

Bill Cheswick

ches@lumeta.com

Free at last!


Nagata


Varley


Etc.

Anything large enough to be called an “intranet” is out of control



Lumeta


Spun off from Bell Labs in Sept. 2000


B round funding last June


Building a hang glider…

Inside the Kimono…

Some intranet statistics from Lumeta clients

Intranet sizes (devices)                     7,900      365,000
Corporate address space                     81,000      745,000,000
Address space usage efficiency
% devices in unknown address space          0.01%       20.86%
% routers responding to "public"            0.14%       75.50%
% routers responding to other               0.00%       52.00%
Outbound host leaks on network              0           176,000
% devices with outbound ICMP leaks          0%          79%
% devices with outbound UDP leaks           0%          82%
Inbound UDP host leaks                      0           5,800
% devices with inbound ICMP leaks           0%          11%
% devices with inbound UDP leaks            0%          12%
% hosts running Windows                     36%         84%

But how do we debug our software?


We used to use Lucent’s network back when I was working at Bell Labs


We have a very light touch on our clients’ networks, and they like it that way


The Bank of Zork (NASDAQ: BOZO) doesn’t want us practicing on their network

Simulation vs emulation


Simulators run packet flows over imaginary networks


Often run to test routing and queuing algorithms


Emulator wants to appear to be the network

What does a chief scientist do?


Primarily a prima donna


Certainly not in development


Travel too much to keep deadline promises


Never was good at all-nighters


Find a project that would be nice, but nobody is waiting for


QA was a fine place to look

Honeyd


Written by Niels Provos at citi.umich.edu


Name unrelated to, and vexes, Peter Honeyman, also of citi.umich.edu


Designed to emulate one or more computers in a single host to lure and confuse hackers


Responds using nmap and other host fingerprinting databases


User scripts available to emulate specific web and other network server software

Honeyd


Designed to emulate one or more computers in a single host to lure and confuse hackers


User scripts available to emulate specific web and other network server software


Microsoft IIS web server


A number of text-based services are emulated in available scripts

Honeyd


Host fingerprint identification based on probe databases


Nmap


xprobe

My Honeyd project


Make honeyd configuration scripts that build our clients’ networks from the data we obtain


Add UDP servers for


DNS (name service)


SNMP (Simple Network Management Protocol)

Uses


Perfect test network for QA


Unchanging….diff the pages


Build pathological network configurations


Training


Sales demos


Could this be a product?


My honeyd scripts


Generates entire network description for honeyd based on our client data


You want a 50,000 node network based on real data? No problem. 300,000 nodes? OK


DNS emulates name server lookups


Routers respond with SNMP data
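
An added example, not code from the talk or from Lumeta: one way a script could turn mapping data into a honeyd configuration using honeyd's create/set/add/bind/route directives. The topology, host list and SNMP script path are constructed placeholders, and the generator goes slightly beyond the slide by rejecting routing loops and hosts that fall outside every mapped subnet.

```python
import ipaddress

# Constructed sample map (not client data): router IP -> (upstream gateway,
# attached subnet, latency in ms of the hop from upstream). None = entry router.
ROUTERS = {
    "10.0.0.1": (None, "10.0.0.0/24", 0),
    "10.1.0.1": ("10.0.0.1", "10.1.0.0/24", 12),
    "10.2.0.1": ("10.1.0.1", "10.2.0.0/24", 40),
}
HOSTS = ["10.1.0.10", "10.2.0.20", "10.2.0.21"]
SNMP_CMD = "scripts/snmp-emul.sh"  # hypothetical responder script path

def path_to_entry(routers, ip):
    """Return [ip, upstream, ..., entry]; reject loops and dangling upstreams."""
    path = [ip]
    while routers[path[-1]][0] is not None:
        parent = routers[path[-1]][0]
        if parent not in routers or parent in path:
            raise ValueError(f"bad upstream {parent!r} for router {path[-1]}")
        path.append(parent)
    return path

def honeyd_config(routers, hosts, snmp_cmd=SNMP_CMD):
    """Emit honeyd template, route and bind lines for the mapped network."""
    entries = [ip for ip, r in routers.items() if r[0] is None]
    if len(entries) != 1:
        raise ValueError("need exactly one entry router")
    out = ["create router", "set router default tcp action reset",
           "set router default icmp action open",
           f'add router udp port 161 "{snmp_cmd}"',
           "create host", "set host default tcp action reset",
           "set host default icmp action open",
           f"route entry {entries[0]}"]
    for ip, (_, subnet, _) in routers.items():
        out.append(f"route {ip} link {subnet}")
        path = path_to_entry(routers, ip)
        # Each upstream router needs a route to this subnet via its next hop.
        for child, upstream in zip(path, path[1:]):
            out.append(f"route {upstream} add net {subnet} {child} "
                       f"latency {routers[child][2]}ms")
        out.append(f"bind {ip} router")
    nets = [ipaddress.ip_network(r[1]) for r in routers.values()]
    for h in hosts:
        if not any(ipaddress.ip_address(h) in n for n in nets):
            raise ValueError(f"host {h} is in unknown address space")
        out.append(f"bind {h} host")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(honeyd_config(ROUTERS, HOSTS), end="")
```

Because the output is deterministic for a given map, two runs can be diffed, which is the property the QA use case relies on.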


How good is the emulation?


Handles pings and traceroutes with no problem


Handles “stealth hosts”, routers that don’t issue TTL exceeded messages


Even does a fair job of simulating latencies


Emulator for SNMP and DNS queries


This is good enough for us: we don’t collect other data at present


Real networks change as you test them.

Real

Simulated

Certainly not perfect


There isn’t nearly as much state in our network emulation as there is in a real network


CPU time becomes an issue, and the emulator is not efficient at the moment


Moore’s law is a big help here


Host fingerprinting could make the network much more convincing


We are working on it


Could just fake it

Future work


Many incremental improvements to network simulations


Honeyd performance improvements


Might release a large cleansed network configuration for research purposes

Emulating large intranets with honeyd

Bill Cheswick

ches@lumeta.com