Thursday, September 16, 2010

What is Network and Host Mapping

The goal of host mapping is simply to determine what hosts or services are available in a facility. In some sense, the odds are in the analyst's favor; we are defending sparse matrices. Suppose you have a class B network, 172.20.0.0—that is 65,536 possible addresses. There are also 65,536 TCP ports and 65,536 UDP ports. That means that the attacker has in excess of 23 trillion possible targets. Scanning at a rate of 18 packets per second, it would take a shade under five million years to completely scan the network. Because computers have a life span of between three and five years, the rate of change confounds the usefulness of the scan.

Now to be sure, attackers are coming up with smarter and faster scanning techniques. There is no need for an attacker to consider all possible port numbers. Fifty TCP and UDP ports will account for all the probable services, so the target space is something in the range of 163 million, which could be scanned in less than four months at 18 packets per second. Hmmmm, that is achievable! And if the site doesn't have intrusion detection, the site owners will probably never know if the attacker's scan randomizes the addresses and ports a bit.
But if the attackers can get an accurate host map, they can turn the tables on those of us who defend networks. Many address spaces are lightly populated. If the attacker is able to determine where the hosts are, they have a serious advantage. Say our class B network was populated with only about six thousand computers and the attacker can find them. Now, the attacker can scan the populated hosts on the net, at 18 packets per second, in less than ten days—and there still are much more efficient ways to do the scan. In fact, if we allow ICMP echo request broadcasts, they can ping map our network with only 255 packets.

The point of the story is obvious. If attackers are not able to get intelligence information about our site, they are forced to guess about a very sparse matrix. If we do let their intelligence-gathering probes succeed, then they don't have to do much guessing at all.

So how could an attacker get such an accurate host map? Many sites still make a "host table" available for FTP download. Other sites allow DNS zone transfers. Or perhaps the attacker will have to work to discover this information with host scans.
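As an added illustration (not part of the original post), here is a small detector for the two host-mapping signals described above, run over a constructed packet log: a source touching many distinct internal hosts, and an ICMP echo request aimed at the class B's directed broadcast address. The log format, the scanner and client addresses, and the host threshold are all assumptions made for this example.

```python
# Added example (not from the original post): a minimal detector for the two
# host-mapping signals the post describes, run over constructed log lines.
# Assumed log format: "<seconds> <proto> <src_ip> <dst_ip> <dst_port>".
from collections import defaultdict
import ipaddress

SITE_NET = ipaddress.ip_network("172.20.0.0/16")   # the post's class B
HOST_THRESHOLD = 5   # distinct internal hosts one source may touch (assumed)

# Constructed sample: a scanner (198.51.100.7) probes six hosts in random
# order on random ports, a normal client talks to one server, and one packet
# is an ICMP echo request to the directed broadcast address.
SAMPLE_LOG = """\
1.0 TCP 198.51.100.7 172.20.3.17 445
1.1 TCP 203.0.113.9 172.20.1.10 443
1.2 UDP 198.51.100.7 172.20.40.2 53
1.3 TCP 198.51.100.7 172.20.1.10 22
1.4 ICMP 198.51.100.7 172.20.255.255 0
1.5 TCP 203.0.113.9 172.20.1.10 443
1.6 TCP 198.51.100.7 172.20.200.9 80
1.7 TCP 198.51.100.7 172.20.9.77 25
1.8 UDP 198.51.100.7 172.20.77.1 161
"""

def parse(line):
    ts, proto, src, dst, port = line.split()
    return float(ts), proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def analyse(log_text, host_threshold=HOST_THRESHOLD):
    """Return sorted alerts as (kind, source_ip) tuples.

    host_sweep: a source contacted >= host_threshold distinct internal hosts.
    Counting distinct hosts per source ignores packet order, so a scan that
    randomizes addresses and ports still trips it.
    broadcast_ping: ICMP sent to the network's directed broadcast address,
    the 255-packet ping-map trick the post mentions.
    """
    hosts_seen = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        _, proto, src, dst, _ = parse(line)
        if dst not in SITE_NET:          # only traffic aimed at our space
            continue
        if proto == "ICMP" and dst == SITE_NET.broadcast_address:
            alerts.append(("broadcast_ping", str(src)))
        hosts_seen[src].add(dst)
    for src, hosts in hosts_seen.items():
        if len(hosts) >= host_threshold:
            alerts.append(("host_sweep", str(src)))
    return sorted(alerts)
```

Running `analyse(SAMPLE_LOG)` flags 198.51.100.7 for both the sweep and the broadcast ping, while the client that only talks to 172.20.1.10 stays quiet.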
