
Mapping, Not Hacking

We do not want our tracing to be confused with hacking probes, so the mapping must proceed gingerly. The mapping program probes with UDP packets addressed to high port numbers ranging from about 33,000 to 50,000. Most intrusion detection systems recognize these as traceroute-style packets, though our port range is larger than traceroute's. At worst, the probes tend to confuse system administrators, as there are few real services that use these ports.

The path is discovered one hop at a time. For each hop, a probe is sent out. If no reply is received in 5 seconds, a second probe is sent. If no reply is received to the second probe in 15 more seconds, a third probe is sent. If no reply is received within 45 seconds after the third probe is sent, the path discovery is halted. Stopping a path trace after failing only one hop stops us from discovering the second half of many paths [5], but makes us less threatening network citizens. A new scanner will try one hop beyond these IP "holes", giving us some idea of what we are missing.
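The retry schedule above, written out as an added illustration that is not the paper's own mapper: the probe function and the sample topology are constructed stand-ins, so the code runs offline and only models the 5 s / 15 s / 45 s windows and the rule that one silent hop ends the trace.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Retry schedule from the section: probe, wait 5 s; re-probe, wait 15 s more;
# re-probe, wait 45 s more; then halt the whole trace at this hop.
RETRY_WAITS = (5, 15, 45)

# A probe function takes (ttl, attempt) and returns the replying router's
# address, or None if nothing answered within that attempt's window.
ProbeFn = Callable[[int, int], Optional[str]]

def probe_hop(probe: ProbeFn, ttl: int) -> Tuple[Optional[str], int]:
    """Try one hop up to three times. Returns (responder or None, seconds spent)."""
    spent = 0
    for attempt, wait in enumerate(RETRY_WAITS, start=1):
        responder = probe(ttl, attempt)
        if responder is not None:
            return responder, spent
        spent += wait  # no reply: wait out this attempt's window before the next
    return None, spent

def discover_path(probe: ProbeFn, max_hops: int = 30) -> Tuple[List[str], int]:
    """Walk hops 1..max_hops; halt at the first hop that never answers."""
    path: List[str] = []
    total = 0
    for ttl in range(1, max_hops + 1):
        responder, spent = probe_hop(probe, ttl)
        total += spent
        if responder is None:
            break  # one silent hop ends the trace (the conservative rule above)
        path.append(responder)
    return path, total

def simulated_probe(replies: Dict[int, List[Optional[str]]]) -> ProbeFn:
    """Constructed, offline stand-in for the network: replies[ttl][attempt-1]."""
    def probe(ttl: int, attempt: int) -> Optional[str]:
        per_hop = replies.get(ttl, [])
        return per_hop[attempt - 1] if attempt - 1 < len(per_hop) else None
    return probe

# Constructed sample topology: hop 2 answers only on the third probe and
# hop 4 never answers, so the trace stops after hop 3 having spent 0+20+0+65 s.
SAMPLE = simulated_probe({
    1: ["10.0.0.1"],
    2: [None, None, "10.0.1.1"],
    3: ["10.0.2.1"],
    4: [None, None, None],
    5: ["10.0.4.1"],  # never reached, because hop 4 is a hole
})

if __name__ == "__main__":
    print(discover_path(SAMPLE))  # (['10.0.0.1', '10.0.1.1', '10.0.2.1'], 85)
```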

Since we do not want our mapping to be confused with hacking network probes, it is vital that curious system administrators can easily determine what we are doing. Our first clue to them is the name of our mapping host, ches-netmapper, and the domain research.bell-labs.com. This name itself tells most of the story, and we think this makes most administrators who do notice the packets nod and move on to other work.

We maintain a web page describing this project [22]. Tom Limoncelli, who runs the network that contains our mapping host, has had to field a number of queries about our activities; he added a DNS TXT record to netmapper's entry that points to our web page. In addition, he suggested the world's shortest (and safest) web server to direct queries to the project's web page (the web server just cats a file).

A few network administrators have complained. They either did not like the probe, or our packets cluttered their logs. (The Australian Parliament was the first on the list!) We record these networks in an opt-out list and cease probing them. Certainly others may have simply blocked our packets, or filtered our probes out of their logs. It would be interesting to compare hosts that were reached early in the scans and later fell out of sight.

We have been in touch with a number of emergency response groups to explain our activity. We want them to understand the mapping activity and satisfy their justifiable curiosity. We would have a much harder time justifying our probes if we ran overt host or port scans, which often precede a hacking attack. We believe only a tiny percentage of the Internet system administrators have noticed our mapping efforts.

The mapping machine itself is highly resistant to network invasion: some other network scans have prompted powerful hacking responses. Of course, like any other publicly-accessible machine, it could fall to denial-of-service attacks.


Hal Burch 2000-04-18