[23356] in North American Network Operators' Group
Smurf amp detection and notification scripts
daemon@ATHENA.MIT.EDU (Stephen Sprunk)
Tue Mar 16 10:56:53 1999
From: "Stephen Sprunk" <ssprunk@cisco.com>
To: <nanog@merit.edu>
Date: Tue, 16 Mar 1999 09:50:57 -0600
Since no scripts to do what I was looking for have been forthcoming, I broke
down and decided to prove to myself I still know Perl. Find attached the
following:
flow-smurf.pl
Takes sorted output (a simple Unix sort) from "sh ip cache flow" and finds
what it believes are smurf amplifiers. The thresholds for number of bytes,
number of flows, prefix length, etc. are all tunable. Outputs a list of
suspect prefixes.
smurf-email.pl
Takes a list of prefixes, looks them up in whois, and prints a list of
contact email addresses and the associated prefixes. Also emails the
contacts if you specify a return address. Requires ipw.
Stephen
ObRandy: "no ip routing" will stop smurf attacks
Stephen Sprunk, K5SSS, CCIE #3723
NSA, Network Consulting Engineer
14875 Landmark Blvd #400; Dallas, TX
Pager: 800-365-4578 / 800-901-6078
Cisco Systems
Email: ssprunk@cisco.com
Attachment: flow-smurf.pl
#!/usr/local/bin/perl
#
# flow-smurf.pl, 1.3
# Stephen Sprunk <ssprunk@cisco.com>
# Ben Black <black@layer8.net>
# (c)1999 All rights reserved.
#
# input:  sorted output from "sh ip cache flow".  Flows from the same
#         source prefix must be adjacent: a plain Unix "sort" of the
#         captured text does this for octet-aligned prefix lengths, as
#         long as the flows share a SrcIf (that column sorts first).
# output: list of probable smurf amplifiers (one network address per line)
#
# Command line options:
#   -p n   Prefix length for grouping addresses (default 24)
#   -s n   Minimum ICMP size to consider (default 100 bytes)
#   -f n   Minimum flows per prefix (default 3)
#   -b n   Minimum bytes per prefix (default 1000000)
#
# If minimum flows OR minimum bytes is exceeded, the prefix is printed (once).
#
use strict;
use warnings;
use Socket;
use Getopt::Std;

our ($opt_p, $opt_s, $opt_f, $opt_b);
getopts('p:s:f:b:')
    or die "usage: $0 [-p prefixlen] [-s minsize] [-f minflows] [-b minbytes] < flows\n";
my $prefix   = $opt_p ? $opt_p : 24;
my $minsize  = $opt_s ? $opt_s : 100;
my $minflows = $opt_f ? $opt_f : 3;
my $minbytes = $opt_b ? $opt_b : 1000000;
# Netmask for the prefix length as a 32-bit integer (e.g. 24 -> 0xffffff00).
my $mask = 0xffffffff >> (32-$prefix) << (32-$prefix);

my ($oldnet, $flows, $bytes, $printed) = (-1, 0, 0, 0);
while (<>) {
    # Columns: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts B/Pk Active
    my ($srcif, $srcip, $dstif, $dstip, $pr, $srcp, $dstp, $pkts, $bppk, $active) = split;
    # Skip header, blank and malformed lines.  IOS prints Pr in hex; ICMP is 1.
    next unless defined $bppk && $pr =~ /^[0-9a-fA-F]+$/
             && $pkts =~ /^\d+$/ && $bppk =~ /^\d+$/;
    next unless hex($pr) == 1 && $bppk >= $minsize;
    my $addr = inet_aton($srcip) or next;           # not a dotted quad
    my $srcnet = (unpack 'N', $addr) & $mask;
    if ($oldnet != $srcnet) {                       # new prefix: reset counters
        ($flows, $bytes, $printed) = (0, 0, 0);
        $oldnet = $srcnet;
    }
    $flows++;
    $bytes += $pkts * $bppk;
    next unless $flows >= $minflows || $bytes >= $minbytes;
    print inet_ntoa(pack 'N', $srcnet) . "\n" unless $printed;
    $printed = 1;
}
Attachment: smurf-email.pl
#!/usr/local/bin/perl
#
# smurf-email.pl, v1.5
# Jeff Weisberg <jaw@Op.Net>
# Stephen Sprunk <ssprunk@cisco.com>
# Ben Black <black@layer8.net>
# (c)1999 All Rights Reserved.
#
# input:  list of smurf amplifiers (one dotted-quad network per line,
#         e.g. the output of flow-smurf.pl)
# output: list of email addresses and networks (plus email sent)
#
# Requires: ipw, available at http://www.e-scrub.com/ipw/
#
# Command line options:
#   -e AAA   From: Email Address (no default)
#   -n AAA   From: Username (default Network Operations Center)
#
# NOTE- If no email address is specified with -e, no email will
# be sent.  You've been told.
#
use strict;
use warnings;
use Getopt::Std;

our ($opt_e, $opt_n);
getopts('e:n:') or die "usage: $0 [-e from-address] [-n from-name] < amplifiers\n";
my $youremail = $opt_e;
my $yourname  = defined($opt_n) ? $opt_n : 'Network Operations Center';

my %amps;   # contact address => space-separated list of networks
while (my $net = <>) {
    chomp $net;
    # Only a plain dotted quad is passed to the shell; anything else is dropped.
    next unless $net =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    my $out = `ipw -t $net`;
    $out = '' unless defined $out;
    chomp $out;    # a trailing newline here would otherwise split the mail headers
    my $email = $out =~ /\@/ ? $out : 'FAIL';
    $amps{$email} .= "$net ";
}

for my $contact (sort keys %amps) {
    my $nets = $amps{$contact};
    print "$contact $nets\n";
    # Skip failed lookups and registry placeholders, and never mail without -e.
    next if $contact =~ /NOWHERE/ || $contact =~ /iana\@iana\.org/
         || $contact =~ /FAIL/ || !$youremail;
    $nets =~ tr/ /\n/;
    # List-form open: no shell involved; sendmail -t takes recipients from the headers.
    open(my $mail, '|-', 'sendmail', '-t') or die "cannot run sendmail: $!\n";
    print {$mail} <<EOF;
To: $contact
From: $yourname <$youremail>
Reply-To: $yourname <$youremail>
Subject: Denial of Service attacks launched through your machines.

Network(s):
$nets
Your machines were being used to mount a denial of service attack
against one of our machines. This not only uses up our bandwidth but
yours. The exact type of attack is typically called a `smurf' attack:
A "smurf attack" is a denial-of-service attack which is launched from
a network, frequently a dial-up connection, with the intention of
burying the victim's network access with packets beyond their ability
to carry the traffic load presented. This is accomplished by sending
a forged ICMP packet to a smurf amplifier destination, on the
broadcast address, bearing the source address of the victim's
computer. The smurf amplifier network dutifully responds from all
network hosts on that segment, amplifying the transmitted packet by up
to 200-fold. These packets are then returned to the victim's computer,
swamping its connection and rendering it useless. It is possible to
completely destroy host connectivity even on ethernet-speed
connections (6x a T1) with just a modem connection to the Internet
using this technique. A T1 customer using this technique can bury an
OC3 (155mbps) circuit, assuming sufficient amplifier bandwidth can be
found. { from http://www.mcs.net/smurf }
Some simple changes to your router configurations can keep your
machines from being used as smurf amplifiers.
More information on smurfs, including what to do about them, can be
found at:
http://www.quadrunner.com/~chuegen/smurf.txt
and
http://www.mcs.net/smurf
You're receiving this email because you're listed with an IP registry
as being the maintainer of one of the networks where I'm seeing ICMP
echo requests coming from.
I'd greatly appreciate it if you could fix your routers so your
networks cannot be abused in this manner.
Thanks.
-- $yourname
EOF
    close($mail) or warn "sendmail exited with status $?\n";
}
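As an added example (not code from the original post or from the scripts' authors), the following Python re-implements the grouping and thresholding that flow-smurf.pl performs on "sh ip cache flow" output, run over a few constructed flow lines using documentation address ranges. It generalises the script in one way: per-prefix counters are kept in a dictionary, so the input need not be sorted and a prefix whose flows are interleaved with other traffic is still counted as one group. The column layout (Pr/SrcP/DstP in hex, then Pkts and B/Pk) follows the IOS display the script parses.

```python
"""Smurf-amplifier detection over "sh ip cache flow" output.

Added example, not part of the original post: a Python version of the
flow-smurf.pl logic (ICMP only, minimum bytes/packet, group by source
prefix, flag when the flow count OR the byte total exceeds a threshold),
with a dict so unsorted input works too. The flow lines are constructed.
"""
import ipaddress

# Constructed sample of "sh ip cache flow" output. Note the 203.0.113.8 flow
# sits between two 192.0.2.0/24 flows: a streaming, sorted-input scan would
# split that prefix into two runs, the dict below does not.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts  B/Pk  Active
Se0/0         192.0.2.17      Fa0/0         198.51.100.5    01 0000 0000   300   500     3.0
Se0/0         192.0.2.42      Fa0/0         198.51.100.5    01 0000 0000   250   500     3.1
Se0/1         203.0.113.8     Fa0/0         198.51.100.5    01 0000 0000  5000  1000     4.0
Se0/0         192.0.2.99      Fa0/0         198.51.100.5    01 0000 0000   200   500     2.9
Se0/0         192.0.2.7       Fa0/0         198.51.100.5    06 0050 8A1B    12  1400     1.2
Se0/0         198.51.100.200  Fa0/0         198.51.100.5    01 0000 0000     3    64     0.1
"""


def parse_flows(text):
    """Yield (src_ip, protocol, pkts, bytes_per_pkt) for each data row.

    Header, blank and malformed lines are skipped. IOS prints the protocol
    number in hex ("01" = ICMP, "06" = TCP, "11" = UDP).
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        srcif, srcip, dstif, dstip, pr, srcp, dstp, pkts, bppk, active = fields[:10]
        try:
            yield ipaddress.IPv4Address(srcip), int(pr, 16), int(pkts), int(bppk)
        except ValueError:
            continue  # header row ("SrcIPaddress", "Pr", ...) or garbage


def summarize(text, prefix=24, minsize=100):
    """Aggregate large ICMP flows per source prefix.

    Returns {"a.b.c.0/prefix": (flow_count, total_bytes)}.
    """
    stats = {}
    for src, proto, pkts, bppk in parse_flows(text):
        if proto != 1 or bppk < minsize:  # ICMP only, and only big packets
            continue
        net = str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))
        flows, total = stats.get(net, (0, 0))
        stats[net] = (flows + 1, total + pkts * bppk)
    return stats


def find_amplifiers(text, prefix=24, minsize=100, minflows=3, minbytes=1_000_000):
    """Prefixes whose large-ICMP traffic exceeds the flow OR byte threshold."""
    stats = summarize(text, prefix, minsize)
    return sorted(net for net, (flows, total) in stats.items()
                  if flows >= minflows or total >= minbytes)


if __name__ == "__main__":
    for net, (flows, total) in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{net:18} flows={flows:<4} bytes={total}")
    print("suspects:", find_amplifiers(SAMPLE_FLOWS))
```

With the defaults, 192.0.2.0/24 is flagged on flow count (3 flows, only 375000 bytes) and 203.0.113.0/24 on volume (one flow of 5 MB); the TCP flow and the 64-byte ICMP flow are ignored, exactly as the Perl script's filters would treat them.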