nanog mailing list archives

Re: Tool for automatically educating smurf amplifiers ...


From: "Richard Thomas" <buglord () ex-pressnet com>
Date: Tue, 7 Jul 1998 08:30:42 -0400

-----Original Message-----
From: Doug McLaren <dougmc () feeding frenzy com>
To: nanog () merit edu <nanog () merit edu>
Date: Monday, July 06, 1998 3:06 PM
Subject: Tool for automatically educating smurf amplifiers ...


Lately one of our machines has been the target of several smurf
attacks (no idea why, probably some user kicked off an IRCer from
their channel or something equally silly) and so I set out to email
each of the sites used as smurf amplifiers ...

I couldn't find any sort of tool to do this for me, so I wrote one.

It certainly still needs some work, but I think it'll be useful in
its current condition to anybody else who's tried to do this.

If we can notify the smurf amplifiers that they're being abused and
let them know what they need to do to fix it, maybe we can make smurf
attacks a thing of the past (or at least less effective, as the
smurfers will have to look harder to find good amplifiers.)

In any event, you can get my program at :

  http://www.frenzy.com/~dougmc/smurf-complain.pl

There's lots of room for improvements, so if you have some changes, by
all means send them to me.

It uses `ipw' to get contact information.  If you don't have `ipw',
get it from :

  http://www.e-scrub.com/ipw

Also, while you may wish to use `tcpdump' or look at your router's
logs to see where the ICMP echo reply packets were coming from, I was
using icmpinfo, which you can get from :

  http://hplyot.obspm.fr/~dl/icmpinfo.html

So far, after running the program once and sending out about 50
emails, I've gotten about 17 bounces and about 15 emails saying
they'll fix or have fixed their routers, and two or three emails
asking for details or a more clear explanation ... fairly promising.

Not to toot my own horn but you might wanna try using a little proggy I
wrote called SmurfLog, available at http://www.sy.net/security. It only
records echo replies from unique /24's, preventing the few gig logfiles that
you can get from icmpinfo.
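The de-duplication idea described above (keep one record per source /24 rather than one line per echo reply) is easy to reproduce when working from a packet capture. The following is an added example and is not SmurfLog or smurf-complain.pl; it assumes tcpdump-style lines of the shape `src > dst: icmp: echo reply`, and the sample lines are constructed with documentation addresses rather than taken from a real attack.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in a tcpdump-like shape (not a real capture).
# The "victim" is 198.51.100.5; replies arrive from hosts on amplifier networks.
SAMPLE_LINES = [
    "192.0.2.10 > 198.51.100.5: icmp: echo reply",
    "192.0.2.11 > 198.51.100.5: icmp: echo reply",
    "192.0.2.12 > 198.51.100.5: icmp: echo reply",
    "203.0.113.7 > 198.51.100.5: icmp: echo reply",
    "203.0.113.7 > 198.51.100.5: icmp: echo reply",
    "198.51.100.77 > 198.51.100.5: icmp: echo request",  # not a reply; ignored
    "192.0.2.200 > 198.51.100.5: icmp: echo reply",
    "garbage line that does not parse",
]


def parse_echo_reply(line):
    """Return the source address of an ICMP echo reply line, or None for anything else."""
    if "echo reply" not in line:
        return None
    src = line.split(" > ", 1)[0].strip()
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return None
    return src


def summarize_by_prefix(lines, prefix_len=24):
    """Collapse echo-reply sources to one record per prefix (default /24).

    Returns {network: (reply_count, first_host_seen)} so that a few thousand
    replies from one broadcast network produce a single entry, which is the
    unit you actually need when contacting the amplifier's operator.
    """
    counts = Counter()
    first_seen = {}
    for line in lines:
        src = parse_echo_reply(line)
        if src is None:
            continue
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        counts[net] += 1
        first_seen.setdefault(net, src)
    return {str(net): (counts[net], first_seen[net]) for net in counts}


def top_amplifiers(lines, prefix_len=24):
    """Prefixes sorted by reply volume, highest first: the ones to notify first."""
    summary = summarize_by_prefix(lines, prefix_len)
    return sorted(summary.items(), key=lambda item: item[1][0], reverse=True)


if __name__ == "__main__":
    for net, (count, host) in top_amplifiers(SAMPLE_LINES):
        print(f"{net:18} replies={count:<5} first host seen={host}")
```

Feeding it `tcpdump -n icmp` output line by line gives a short list of amplifier prefixes with a reply count per prefix instead of a multi-gigabyte per-packet log; the count doubles as a rough measure of how large each broadcast network is.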