North American Network Operators Group

Smurf amp detection and notification scripts

  • From: Stephen Sprunk
  • Date: Tue Mar 16 10:54:40 1999

Since no scripts to do what I was looking for have been forthcoming, I broke
down and decided to prove to myself I still know Perl.  Find attached the
following:

flow-smurf.pl

Takes a sorted output (simple Unix sort) from "sh ip cache flow" and finds
what it believes are smurf amplifiers.  The thresholds for number of bytes,
number of flows, prefix length, etc. are all tunable.  Outputs a list of
suspect prefixes.

smurf-email.pl

Takes a list of prefixes, looks them up in whois, and prints a list of
contact email addresses and the associated prefixes.  Also emails the
contacts if you specify a return address.  Requires ipw.

Stephen


ObRandy: "no ip routing" will stop smurf attacks


     |          |         Stephen Sprunk, K5SSS, CCIE #3723
    :|:        :|:        NSA, Network Consulting Engineer
   :|||:      :|||:       14875 Landmark Blvd #400; Dallas, TX
.:|||||||:..:|||||||:.    Pager: 800-365-4578 / 800-901-6078
C I S C O S Y S T E M S   Email: ssprunk@cisco.com


Attachment: flow-smurf.pl
Description: Binary data

Attachment: smurf-email.pl
Description: Binary data
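
The attachments are not reproduced in this archive. The sketch below is an added example, not Stephen Sprunk's flow-smurf.pl, showing the kind of threshold check the message describes: ICMP echo-reply flows are aggregated by source prefix and a prefix is reported when it exceeds tunable flow and byte thresholds. The column layout of the input, the threshold values, the function name and the sample rows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Tunable thresholds; the values are illustrative assumptions.
PREFIX_LEN = 24     # aggregate source addresses to this prefix length
MIN_FLOWS = 4       # minimum ICMP echo-reply flows seen from one prefix
MIN_BYTES = 50_000  # minimum total bytes seen from one prefix

# Constructed sample input. Assumed columns:
# SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts B/Pk Active
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts B/Pk Active
Se0 192.0.2.10 Et0 198.51.100.7 01 0000 0000 400 64 12.0
Se0 192.0.2.11 Et0 198.51.100.7 01 0000 0000 400 64 12.1
Se0 192.0.2.12 Et0 198.51.100.7 01 0000 0000 400 64 11.9
Se0 192.0.2.13 Et0 198.51.100.7 01 0000 0000 400 64 12.0
Se0 192.0.2.14 Et0 198.51.100.7 01 0000 0000 400 64 12.2
Se0 192.0.2.10 Et0 198.51.100.9 06 0050 0CA1 900 512 3.4
Se0 203.0.113.5 Et0 198.51.100.7 01 0000 0000 1000 64 30.0
"""

def suspect_prefixes(text, prefix_len=PREFIX_LEN,
                     min_flows=MIN_FLOWS, min_bytes=MIN_BYTES):
    """Return [(prefix, flows, hosts, bytes)] for prefixes over both thresholds."""
    stats = defaultdict(lambda: {"flows": 0, "hosts": set(), "bytes": 0})
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        try:
            src = ipaddress.ip_address(f[1])
            proto, dport = int(f[4], 16), int(f[6], 16)
            pkts, bytes_per_pkt = int(f[7]), int(f[8])
        except ValueError:
            continue  # header line or a row this simplified parser cannot read
        # Assumption: ICMP is protocol 01 and an echo reply shows DstP 0000.
        if proto != 1 or dport != 0:
            continue
        prefix = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        s = stats[str(prefix)]
        s["flows"] += 1
        s["hosts"].add(src)
        s["bytes"] += pkts * bytes_per_pkt
    hits = [(p, s["flows"], len(s["hosts"]), s["bytes"])
            for p, s in stats.items()
            if s["flows"] >= min_flows and s["bytes"] >= min_bytes]
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    for row in suspect_prefixes(SAMPLE):
        print(*row)
```

On the constructed rows, the single host sending a large ICMP flow is not reported because it falls under the flow-count threshold, which is what separates one noisy source from a whole prefix answering at once.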