Tool for automatically educating smurf amplifiers ...
buglord at ex-pressnet.com
Tue Jul 7 12:30:42 UTC 1998
From: Doug McLaren <dougmc at feeding.frenzy.com>
To: nanog at merit.edu <nanog at merit.edu>
Date: Monday, July 06, 1998 3:06 PM
Subject: Tool for automatically educating smurf amplifiers ...
>Lately one of our machines has been the target of several smurf
>attacks (no idea why, probably some user kicked off an IRCer from
>their channel or something equally silly) and so I set out to email
>each of the sites used as smurf amplifiers ...
>I couldn't find any sort of tool to do this for me, so I wrote one.
>It's certainly still needs some work, but I think it'll be useful in
>it's current condition to anybody else who's tried to do this.
>If we can notify the smurf amplifiers that they're being abused and
>let them know what they need to do to fix it, maybe we can make smurf
>attacks a thing of the past (or at least less effective, as the
>smurfers will have to look harder to find good amplifiers.)
>In any event, you can get my program at :
>There's lots of room for improvements, so if you have some changes, by
>all means send them to me.
>It uses `ipw' to get contact information. If you don't have `ipw',
>get it from :
>Also, while you may wish to use `tcpdump' or look at your router's
>logs to see where the ICMP echo reply packets were coming from, I was
>using icmpinfo, which you can get from :
>So far, after running the program once and sending out about 50
>emails, I've gotten about 17 bounces and about 15 emails saying
>they'll fix or have fixed their routers, and two or three emails
>asking for details or a more clear explanation ... fairly promising.
Not to toot my own horn but you might wanna try using a little proggy I
wrote called SmurfLog, available at http://www.sy.net/security. It only
records echo replies from unique /24's, preventing the few gig logfiles that
you can get from icmpinfo.
More information about the NANOG