Smurf Amp Nets

Jon Lewis jlewis at inorganic5.fdt.net
Wed Jun 17 22:39:56 UTC 1998


On Wed, 17 Jun 1998, Andrew Herdman wrote:

> Sorry to pollute the list with yet another e-mail about Smurf
> Amp's, but at this very second, an IRC server that I run is being
> hammered from these networks.  I tried registering them in SAR, got
> some of them in, but some wouldn't take, and entering all 132 nets
> manually is kind of cumbersome. *hint hint*  I've also assumed they

So why are you registering them with SAR manually?  Here are some scripts
I wrote for my own use...but maybe others will benefit from them.

First one, I call smurfstat.  It expects a list of IP addresses on stdin.
I use it by piping tcpdump output through a little command-line awk that
reduces each line to just the source IP.  It generates output like what I
posted a few days ago.

#!/usr/bin/perl
# smurfstat: read one source IP per line on stdin, count packets per host
# and distinct hosts per /24 network.  -n suppresses the network table,
# -h suppresses the host table.

use strict;
use warnings;
use Getopt::Std;

our ($opt_n, $opt_h);
getopts('nh');

my (%nets, %addrs);
while (<STDIN>) {
        chomp;
        my $addr = $_;
        my @net_parts = split /\./, $addr;
        my $net = join('.', @net_parts[0..2]);
        # count a host toward its /24 only the first time it is seen
        $nets{$net}++ unless ($addrs{$addr}++);
}

unless ($opt_n){
        print "\nNetworks\n";
        foreach (sort {$nets{$b} <=> $nets{$a}} keys(%nets)) {
                printf("%-12s %d\n","$_:", $nets{$_});
        }
}

unless ($opt_h){
        print "\n---\nHosts\n";
        foreach (sort {$addrs{$b} <=> $addrs{$a}} keys(%addrs)) {
                printf("%-16s %d\n","$_:", $addrs{$_});
        }
}


Next...because registering hundreds of networks by hand would be annoying
and time consuming, we have smurfreg.  You can pipe the output of
smurfstat right into smurfreg.  It will ignore some of the common invalid
addresses found in analyzing smurfs like 0/8, 255.255.255/24, 10/8,
192.168/16.  I didn't bother trying to come up with an expression for
172.16/12. 

#!/usr/bin/perl
# smurfreg: read smurfstat output on stdin and submit each network from the
# "Networks" table to the SAR probe, skipping obviously bogus source nets.

use strict;
use warnings;

while (<STDIN>) {
  my ($net, $junk) = split /:/, $_, 2;
  # a network line looks like "a.b.c:"; skip 0/8, 10/8, 192.168/16 and
  # 255.255.255/24 (the alternation is anchored so "128.10.x" is not skipped)
  if (($net =~ /^\d+\.\d+\.\d+$/) && !($net =~ /^(0\.|10\.|192\.168\.|255\.255\.255$)/)) {
    # list form of system() so $net is never interpreted by a shell
    system('lynx', '-dump', "http://www.powertech.no/smurf/probe.cgi?network=$net");
  }
  elsif ($net =~ /---/) {
    die "\ndone.\n";
  }
}

What does it mean when the SAR says "No entry found for that network."?
Many of the nets I'm in the process of registering result in that, even
though they still have multiple hosts responding and are in the whois
databases.
 
------------------------------------------------------------------
 Jon Lewis <jlewis at fdt.net>  |  Spammers will be winnuked or 
 Network Administrator       |  drawn and quartered...whichever
 Florida Digital Turnpike    |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
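
As an added example, not part of Jon's post or the SAR tooling, here is the same smurfstat/smurfreg idea in Python: parse tcpdump echo-reply lines directly, count distinct responders per /24, and drop bogon sources with real CIDR matching (which also covers 172.16/12). The tcpdump sample is constructed, and the thresholds and function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of tcpdump output (not a real capture): ICMP echo
# replies arriving at the victim from several /24s, as a smurf flood looks.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 203.0.113.7 > 198.51.100.9: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000002 IP 203.0.113.12 > 198.51.100.9: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000003 IP 203.0.113.7 > 198.51.100.9: ICMP echo reply, id 1, seq 2, length 64
12:00:01.000004 IP 192.0.2.3 > 198.51.100.9: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000005 IP 10.1.1.1 > 198.51.100.9: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000006 IP 172.20.5.5 > 198.51.100.9: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000007 IP 203.0.113.40 > 198.51.100.9: ICMP echo reply, id 1, seq 1, length 64
"""

# Source ranges that cannot be real amplifiers (same set as smurfreg, plus 172.16/12)
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "255.255.255.0/24")]

SRC_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+) > \S+: ICMP echo reply")

def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)

def summarize(tcpdump_text):
    """Return ({net/24: distinct responding hosts}, {host: packets}), like smurfstat."""
    hosts = defaultdict(int)
    for line in tcpdump_text.splitlines():
        m = SRC_RE.search(line)
        if m:
            hosts[m.group(1)] += 1
    nets = defaultdict(int)
    for addr in hosts:  # each host counts once toward its /24
        nets[str(ipaddress.ip_network(addr + "/24", strict=False))] += 1
    return dict(nets), dict(hosts)

def amplifier_candidates(nets, min_hosts=2):
    """Non-bogon /24s with at least min_hosts distinct responders, busiest first."""
    cands = [(n, c) for n, c in nets.items()
             if c >= min_hosts and not is_bogon(n.split("/")[0])]
    return sorted(cands, key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    nets, hosts = summarize(SAMPLE_TCPDUMP)
    for net, count in amplifier_candidates(nets):
        print(f"{net:<18} {count} responding hosts")
```

Several distinct hosts in one /24 all answering pings you never sent is the signature of a directed-broadcast amplifier, so the candidate list is what you would hand to the registry or the upstream's abuse desk.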

More information about the NANOG mailing list