Some abuse detection hacks ...

prue at ISI.EDU
Mon Mar 9 20:15:14 UTC 1998


Avi Freedman's post with a perl script to look for network abuses a
while back got me to thinking that a C program could be written to do
what his scripts do in near real time, continuously, if desired.

It is possible to get Cisco routers to dump netflow data records to a
host.  I modified a Cisco demonstration program called fdget.c to look
at the netflow data records and search for illegitimate default pointing
or transit routing from unauthorized source AS's to unauthorized
destination AS's.  I have made this program available via anonymous ftp
(not a URL) on venera.isi.edu in subdirectory mon.  This directory is
blind.  You must know what files you wish to retrieve by exact name.

The files of interest are:

atack.c
README.atack
flowdata.h

I hope that you find them useful.

My thanks go to Cisco for letting me distribute this program even though most
of the code was written by Cisco.  So keep in mind any bugs are mine.

Walt Prue
Los Nettos
USC/ISI
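The check the post describes, as an added illustration rather than code from the post or from atack.c (whose record layout from flowdata.h is not shown here): a flow whose source AS and destination AS are both outside the local and customer AS set is treated as unauthorized transit, and offending flows are summed per (source AS, destination AS) pair the way a reporting script would. The record layout, the authorized-AS list and every AS number below are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified flow record, constructed for this example (not the Cisco export
 * layout in flowdata.h); also reused to hold per-(src AS, dst AS) packet sums. */
typedef struct { uint32_t src_as, dst_as, packets; } flow_rec;

/* Local AS plus customer ASes allowed to source or sink traffic here
 * (placeholder values; a real deployment loads its customer list). */
static const uint32_t authorized_as[] = { 65000u, 65001u, 65002u };
static int is_authorized(uint32_t as) {
    for (size_t i = 0; i < sizeof authorized_as / sizeof *authorized_as; i++)
        if (authorized_as[i] == as) return 1;
    return 0;
}
/* Unauthorized transit: neither end is ours or a customer's, so an outside
 * AS is using this router to reach another outside AS. */
int is_unauthorized_transit(const flow_rec *f) {
    return !is_authorized(f->src_as) && !is_authorized(f->dst_as);
}
/* Sum offending flows per (src AS, dst AS) pair into out[MAX_PAIRS] and return
 * the number of distinct pairs; extra pairs are dropped rather than overflowed. */
#define MAX_PAIRS 64
size_t summarize_abuse(const flow_rec *flows, size_t n, flow_rec *out) {
    size_t npairs = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_unauthorized_transit(&flows[i])) continue;
        size_t j = 0;
        while (j < npairs && (out[j].src_as != flows[i].src_as ||
                              out[j].dst_as != flows[i].dst_as)) j++;
        if (j == npairs) {
            if (npairs == MAX_PAIRS) continue;
            out[npairs++] = (flow_rec){ flows[i].src_as, flows[i].dst_as, 0 };
        }
        out[j].packets += flows[i].packets;
    }
    return npairs;
}
/* Packets attributed to one offending pair (0 if it never offended). */
uint32_t abuse_packets(const flow_rec *flows, size_t n, uint32_t s, uint32_t d) {
    flow_rec t[MAX_PAIRS];
    size_t np = summarize_abuse(flows, n, t);
    for (size_t i = 0; i < np; i++)
        if (t[i].src_as == s && t[i].dst_as == d) return t[i].packets;
    return 0;
}

/* Constructed sample: two legitimate flows, then three transit-abuse flows. */
static const flow_rec sample[] = { { 65001, 3356, 10 }, { 174, 65002, 20 },
                                   { 174, 3356, 30 }, { 174, 3356, 5 }, { 701, 2914, 7 } };
#define SAMPLE_N (sizeof sample / sizeof *sample)
```

Feeding real export records to `summarize_abuse` means filling `flow_rec` from the exporter's own layout; the membership set is the part that has to match the operator's actual customer list.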
