prue at ISI.EDU
Thu Jan 28 19:28:18 UTC 1999


I, as many of you, have had to deal with various types of denial of service
attacks or other attacks.  A good number of these attacks can be characterized
by one host sending to many destinations, many hosts on one subnet sending
to one destination, one host sending to very similar or the same IP address
(host/port scans) etc.

Confronted with detecting this to warn my customers if they are victims, or
admonish my customers if they are the culprits, I wrote a tool
to give me some indication when this kind of thing is going on, while it
is still happening using netflow data.

I modified Cisco's fdget program they make available on one of their
ftp sites to look for self similar source or destination addresses in
netflow data blocks.  Thanks go to Cisco for letting me distribute this
to the group.

You can give it a try if you want.  It is available via anonymous ftp on in subdirectory mon.  The file names you will need to
know to retrieve by name are:

smurfind.c                   C program
README.smurfind              documentation
flowdata.h                   C program definitions (written by cisco folks)
smurfind.rc                  sample data file

You can't do an ls on the directory.  I used version 5 netflow data to debug
the code.  I haven't tested it against version 1 or other versions.

B.T.W.  The program dumps legitimate data as suspect.  If however the rate at
which the program shows suspect data changes, that is when you need to
look more closely.

The output from the program is very valuable to confront the guilty party
to demonstrate that something inappropriate is going on.

Let me know what you think.

Walt Prue
Los Nettos
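The three traffic patterns the post lists (one host to many destinations, many hosts on one subnet to one destination, one host walking adjacent addresses), as an added detection example written for this page; it is not Walt Prue's smurfind.c, which reads raw NetFlow export blocks, and the flow records, field layout and thresholds below are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows as (src, dst, dst_port); not real NetFlow export data.
SAMPLE_FLOWS = (
    # one host sending to many destinations (fan-out)
    [("10.1.1.5", f"192.0.2.{i}", 7) for i in range(1, 80, 2)]
    # many hosts on one subnet sending to one destination (fan-in)
    + [(f"198.51.100.{i}", "203.0.113.9", 80) for i in range(10, 50)]
    # one host walking a contiguous address range (host scan)
    + [("10.2.2.8", f"203.0.113.{i}", 22) for i in range(100, 118)]
    # background traffic that should stay quiet
    + [("10.3.3.3", "203.0.113.1", 443), ("10.3.3.4", "203.0.113.2", 443)]
)

def fan_out(flows, threshold=20):
    """Sources that reach more than `threshold` distinct destinations."""
    dsts = defaultdict(set)
    for src, dst, _ in flows:
        dsts[src].add(dst)
    return {s: len(d) for s, d in dsts.items() if len(d) > threshold}

def subnet_fan_in(flows, threshold=20, prefix=24):
    """Destinations hit by more than `threshold` distinct sources that all lie
    in a single /prefix subnet."""
    srcs = defaultdict(set)
    for src, dst, _ in flows:
        srcs[dst].add(src)
    hits = {}
    for dst, s in srcs.items():
        nets = {ip_network(f"{ip}/{prefix}", strict=False) for ip in s}
        if len(s) > threshold and len(nets) == 1:
            hits[dst] = (len(s), str(nets.pop()))
    return hits

def contiguous_scan(flows, threshold=10):
    """Sources whose distinct destinations include a run of more than
    `threshold` adjacent addresses (host scan)."""
    dsts = defaultdict(set)
    for src, dst, _ in flows:
        dsts[src].add(int(ip_address(dst)))
    hits = {}
    for src, d in dsts.items():
        addrs, run, best = sorted(d), 1, 1
        for a, b in zip(addrs, addrs[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best > threshold:
            hits[src] = best
    return hits
```

As the post notes, ordinary traffic will also trip fixed thresholds like these; what matters operationally is how the count of suspects per sampling interval changes over time.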

