Smurf amp detection and notification scripts

• Previous message (by thread): domain IN-ARPA.ADDR
• Next message (by thread): Smurf amp detection and notification scripts
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Since no scripts to do what I was looking for have been forthcoming, I broke
down and decided to prove to myself I still know perl.  Find attached the
following:

flow-smurf.pl

Takes a sorted output (simple unix sort) from "sh ip cache flow" and finds
what it believes are smurf amplifiers.  The thresholds for number of bytes,
number of flows, prefix length, etc are all tunable.  Outputs a list of
suspect prefixes.

smurf-email.pl

Takes a list of prefixes, looks them up in whois, and prints a list of
contact email addresses and the associated prefixes.  Also emails the
contacts if you specify a return address.  Requires ipw.

Stephen


ObRandy: "no ip routing" will stop smurf attacks


     |          |         Stephen Sprunk, K5SSS, CCIE #3723
    :|:        :|:        NSA, Network Consulting Engineer
   :|||:      :|||:       14875 Landmark Blvd #400; Dallas, TX
.:|||||||:..:|||||||:.    Pager: 800-365-4578 / 800-901-6078
C I S C O S Y S T E M S   Email: ssprunk at cisco.com


-------------- next part --------------
A non-text attachment was scrubbed...
Name: flow-smurf.pl
Type: application/octet-stream
Size: 1323 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/19990316/fe9aa7d8/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smurf-email.pl
Type: application/octet-stream
Size: 3034 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/19990316/fe9aa7d8/attachment-0001.obj>

• Previous message (by thread): domain IN-ARPA.ADDR
• Next message (by thread): Smurf amp detection and notification scripts
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]