North American Network Operators Group


Some abuse detection hacks...

  • From: Avi Freedman
  • Date: Thu Feb 26 14:20:37 1998

I was trying to track down some extra traffic we were seeing across
a FDDI XP.  Downgrading to 11.1.?? or whatever that supports cflowd
with the right flow-export version wasn't a quick option.

So I wrote a little program...

But first, an even quicker hack:

Step (1) grab 'sho ip cache flow' output on the router to a file.

Then:
% grep "^Fd4/1/0" flow | grep " Fd4/1/0 " | more

Will show you all flows (w/ source and dest IP, of course) which came
in and went out your FDDI.  If someone's defaulting to you, this
should actually catch it.

But to be more thorough, also grab your transit routes (for us it's
'sho ip bgp community-list 4') to a file.

Then run the following little perl program.  It'll spit out lines
of flows that came in your Fddi interface destined to IPs that you're
not transiting.

Also, set the $srcif variable below to the appropriate value for your router.

If I feel frisky I'll spend a few minutes and integrate chat2.pl stuff
so you don't have to grab the data by hand - or someone else is welcome to...

Avi

---------------------

#!/usr/local/bin/perl

# By Avi Freedman/Net Access ([email protected]), 2/26/98
# Do with as you will.

# Expand $cidrtable if you announce routes < /16.
# Don't run with routes < /13 unless you have lots of time and swap space.

# Put your transit routes in ./routes.
# Put your 'sho ip cache flow' output in ./flow.
# Set $srcif - it must be the EXACT way it's represented in the flow output.

$srcif = "Fd4/1/0";

# Number of /24s covered by a prefix of each length.  A CIDR route whose
# length is missing from this table is silently skipped, so /24 is listed too.
$cidrtable{16} = 256; $cidrtable{17} = 128; $cidrtable{18} =  64;
$cidrtable{19} =  32; $cidrtable{20} =  16; $cidrtable{21} =   8;
$cidrtable{22} =   4; $cidrtable{23} =   2; $cidrtable{24} =   1;

open(IN, "routes") || die "can't open routes: $!";
while (<IN>)
{
  # skip the status columns ("*> ") at the start of each 'sho ip bgp' line
  $new = substr($_, 3, 100);
  if ($new =~ /\//)
  {
    # CIDR route: mark every /24 it covers as a transit destination
    if ($new =~ /^(\d*)\.(\d*)\.(\d*)\.0\/(\d*)/)
    {
      for ($i = $3; $i < $3 + $cidrtable{$4}; $i++) { $ok{"$1.$2.$i"} = 1; }
    }
  }
  else
  {
    if ($new =~ /^(\d*)\.(\d*)\.(\d*)\.0/)
    {
      # set an individual /24 unless it ends in ".0.0" - we should do better
      if ($3 != 0) { $ok{"$1.$2.$3"} = 1; }
      else { for ($i = 0 ; $i < 256 ; $i++) { $ok{"$1.$2.$i"} = 1; } }
    }
  }
}
close(IN);

open(IN, "flow") || die "can't open flow: $!";
while (<IN>)
{
  # 'sho ip cache flow' columns: SrcIf SrcIPaddress DstIf DstIPaddress ...
  ($src, $srcip, $dst, $dstip) = split(' ', $_);

  # print flows that entered $srcif bound for a /24 we don't transit
  if ($src eq $srcif && $dstip =~ /^(\d*)\.(\d*)\.(\d*)\.(\d*)$/)
  {
    if (!$ok{"$1.$2.$3"}) { print $_; }
  }
}
close(IN);
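A Python version of the same check, added here as an example and not part of Avi's post or script: it drops the per-/24 table in favour of the ipaddress module so any prefix length works, and gives maskless (classful) route lines their class A/B/C default mask instead of the ".0.0" heuristic. The route and flow lines below are constructed samples; the column layout assumed is the SrcIf/SrcIPaddress/DstIf/DstIPaddress order the Perl split relies on.

```python
import ipaddress

# Constructed sample 'sho ip bgp' lines; the "*> " status columns are sliced off.
ROUTES = """\
*> 192.0.2.0/24      203.0.113.1
*> 198.51.100.0/22   203.0.113.1
*> 10.0.0.0          203.0.113.1
"""

# Constructed sample 'sho ip cache flow' lines, header included.
FLOWS = """\
SrcIf    SrcIPaddress  DstIf    DstIPaddress   Pr SrcP DstP Pkts
Fd4/1/0  203.0.113.7   Se0/0    192.0.2.10     06 0050 0400 12
Fd4/1/0  203.0.113.9   Se0/1    198.51.100.77  06 0050 0401 3
Fd4/1/0  203.0.113.9   Se0/1    172.16.5.5     11 0035 0035 9
Fd4/1/0  203.0.113.9   Se0/1    10.9.8.7       06 0016 0402 1
Fd4/1/0  203.0.113.9   Se0/1    203.0.113.200  06 0050 0403 2
Et1/0    192.0.2.3     Fd4/1/0  172.16.5.6     06 0050 0404 4
"""

def parse_routes(text):
    """Transit prefixes as ip_network objects; maskless lines get classful masks."""
    nets = []
    for line in text.splitlines():
        fields = line[3:].split()  # drop "*> " style status columns
        if not fields:
            continue
        prefix = fields[0]
        if "/" not in prefix:  # classful display: A=/8, B=/16, C=/24
            first = int(prefix.split(".")[0])
            prefix += "/8" if first < 128 else "/16" if first < 192 else "/24"
        nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets

def suspicious_flows(text, nets, srcif):
    """Flow lines that entered srcif bound for a destination we do not transit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != srcif:
            continue  # header line, or a flow that did not enter via srcif
        try:
            dst = ipaddress.ip_address(fields[3])
        except ValueError:
            continue  # not an address in the DstIPaddress column
        if not any(dst in net for net in nets):
            hits.append(line)
    return hits
```

The linear any() scan is fine for a few hundred transit routes; for a full table, collapse the prefixes first or use a radix tree.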