North American Network Operators Group
Re: Tool for automatically educating smurf amplifiers ...
-----Original Message-----
From: Doug McLaren <[email protected]>
To: [email protected] <[email protected]>
Date: Monday, July 06, 1998 3:06 PM
Subject: Tool for automatically educating smurf amplifiers ...

>Lately one of our machines has been the target of several smurf
>attacks (no idea why, probably some user kicked off an IRCer from
>their channel or something equally silly) and so I set out to email
>each of the sites used as smurf amplifiers ...
>
>I couldn't find any sort of tool to do this for me, so I wrote one.
>
>It certainly still needs some work, but I think it'll be useful in
>its current condition to anybody else who's tried to do this.
>
>If we can notify the smurf amplifiers that they're being abused and
>let them know what they need to do to fix it, maybe we can make smurf
>attacks a thing of the past (or at least less effective, as the
>smurfers will have to look harder to find good amplifiers.)
>
>In any event, you can get my program at :
>
>   http://www.frenzy.com/~dougmc/smurf-complain.pl
>
>There's lots of room for improvements, so if you have some changes, by
>all means send them to me.
>
>It uses `ipw' to get contact information. If you don't have `ipw',
>get it from :
>
>   http://www.e-scrub.com/ipw
>
>Also, while you may wish to use `tcpdump' or look at your router's
>logs to see where the ICMP echo reply packets were coming from, I was
>using icmpinfo, which you can get from :
>
>   http://hplyot.obspm.fr/~dl/icmpinfo.html
>
>So far, after running the program once and sending out about 50
>emails, I've gotten about 17 bounces and about 15 emails saying
>they'll fix or have fixed their routers, and two or three emails
>asking for details or a more clear explanation ... fairly promising.

Not to toot my own horn but you might wanna try using a little proggy I
wrote called SmurfLog, available at http://www.sy.net/security. It only
records echo replies from unique /24's, preventing the few gig logfiles
that you can get from icmpinfo.
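The per-/24 de-duplication described in the reply above, as an added example that is not part of either post and is not SmurfLog's or smurf-complain.pl's code. The four-field record format, the function names and the sample addresses (documentation ranges) are assumptions made for the illustration.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample records (not real captures): "epoch src dst icmp_type".
# ICMP type 0 is echo reply, type 8 is echo request.
SAMPLE = """\
899751960 192.0.2.17 203.0.113.5 0
899751960 192.0.2.201 203.0.113.5 0
899751961 198.51.100.9 203.0.113.5 0
899751961 192.0.2.17 203.0.113.5 0
899751962 198.51.100.77 203.0.113.5 8
899751962 not-an-ip 203.0.113.5 0
899751963 198.51.100.254 203.0.113.5 0
"""

ICMP_ECHO_REPLY = 0

def summarize_amplifiers(lines, victim=None):
    """Collapse echo replies to one entry per source /24, in first-seen order."""
    seen = OrderedDict()
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record
        ts, src, dst, icmp_type = parts
        try:
            if int(icmp_type) != ICMP_ECHO_REPLY:
                continue  # only replies indicate an amplifier answering
            src_ip = ipaddress.IPv4Address(src)
            ts = int(ts)
        except ValueError:
            continue  # unparsable address, type or timestamp
        if victim is not None and dst != victim:
            continue
        # Mask the source down to its /24, the unit the logger de-duplicates on.
        net = str(ipaddress.ip_network(f"{src_ip}/24", strict=False))
        entry = seen.setdefault(net, {"first_seen": ts, "replies": 0, "hosts": set()})
        entry["replies"] += 1
        entry["hosts"].add(str(src_ip))
    return seen

def new_network_lines(lines):
    """One log line per /24, written only the first time that network is seen."""
    return [f"{v['first_seen']} {net}" for net, v in summarize_amplifiers(lines).items()]

if __name__ == "__main__":
    for net, info in summarize_amplifiers(SAMPLE.splitlines()).items():
        print(net, info["first_seen"], info["replies"], sorted(info["hosts"]))
```

The resulting list has one row per amplifier network, which is also the unit a notification to the network's contact would be sent for.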