North American Network Operators Group


SMURF Detector Software

  • From: prue
  • Date: Thu Jan 28 14:49:21 1999
  • Posted-date: Thu, 28 Jan 1999 11:28:18 -0800

Hi,

I, as many of you, have had to deal with various types of denial of service
attacks or other attacks.  A good number of these attacks can be characterized
by one host sending to many destinations, many hosts on one subnet sending
to one destination, one host sending to very similar or the same IP address
(host/port scans) etc.

Confronted with detecting this to warn my customers if they are victims, or
admonish my customers if they are the culprits, I wrote a tool
to give me some indication when this kind of thing is going on, while it
is still happening using netflow data.

I modified Cisco's fdget program they make available on one of their
ftp sites to look for self similar source or destination addresses in
netflow data blocks.  Thanks go to Cisco for letting me distribute this
to the group.

You can give it a try if you want.  It is available via anonymous ftp on
venera.isi.edu in subdirectory mon.  The file names you will need to
know to retrieve by name are:

smurfind.c                   C program
README.smurfind              documentation
flowdata.h                   C program definitions (written by cisco folks)
smurfind.rc                  sample data file


You can't do an ls on the directory.  I used version 5 netflow data to debug
the code.  I haven't tested it against version 1 or other versions.

B.T.W.  The program dumps legitimate data as suspect.  If however the rate at
which the program shows suspect data changes, that is when you need to 
look more closely.

The output from the program is very valuable to confront the guilty party
to demonstrate that something inappropriate is going on.

Let me know what you think.

Walt Prue
Los Nettos
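As an added illustration of the three address patterns the post describes (one host to many destinations, many hosts on one subnet to one destination, one host scanning one destination) and of its point that only a change in the rate of "suspect" output matters, the following Python is example code written for this page, not smurfind, fdget or any Cisco code; the flow tuples and thresholds are constructed.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean

# Constructed NetFlow-style (src, dst, dst_port) tuples; not real captures.
FLOWS = (
    [(f"192.0.2.{i}", "198.51.100.7", 0) for i in range(1, 41)]        # many hosts on one /24 -> one victim
    + [("203.0.113.9", f"198.51.100.{i}", 80) for i in range(10, 60)]  # one host -> many destinations
    + [("203.0.113.55", "198.51.100.20", p) for p in range(20, 60)]    # one host -> one host, many ports
    + [("192.0.2.5", "198.51.100.7", 443), ("203.0.113.9", "198.51.100.10", 80)]  # ordinary traffic
)

def find_suspects(flows, threshold=25):
    """Group flows three ways and report every key with >= threshold distinct peers."""
    fanout = defaultdict(set)   # src -> distinct dst addresses
    fanin = defaultdict(set)    # (dst, src /24) -> distinct src addresses in that subnet
    scan = defaultdict(set)     # (src, dst) -> distinct dst ports
    for src, dst, port in flows:
        net = str(ip_network(f"{src}/24", strict=False))
        fanout[src].add(dst)
        fanin[(dst, net)].add(src)
        scan[(src, dst)].add(port)
    return {
        "one_to_many": sorted(k for k, v in fanout.items() if len(v) >= threshold),
        "subnet_to_one": sorted(k for k, v in fanin.items() if len(v) >= threshold),
        "port_scan": sorted(k for k, v in scan.items() if len(v) >= threshold),
    }

def rate_alarm(suspect_counts, factor=3.0, warmup=3):
    """Return indices of intervals whose suspect count jumps well above the running
    baseline. Legitimate traffic also shows up as 'suspect', so the signal worth
    acting on is a change in that rate, not the raw count."""
    alarms = []
    for i, n in enumerate(suspect_counts):
        if i >= warmup and n > factor * max(mean(suspect_counts[:i]), 1):
            alarms.append(i)
    return alarms

if __name__ == "__main__":
    print(find_suspects(FLOWS))
    print(rate_alarm([4, 5, 4, 6, 5, 40, 45]))  # -> [5, 6]
```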