North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SMURF Detector Software

  • From: Mark Fullmer
  • Date: Wed Feb 10 02:14:30 1999

On Thu, Jan 28, 1999 at 11:28:18AM -0800, [email protected] wrote:

> I, as many of you have had to deal with various types of denial of service
> attacks or other attacks.  A good number of these attacks can be characterized
> by one host sending to many destinations, many hosts on one subnet sending
> to one destination, one host sending to very similar or the same IP address 
> (host/port scans) etc.

I wrote something like this a few weeks ago, it's included in a package
we've been using at OSU for the past few years.  We get scanned in some
form or another about ten times a day :(


  match src ip with dst ip and portlist < 1024.  Tries to locate
  host and port scans.  Includes an ager so it can be run continually
  without eating up an infinite amount of memory.  A suppress list
  can also be specified with a src ip, and optional protocol srcport
  and dstport.  By disabling the ager and setting the dump state option
  this can be used to create a srcIP to dstIP/portmap<1024 table.


  locate port and host scans in rf, but ignore TCP replies from a busy MS
  web server.  Don't run in the background.
  echo " 6 80 -" > dscan.suppress
  flow-dscan < -b rf 

  same, but dump the internal state on exit to "statefile"
  flow-dscan -b -s statefile -p < rf

  Connect to flow-capture to process real time flows.  Runs in the
  background, logs to syslog LOG_LOCAL6
  nc 9991 | flow-dscan -w

  The statefile is just the internal hash table.  It's a mapping of
  srcIP to dstIP's and ports < 1024.

  type=hash bucket depth flags srcIP
  H 0 1 0
  type=include nflows dstIP
  I  10777445
  type=hash bucket depth flags srcIP
  H 0 5 0
  type=include nflows dstIP
  I  4635135
  type=include nflows dstIP
  I  19387662
  type=port nports portnum
  P 1 53

  -l can be used to load this statefile before processing the flows,
  use for interrupted operation.

  when running live, SIGHUP will reload the suppress list, and SIGUSR1
  will dump state.

  The ager runs every 1000 flows.  It runs down a subset of the hash
  table each run, removing records that were created 90,000 flows prior
  to the current.  Modify the ager timeout with -t

  The host scanner works by counting the length of the destination IP
  hash chain.  If it goes above 64, then the src is considered to
  be scanning.  Modify depth trigger with -D.

  The port scanner works by keeping a bitmap of the destination port
  number < 1024 per destination IP.  If it goes above 64, the src is
  considered to be port scanning the destination.  Modify port trigger
  with -P.

  When a src has been flagged as scanning it will not be reported again
  until the record is aged out and enough flows trigger it again.

  Remove the -b flag and it will run in the background and log via syslog

  Use the built in interface filters to limit detection to inbound or
  outbound scans on a border router.  For example if interface 1 is
  the outside (Internet) interface and 2 and 3 are the inside (Campus)

  detect only inbound scans
  flow-dscan -i1 -I2,3

  If you can't figure out the interface numbers, try using flow-print

  -w is a built in web filter.  Use of this could possibly hide real

  -m is a built in multicast address filter

  -O,-P,-T can trigger a messages based on excessive octets, packets, or
  flow duration.  This can be used to detect denial of service attacks.

  -h lists the other options.