North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Smurf amp notification script?

  • From: Jeff Weisberg
  • Date: Thu Mar 11 17:22:21 1999

| > Does anyone have a script that takes a list of IP addresses, looks
| > them up in whois, and mails the contact for them and tells them
| > they're a smurf amp (with appropriate pointers to self-help files,
| > etc)?
| > 
| > If it can read sorted output from Cisco "sh ip cache flow", that'd be
| > a bonus.
| 
| No, but we'd be interested in this if you come across one.  Ronald Guilmette's
| ipw (www.e-scrub.com/ipw/) is the closest I've seen, and it's unreliable at
| best.


The enclosed hack worked last time I tried it (but no garuntees).
Change occurances of OpNet/op.net to your own name.


	--jeff



#!/usr/local/bin/perl

while( <> ){
    chop;
    $net = $_;
    
    $email = lookup($net);
    while( !$email ){
	sleep 5;
	$email = lookup($net);
    }

    print "$net <$email>\n";
    email( $net, $email ) if $email;
    sleep 2;
}
exit;


sub lookup {
    my($net) = @_;
    my($email, $coord, $netblock);
    
    open(W, "whois -h whois.arin.net $net |");

    $email = '';
    $netblock = '';
    $coord = 0;
    while( <W> ){
	chop;
	
	if( $coord ){
	    $coord = 0;
	    ($email) = /.*\)\s*(.*)/;
	    last;
	}
	$coord = 1 if /Coordinator/;

	if( /NETBLK-/ ){
	    $netblock = $_;
	    $netblock =~ s/.*\(//;
	    $netblock =~ s/\).*//;
	}
    }

    return $email if $email;

    return lookup( $netblock ) if $netblock;

    '';
}

sub email {
    my($net, $email) = @_;

    open(E, "|sendmail -t");
    
    if( $email =~ /NOWHERE/ ){
	print "**** NOWHERE ****\n";
	return;
    }
    
    print E <<EOF
To: $email
From: OpNet NOC <noc\@YOURDOMAIN.net>
Reply-To: OpNet NOC <noc\@YOURDOMAIN.net>
Subject: Denial of Service attacks launched through your machines.

Netblock: $net

Your machines were being used to mount a denial of service attack
against one of our machines.  This not only uses up our bandwidth but
yours.  The exact type of attack is typically called a `smurf' attack :

   A "smurf attack" is a denial-of-service attack which is launched from
   a network, frequently a dial-up connection, with the intention of
   burying the victim's network access with packets beyond their ability
   to carry the traffic load presented.  This is accomplished by sending
   a forged ICMP packet to a smurf amplifier destination, on the
   broadcast address, bearing the source address of the victim's
   computer. The smurf amplifier network dutifully responds from all
   network hosts on that segment, amplifying the transmitted packet by up
   to 200-fold. These packets are then returned to the victim's computer,
   swamping its connection and rendering it useless. It is possible to
   completely destroy host connectivity even on ethernet-speed
   connections (6x a T1) with just a modem connection to the Internet
   using this technique. A T1 customer using this technique can bury an
   OC3 (155mbps) circuit, assuming sufficient amplifier bandwidth can be
   found.   { from http://www.mcs.net/smurf }

Some simple changes to your router configurations can keep your
machines from being used as smurf amplifiers.

More information on smurfs, including what to do about them, can be
found at :

   http://www.quadrunner.com/~chuegen/smurf.txt

and

   http://www.mcs.net/smurf

You're receiving this email because you're listed with an IP registry
as being the maintainer of one of the networks where I'm seeing ICMP
echo requests coming from.


I'd greatly appreciate it if you could fix your routers so your
networks cannot be abused in this manner.

Thanks.

	-- OpNet Network Operations Staff

EOF
    ;

    close E;
}