Hi,

I, as many of you, have had to deal with various types of denial of service attacks or other attacks. A good number of these attacks can be characterized by one host sending to many destinations, many hosts on one subnet sending to one destination, one host sending to very similar or the same IP address (host/port scans), etc. Confronted with detecting this to warn my customers if they are victims, or admonish my customers if they are the culprits, I wrote a tool to give me some indication when this kind of thing is going on, while it is still happening, using netflow data. I modified Cisco's fdget program, which they make available on one of their ftp sites, to look for self-similar source or destination addresses in netflow data blocks. Thanks go to Cisco for letting me distribute this to the group.

You can give it a try if you want. It is available via anonymous ftp on venera.isi.edu in subdirectory mon. The file names you will need to know to retrieve by name are:

  smurfind.c        C program
  README.smurfind   documentation
  flowdata.h        C program definitions (written by cisco folks)
  smurfind.rc       sample data file

You can't do an ls on the directory.

I used version 5 netflow data to debug the code. I haven't tested it against version 1 or other versions.

B.T.W. The program dumps legitimate data as suspect. If, however, the rate at which the program shows suspect data changes, that is when you need to look more closely. The output from the program is very valuable to confront the guilty party to demonstrate that something inappropriate is going on.

Let me know what you think.

Walt Prue
Los Nettos
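The three traffic shapes the post describes, as an added example that is not Walt's smurfind.c or Cisco's fdget: a small Python pass over constructed flow records (assumed to be src, dst, destination-port tuples) that counts distinct peers per key and flags one-to-many, subnet-to-one, and port-scan patterns; the thresholds are arbitrary assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample flows: (src, dst, dst_port). Not real captured NetFlow.
FLOWS = [
    # one host fanning out to many destinations (a sweep)
    *[("10.0.0.5", f"192.0.2.{i}", 80) for i in range(1, 21)],
    # many hosts on one /24 hitting one destination (smurf-style shape)
    *[(f"198.51.100.{i}", "203.0.113.9", 7) for i in range(1, 16)],
    # one host touching many ports on one destination (port scan)
    *[("10.0.0.7", "203.0.113.20", p) for p in range(1, 31)],
    # ordinary traffic
    ("10.0.0.8", "203.0.113.30", 443),
    ("10.0.0.9", "203.0.113.30", 443),
]

def analyze(flows, fan_out=10, fan_in=10, ports=20):
    """Return suspect patterns found in a block of flow records.

    Distinct peers per key are counted rather than packets, so the
    'self-similar' addresses stand out regardless of traffic volume.
    Thresholds are assumed values; tune them to the network being watched.
    """
    dsts_per_src = defaultdict(set)          # src -> {dst}
    srcs_per_subnet_dst = defaultdict(set)   # (src /24, dst) -> {src}
    ports_per_pair = defaultdict(set)        # (src, dst) -> {dport}
    for src, dst, dport in flows:
        dsts_per_src[src].add(dst)
        subnet = ip_network(f"{src}/24", strict=False)
        srcs_per_subnet_dst[(str(subnet), dst)].add(src)
        ports_per_pair[(src, dst)].add(dport)
    return {
        "one_to_many": {s: len(d) for s, d in dsts_per_src.items() if len(d) >= fan_out},
        "subnet_to_one": {k: len(s) for k, s in srcs_per_subnet_dst.items() if len(s) >= fan_in},
        "port_scan": {k: len(p) for k, p in ports_per_pair.items() if len(p) >= ports},
    }

if __name__ == "__main__":
    for kind, hits in analyze(FLOWS).items():
        print(kind, hits)
```

As the post notes, legitimate traffic will trip thresholds like these too; a change in the rate of hits across successive flow blocks is the signal worth chasing, not any single hit.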