Re: Smurf amp notification script?
| > Does anyone have a script that takes a list of IP addresses, looks
| > them up in whois, and mails the contact for them and tells them
| > they're a smurf amp (with appropriate pointers to self-help files,
| > etc)?
| >
| > If it can read sorted output from Cisco "sh ip cache flow", that'd be
| > a bonus.
|
| No, but we'd be interested in this if you come across one. Ronald Guilmette's
| ipw (www.e-scrub.com/ipw/) is the closest I've seen, and it's unreliable at
| best.

The enclosed hack worked last time I tried it (but no guarantees). Change
occurrences of OpNet/op.net to your own name.

--jeff

```perl
#!/usr/local/bin/perl
# Reads one network/IP per line (e.g. sorted "sh ip cache flow" sources), finds
# the ARIN coordinator's e-mail address and mails them a smurf-amplifier notice.
# Change OpNet and YOURDOMAIN.net to your own name and domain.
use strict;
use warnings;

while( <> ){
    chomp;
    my $net = $_;
    next unless length $net;
    my $email = lookup($net);
    # Retry a few times on an empty or failed whois answer, then skip the
    # netblock instead of looping forever on one that has no coordinator.
    for( my $try = 0; !$email && $try < 5; $try++ ){
        sleep 5;
        $email = lookup($net);
    }
    unless( $email ){
        print "$net <no contact found>\n";
        next;
    }
    print "$net <$email>\n";
    email( $net, $email );
    sleep 2;
}
exit;

# Query ARIN whois for $net. The e-mail address follows the handle on the line
# after "Coordinator". If the record only names a NETBLK, recurse on that block
# (bounded by $depth so a self-referencing record cannot recurse forever).
sub lookup {
    my($net, $depth) = @_;
    $depth ||= 0;
    return '' if $depth > 3;
    my($email, $coord, $netblock) = ('', 0, '');
    # List-form open passes $net as an argument, never through a shell.
    open(W, '-|', 'whois', '-h', 'whois.arin.net', $net) or return '';
    while( <W> ){
        chomp;
        if( $coord ){
            $coord = 0;
            ($email) = /.*\)\s*(.*)/;
            last;
        }
        $coord = 1 if /Coordinator/;
        if( /NETBLK-/ ){
            $netblock = $_;
            $netblock =~ s/.*\(//;
            $netblock =~ s/\).*//;
        }
    }
    close W;
    return $email if $email;
    return lookup( $netblock, $depth + 1 ) if $netblock;
    '';
}

sub email {
    my($net, $email) = @_;
    if( $email =~ /NOWHERE/ ){          # placeholder contact, nothing to mail
        print "**** NOWHERE ****\n";
        return;
    }
    open(E, "|sendmail -t") or die "sendmail: $!";
    print E <<EOF;
To: $email
From: OpNet NOC <noc\@YOURDOMAIN.net>
Reply-To: OpNet NOC <noc\@YOURDOMAIN.net>
Subject: Denial of Service attacks launched through your machines.

Netblock: $net

Your machines were being used to mount a denial of service attack against
one of our machines. This not only uses up our bandwidth but yours.

The exact type of attack is typically called a `smurf' attack :

    A "smurf attack" is a denial-of-service attack which is launched from a
    network, frequently a dial-up connection, with the intention of burying
    the victim's network access with packets beyond their ability to carry
    the traffic load presented.

    This is accomplished by sending a forged ICMP packet to a smurf
    amplifier destination, on the broadcast address, bearing the source
    address of the victim's computer. The smurf amplifier network dutifully
    responds from all network hosts on that segment, amplifying the
    transmitted packet by up to 200-fold. These packets are then returned
    to the victim's computer, swamping its connection and rendering it
    useless.

    It is possible to completely destroy host connectivity even on
    ethernet-speed connections (6x a T1) with just a modem connection to
    the Internet using this technique. A T1 customer using this technique
    can bury an OC3 (155mbps) circuit, assuming sufficient amplifier
    bandwidth can be found.
    { from http://www.mcs.net/smurf }

Some simple changes to your router configurations can keep your machines
from being used as smurf amplifiers.

More information on smurfs, including what to do about them, can be found at :
    http://www.quadrunner.com/~chuegen/smurf.txt
    and http://www.mcs.net/smurf

You're receiving this email because you're listed with an IP registry as
being the maintainer of one of the networks where I'm seeing ICMP echo
requests coming from. I'd greatly appreciate it if you could fix your
routers so your networks cannot be abused in this manner.

Thanks.

--
OpNet Network Operations Staff
EOF
    close E;
}
```
On Thu, 11 Mar 1999, Jeff Weisberg wrote:
> | > Does anyone have a script that takes a list of IP addresses, looks
> | > them up in whois, and mails the contact for them and tells them
> | > they're a smurf amp (with appropriate pointers to self-help files,
> | > etc)?
>
> The enclosed hack worked last time I tried it (but no guarantees). Change
> occurrences of OpNet/op.net to your own name.
>
> #!/usr/local/bin/perl
> [snip]
> open(W, "whois -h whois.arin.net $net |");

Ok, that does fine for machines whose authoritative whois record is within the
ARIN whois database, but what about the other two thirds of the globe, namely
RIPE (Europe) and APNIC (Asia-Pacific)?

Congratulations, you've just emailed either 'nicdb@ripe.net' or
'sysadm@apnic.net' blaming one of the IP registries for running (in this case)
a smurf amplifier.

Please, go and track down the ipw script; it's better than nothing as it does
have some knowledge of which whois server to query. That way, you won't get
the ever-so-nicely worded response which basically says 'Ahem. Go query our
whois server for the *correct* information.'.

--==-- Bruce.
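As an added example (not from the thread, and not ipw's code), here is the referral-following Bruce asks for, in Python rather than the script's Perl: it reads the handoff and abuse-contact fields and follows referrals to the right registry with a hop cap, which also avoids the original script's unbounded retry. The field names follow the IANA "refer:", ARIN "ReferralServer:" and RIPE/APNIC "abuse-mailbox:" formats as I know them; the sample responses are constructed, not real registry output.

```python
import re
# Constructed whois responses standing in for live queries (not real registry
# output). Field names follow IANA "refer:", ARIN "ReferralServer:" and
# RIPE/APNIC "abuse-mailbox:"; the address found is the registrant's abuse
# contact, not the registry's own mailbox.
SAMPLE_RESPONSES = {
    "whois.iana.org": "refer:        whois.ripe.net\n",
    "whois.arin.net": "NetRange:       198.51.100.0 - 198.51.100.255\n"
                      "ReferralServer: whois://whois.apnic.net\n",
    "whois.ripe.net": "inetnum:        192.0.2.0 - 192.0.2.255\n"
                      "abuse-mailbox:  abuse@example.net\n",
    "whois.apnic.net": "abuse-mailbox:  abuse@example.org\n",
    "whois.loop.example": "refer: whois.loop.example\n",   # pathological loop
}
REFERRAL_RE = re.compile(r"^(?:refer|ReferralServer):\s*(?:r?whois://)?([\w.-]+)", re.M | re.I)
ABUSE_RE = re.compile(r"^(?:abuse-mailbox|OrgAbuseEmail):\s*(\S+@\S+)", re.M | re.I)

def parse_referral(text):
    """Whois server this response hands off to, or None."""
    m = REFERRAL_RE.search(text)
    return m.group(1).lower() if m else None

def parse_abuse_contact(text):
    """Registrant's abuse mailbox from the response, or None."""
    m = ABUSE_RE.search(text)
    return m.group(1) if m else None

def resolve_abuse_contact(start_server, query_fn, max_hops=4):
    """Follow referrals from start_server until a response carries an abuse
    contact. Returns (server, email); email is None when nothing is found
    within max_hops or a referral loop appears, so the caller skips the block."""
    server, seen = start_server, set()
    for _ in range(max_hops):
        if server in seen:            # referral loop: stop rather than spin
            return server, None
        seen.add(server)
        text = query_fn(server)
        email = parse_abuse_contact(text)
        if email:
            return server, email
        nxt = parse_referral(text)
        if not nxt:
            return server, None
        server = nxt
    return server, None

def sample_query(server):
    """Stand-in for a network whois query; serves the constructed responses."""
    return SAMPLE_RESPONSES.get(server, "")
```

In a real run, query_fn would open a TCP connection to port 43 on the named server and return its response text.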