Sorry to pollute the list with yet another e-mail about Smurf Amp's, but at this very second, an IRC server that I run is being hammered from these networks. I tried registering them in SAR, got some of them in, but some wouldn't take, and entering all 132 nets manually is kind of cumbersome. *hint hint* I've also assumed they are all /24's (which the 141.161.x.x's are for sure). Anyway here they are.

Andrew
On 17-Jun-98 Andrew Herdman wrote:
Sorry to pollute the list with yet another e-mail about Smurf Amp's, but at this very second, an IRC server that I run is being hammered from these networks. I tried registering them in SAR, got some of them in, but some wouldn't take, and entering all 132 nets manually is kind of cumbersome. *hint hint* I've also assumed they are all /24's (which the 141.161.x.x's are for sure). Anyway here they are.
The entries for 208.128.161.0 and 208.128.185.0 have been fixed. Those are 2 of our dialup class-Cs that were being used as amplifiers. We have implemented no-directed broadcast on our router equipment at this time. Please let me know if you continue to see activity from those blocks.

Morgan
Andrew
-----------------------------------------
Morgan Sarges           Voice Phone: 605-338-8334
blip@morgan.iw.net      Fax: 605-335-3942
System Administrator
Dakota Telecommunications Group
Network Operations Center
LSD melts in your mind, not in your hand.
PGP Public Key block available upon request.
------------------------------------------
On Wed, 17 Jun 1998, Andrew Herdman wrote:
Sorry to pollute the list with yet another e-mail about Smurf Amp's, but at this very second, an IRC server that I run is being hammered from these networks. I tried registering them in SAR, got some of them in, but some wouldn't take, and entering all 132 nets manually is kind of cumbersome. *hint hint* I've also assumed they
So why are you registering them with SAR manually? Here are some scripts I wrote for my own use...but maybe others will benefit from them.

First one, I call smurfstat. It expects a list of IP addresses on stdin. I use it by piping tcpdump output through a little command-line awk that reduces each line to just the source IP. It generates output like what I posted a few days ago.

    #!/usr/bin/perl
    # smurfstat: summarize source IPs read from stdin.
    #   -n  suppress the per-network section
    #   -h  suppress the per-host section
    use Getopt::Std;
    getopts('nh');
    while (<STDIN>) {
        chomp;
        $addr = $_;
        (@net_parts) = split /\./, $addr;
        $net = join('.',$net_parts[0],$net_parts[1],$net_parts[2]);
        # %addrs counts packets per host; %nets counts unique hosts per /24
        $nets{$net}++ unless ($addrs{$addr}++);
    }
    unless ($opt_n){
        print "\nNetworks\n";
        foreach (sort {$nets{$b} <=> $nets{$a}} keys(%nets)) {
            printf("%-12s %d\n","$_:", $nets{$_});
        }
    }
    unless ($opt_h){
        print "\n---\nHosts\n";
        foreach (sort {$addrs{$b} <=> $addrs{$a}} keys(%addrs)) {
            printf("%-16s %d\n","$_:", $addrs{$_});
        }
    }

Next...because registering hundreds of networks by hand would be annoying and time consuming, we have smurfreg. You can pipe the output of smurfstat right into smurfreg. It will ignore some of the common invalid addresses found in analyzing smurfs like 0/8, 255.255.255/24, 10/8, 192.168/16. I didn't bother trying to come up with an expression for 172.16/12.

    #!/usr/bin/perl
    # smurfreg: read smurfstat output on stdin, one "a.b.c: count" line per network.
    while (<STDIN>) {
        ($net,$junk)=split /:/,$_,2;
        # The field must be exactly a.b.c (digits and dots only, so nothing else
        # reaches the shell), and the ignore list is anchored as a whole so that
        # "10." only matches at the start of the prefix, not inside e.g. 210.1.2.
        if (($net=~/^\d+\.\d+\.\d+$/) &&
            !($net=~/^((0\.)|(10\.)|(192\.168\.)|(255\.255\.255))/)){
            system("lynx -dump http://www.powertech.no/smurf/probe.cgi?network=$net");
        } elsif ($net=~/---/) {
            # "---" separates the Networks section from the Hosts section
            die "\ndone.\n";
        }
    }

What does it mean when the SAR says "No entry found for that network."? Many of the nets I'm in the process of registering result in that, even though they still have multiple hosts responding and are in the whois databases.

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Spammers will be winnuked or
 Network Administrator       |  drawn and quartered...whichever
 Florida Digital Turnpike    |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
On Wed, 17 Jun 1998, Jon Lewis wrote:
system("lynx -dump http://www.powertech.no/smurf/probe.cgi?network=$net");
What does it mean when the SAR says "No entry found for that network."? Many of the nets I'm in the process of registering result in that, even though they still have multiple hosts responding and are in the whois databases.
You need to push the "probe=" parameter to the cgi as well. What you are doing above is merely looking up already-registered networks in the SAR database. Again, you are NOT probing the networks through the SAR by running the above lynx command!

To do what you want, you must use URLs of this form:

    http://www.powertech.no/smurf/probe.cgi?network=1.2.3.4&probe=PROBE
                                                           ^^^^^^^^^^^^

Be careful with "&" in sh, and remember that probe= thing.

Oystein Homelien                  | oystein@powertech.no
PowerTech Information Systems AS  | http://www.powertech.no/
Nedre Slottsgate 5, N-0157 OSLO   | tel: +47-23-010-010, fax: +47-2220-0333
On Thu, 18 Jun 1998, Oystein Homelien wrote:
You need to push the "probe=" parameter to the cgi as well. What you are doing above is merely looking up already-registered networks in the SAR database. Again, you are NOT probing the networks through the SAR by running the above lynx command!
To do what you want, you must use URLs of this form:
http://www.powertech.no/smurf/probe.cgi?network=1.2.3.4&probe=PROBE
ack! I somehow missed that when pasting the URL from Netscape into my editor. Here's an updated version. Chris Bongaarts <cab@tc.umn.edu> sent the 172.16/12 regex I was too lazy to include before.

    #!/usr/bin/perl
    # smurfreg: read smurfstat output on stdin, one "a.b.c: count" line per network.
    while (<STDIN>) {
        ($net,$junk)=split /:/,$_,2;
        # The field must be exactly a.b.c (digits and dots only, so nothing can
        # break out of the quoted URL), and the ignore list is anchored as a
        # whole so "10." cannot match inside e.g. 210.1.2.
        if (($net=~/^\d+\.\d+\.\d+$/) &&
            !($net=~/^((0\.)|(10\.)|(192\.168\.)|(172\.((1[6-9])|(2[0-9])|(3[01]))\.)|(255\.255\.255))/)){
            # single quotes keep sh from treating "&" as a background operator
            system("lynx -dump 'http://www.powertech.no/smurf/probe.cgi?network=$net&probe=PROBE'");
        } elsif ($net=~/---/) {
            # "---" separates the Networks section from the Hosts section
            die "\ndone.\n";
        }
    }

I'm using this to make sure all the nets I recently posted about are registered. Based on the times reported by SAR, I think I'll be adding a bunch of new nets to it.

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Spammers will be winnuked or
 Network Administrator       |  drawn and quartered...whichever
 Florida Digital Turnpike    |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
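An added example, not part of the original thread or any poster's code: the aggregate-then-filter step that smurfstat and smurfreg perform, written in Python rather than the thread's Perl, using CIDR containment instead of prefix regexes so that 172.16/12 needs no special pattern. The function names are hypothetical and the sample source addresses are constructed.

```python
import ipaddress
from collections import Counter

# The ranges the thread says to ignore, as CIDR blocks rather than regexes.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "255.255.255.0/24",
)]

def is_excluded(net):
    """True if the /24 lies entirely inside one of the ignored blocks."""
    return any(net.subnet_of(block) for block in EXCLUDED)

def summarize(lines):
    """Count unique responding hosts per /24 (assumed prefix length, as in
    the thread). Returns (reportable, skipped): reportable is a list of
    (network, host_count) sorted by count descending, skipped is a list of
    ignored networks that still showed up as sources."""
    hosts = set()
    for line in lines:
        try:
            hosts.add(ipaddress.IPv4Address(line.strip()))
        except ipaddress.AddressValueError:
            continue  # blank lines, headers, mangled capture fields
    per_net = Counter(
        ipaddress.ip_network(f"{h}/24", strict=False) for h in hosts
    )
    reportable = sorted(
        ((str(n), c) for n, c in per_net.items() if not is_excluded(n)),
        key=lambda item: (-item[1], ipaddress.ip_network(item[0])),
    )
    skipped = sorted(str(n) for n in per_net if is_excluded(n))
    return reportable, skipped

# Constructed sample: one source address per line, as smurfstat expects.
# 210.1.2.3 and 172.32.1.1 look like ignored ranges to a loose prefix
# match ("10." and "172.3x") but are outside them.
SAMPLE = """198.51.100.7
198.51.100.7
198.51.100.9
198.51.100.200
203.0.113.1
210.1.2.3
172.32.1.1
172.20.1.9
10.0.4.5
192.168.102.7
0.0.0.0
255.255.255.255
not-an-ip
"""

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE.splitlines())
    for net, count in report:
        print(f"{net:<20} {count}")
    print("ignored:", ", ".join(skipped))
```

Sources that fall in the ignored blocks are returned separately rather than dropped, since their presence in a capture indicates spoofed or leaked private addressing worth noting in an incident record.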
participants (4)
- Andrew Herdman
- Jon Lewis
- Morgan Sarges
- Oystein Homelien