SmurfLog 1.0

From: Bug Lord (buglordat_private)
Date: Fri Jul 03 1998 - 00:21:02 PDT


    From the README:
    
    Program
    -------
      SmurfLog 1.0 by Bug Lord. A program to assist logging of smurf attacks.
    
    
    Purpose
    -------
      This program is designed to log smurf attacks and the broadcasts used.
      Essentially it is just an icmp echo reply logger with the following twists:
       - Logging only begins after passing a certain threshold rate of packets/sec
         and kilobytes/sec. This prevents the logging of innocent ping replies.
       - Only the /24 is logged, and it is only logged once per attack.
    
      Before this program, if you wanted to log the smurf broadcasts used during
      an attack, you had to either get to the machine attacked and start an icmp
      logger, or run one continuously and have lots of drive space available.
    
      During an average strength smurf attack the log files can reach sizes of
      800mb or more in 10-15 minutes. You must then go through the hassle of
      grepping, awking, sorting, and uniqing the logs to get the appropriate
      /24 to mail. Not exactly a pleasant task, and not everyone can get to the
      machine in time or leave an icmp logger running and pray that nobody decides
      to DoS them with random source pings or such.
    
      SmurfLog solves this problem by providing a simple, low-cpu usage system
      that records only unique /24's. It can safely be left running on any system
      and will (should) record only broadcasts used during a legitimate smurf
      attack.
    
      Of course you are required to use a little common sense. If you ping out
      while under attack and successfully receive a reply it will be included
      with the other ips, and of course don't be surprised if you end up with
      things like 10.0.0.0, 0.0.0.0, 255.255.255.255, etc., but you knew that already.
    
    Platforms
    ---------
      Fully tested on Linux (libc5 and libc6), compiles on FreeBSD, OpenBSD,
      and Solaris. Thanks to all those who donated accounts.
    
    How to use
    ----------
      Edit config.h, compile:
    
      Linux: gcc -O2 -o smurflog smurflog.c
      BSD: gcc -O2 -o smurflog smurflog.c
      Solaris: cc -o smurflog smurflog.c -lnsl -lsocket
    
      By default everything goes to stdout, so you'll most likely want to redirect
      that to a log file and background it.
    
    
    Thanks to
    ---------
      Thanks to moogle and Temp for their assistance, and habit for the spell
      check as usual.
    
    Contact
    -------
      IRC: Bug_Lord (EFnet)
      EMAIL: buglordat_private
    
    
    Latest Version
    --------------
      The latest version of SmurfLog can be found at http://www.sy.net/security
    
    
    Shameless Plug
    --------------
      Visit http://shell.sy.net for the most affordable, reliable, stable, and
      secure shells available to mere mortals.
    
    [Attachment: smurflog-1.0.tar.gz (SmurfLog 1.0)]
    


