Everhart, Glenn

From:    Bug Lord [buglord@SY.NET]
Sent:    Friday, July 03, 1998 3:21 AM
To:      BUGTRAQ@NETSPACE.ORG
Subject: SmurfLog 1.0

From the README:

Program
-------
SmurfLog 1.0 by Bug Lord. A program to assist logging of smurf attacks.

Purpose
-------
This program is designed to log smurf attacks and the broadcasts used.
Essentially it is just an icmp echo reply logger with the following twists:

- Logging only begins after passing a certain threshold rate of
  packets/sec and kilobytes/sec. This prevents the logging of innocent
  ping replies.
- Only the /24 is logged, and it is only logged once per attack.

Before this program, if you wanted to log the smurf broadcasts used during
an attack, you had to either get to the machine attacked and start an icmp
logger, or run one continuously and have lots of drive space available.
During an average strength smurf attack the log files can reach sizes of
800mb or more in 10-15 minutes. You must then go through the hassle of
grepping, awking, sorting, and uniqing the logs to get the appropriate /24
to mail. Not exactly a pleasant task, and not everyone can get to the
machine in time or leave an icmp logger running and pray that nobody
decides to DoS them with random source pings or such.

SmurfLog solves this problem by providing a simple, low-cpu usage system
that records only unique /24's. It can safely be left running on any
system and will (should) record only broadcasts used during a legitimate
smurf attack.

Of course you are required to use a little common sense. If you ping out
while under attack and successfully receive a reply it will be included
with the other ips, and of course don't be surprised if you end up with
things like 10.0.0.0 0.0.0.0 255.255.255.255 etc, but you knew that
already.

Platforms
---------
Fully tested on Linux (libc5 and libc6), compiles on FreeBSD, OpenBSD, and
Solaris. Thanks to all those who donated accounts.

How to use
----------
Edit config.h, compile:

    Linux:   gcc -O2 -o smurflog smurflog.c
    BSD:     gcc -O2 -o smurflog smurflog.c
    Solaris: cc -o smurflog smurflog.c -lnsl -lsocket

By default everything goes to stdout, so you'll most likely want to
redirect that to a log file and background it.

Thanks to
---------
Thanks to moogle and Temp for their assistance, and habit for the spell
check as usual.

Contact
-------
IRC:   Bug_Lord (EFnet)
EMAIL: buglord@sy.net

Latest Version
--------------
The latest version of SmurfLog can be found at http://www.sy.net/security

Shameless Plug
--------------
Visit http://shell.sy.net for the most affordable, reliable, stable, and
secure shells available to mere mortals.
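
The two rules in the README's Purpose section (log only after both rates are passed, and record each /24 once per attack) as a C sketch. It is added here and is not taken from smurflog.c. Assumptions: the threshold values, the one-second window, the rule that an attack ends when a second fails to pass the thresholds, every name (smurf_scan, demo, struct reply, struct hit), and a constructed sample in place of a raw ICMP socket.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed thresholds; SmurfLog's own are set in its config.h, which the page does not show. */
#define PPS_LIMIT  5u   /* echo replies per second */
#define KBPS_LIMIT 2u   /* kilobytes per second */
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
struct reply { uint32_t sec, src, len; };          /* one received ICMP echo reply */
struct hit { unsigned attack; uint32_t net; };     /* a logged /24 and its attack number */
/* Feed time-ordered replies; returns the number of (attack, /24) entries written to out. */
size_t smurf_scan(const struct reply *r, size_t n, struct hit *out, size_t max)
{
    uint32_t cur = 0, pkts = 0, bytes = 0;
    unsigned attack = 0, hot = 0, prev_hot = 0;
    size_t count = 0, first = 0, j;                /* first: where this attack's entries begin */
    for (size_t i = 0; i < n; i++) {
        if (i == 0 || r[i].sec != cur) {           /* a new one-second window */
            prev_hot = hot && r[i].sec == cur + 1; /* attacks continue only across adjacent seconds */
            hot = 0; pkts = bytes = 0; cur = r[i].sec;
        }
        pkts++; bytes += r[i].len;
        if (!hot && pkts > PPS_LIMIT && bytes > KBPS_LIMIT * 1024u) {
            hot = 1;                               /* both rates passed: logging begins */
            if (!prev_hot) { attack++; first = count; }  /* new attack, fresh dedup list */
        }
        if (!hot) continue;                        /* below threshold: ordinary ping replies */
        uint32_t net = r[i].src & 0xFFFFFF00u;     /* keep only the /24 */
        for (j = first; j < count && out[j].net != net; j++) ;
        if (j == count && count < max) out[count++] = (struct hit){ attack, net };
    }
    return count;
}
/* Constructed sample: one lone reply, a burst over seconds 200-201, a second burst at 300. */
size_t demo(struct hit *out, size_t max)
{
    static const uint32_t nets[3] = { IP(192,0,2,0), IP(198,51,100,0), IP(203,0,113,0) };
    struct reply r[64]; size_t n = 0;
    r[n++] = (struct reply){ 100, IP(198,51,100,7), 64 };
    for (unsigned k = 0; k < 30; k++)
        r[n++] = (struct reply){ 200 + k / 15, nets[k % 3] | (k + 1), 1024 };
    for (unsigned k = 0; k < 10; k++)
        r[n++] = (struct reply){ 300, nets[0] | (k + 1), 1024 };
    return smurf_scan(r, n, out, max);
}
int main(void)
{
    struct hit h[16];
    for (size_t i = 0, n = demo(h, 16); i < n; i++)
        printf("attack %u: %u.%u.%u.0/24\n", h[i].attack, h[i].net >> 24, h[i].net >> 16 & 255, h[i].net >> 8 & 255);
    return 0;
}
```

The 41 sample replies reduce to four log entries: three /24s for the first attack, and 192.0.2.0/24 again for the second because the dedup list is per attack.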