nanog mailing list archives
Re: Smurf Amp Nets
From: Jon Lewis <jlewis () inorganic5 fdt net>
Date: Wed, 17 Jun 1998 18:39:56 -0400 (EDT)
On Wed, 17 Jun 1998, Andrew Herdman wrote:
> Sorry to pollute the list with yet another e-mail about Smurf Amp's, but at this very second, an IRC server that I run is being hammered from these networks. I tried registering them in SAR, got some of them in, but some wouldn't take, and entering all 132 nets manually is kind of cumbersome. *hint hint* I've also assumed they

So why are you registering them with SAR manually? Here are some scripts I wrote for my own use...but maybe others will benefit from them.

First one, I call smurfstat. It expects a list of IP addresses on stdin. I use it by piping tcpdump output through a little command-line awk that reduces each line to just the source IP. It generates output like what I posted a few days ago.

#!/usr/bin/perl
# smurfstat: count unique responding hosts per /24 and packets per host.
# -n suppresses the Networks table, -h suppresses the Hosts table.
use Getopt::Std;
getopts('nh');
while (<STDIN>) {
    chomp;
    $addr = $_;
    (@net_parts) = split /\./, $addr;
    $net = join('.',$net_parts[0],$net_parts[1],$net_parts[2]);
    # a network's count rises only the first time a given host is seen
    $nets{$net}++ unless ($addrs{$addr}++);
}
unless ($opt_n){
    print "\nNetworks\n";
    foreach (sort {$nets{$b} <=> $nets{$a}} keys(%nets)) {
        printf("%-12s %d\n","$_:", $nets{$_});
    }
}
unless ($opt_h){
    print "\n---\nHosts\n";
    foreach (sort {$addrs{$b} <=> $addrs{$a}} keys(%addrs)) {
        printf("%-16s %d\n","$_:", $addrs{$_});
    }
}

Next...because registering hundreds of networks by hand would be annoying and time consuming, we have smurfreg. You can pipe the output of smurfstat right into smurfreg. It will ignore some of the common invalid addresses found in analyzing smurfs like 0/8, 255.255.255/24, 10/8, 192.168/16. I didn't bother trying to come up with an expression for 172.16/12.

#!/usr/bin/perl
# smurfreg: submit each network printed by smurfstat to the SAR probe page.
while (<STDIN>) {
    ($net,$junk)=split /:/,$_,2;
    # accept only a bare three-octet prefix; the exclusion list is anchored
    # as one group so that e.g. 210.10.x is not mistaken for 10/8
    if (($net=~/^\d+\.\d+\.\d+$/) &&
        !($net=~/^(0\.|10\.|192\.168\.|255\.255\.255$)/)){
        # list form of system: the URL reaches lynx without passing a shell
        system("lynx", "-dump", "http://www.powertech.no/smurf/probe.cgi?network=$net");
    } elsif ($net=~/---/) {
        die "\ndone.\n";
    }
}

What does it mean when the SAR says "No entry found for that network."? Many of the nets I'm in the process of registering result in that, even though they still have multiple hosts responding and are in the whois databases.

------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |  Spammers will be winnuked or
 Network Administrator       |  drawn and quartered...whichever
 Florida Digital Turnpike    |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
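
Added example, not part of Jon Lewis's post: the reply above skips 0/8, 10/8, 192.168/16 and 255.255.255/24 by pattern and leaves out 172.16/12; this Perl does the same filtering by numeric CIDR comparison, which covers 172.16/12 as well. The reserved list, the function names and the sample lines are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original post): numeric CIDR filter for the
# /24 prefixes that smurfstat prints, covering 172.16/12 as well.
use strict;
use warnings;

# Ranges never worth reporting as amplifiers: the four named in the post
# plus 172.16/12. Each entry becomes [network, mask] as 32-bit integers.
my @reserved = map {
    my ($base, $len) = split m{/}, $_;
    my $mask = (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
    [ to_int($base) & $mask, $mask ];
} qw(0.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.0/24);

# Dotted quad, or a three-octet smurfstat prefix, to a 32-bit integer.
# Returns undef when the text is not a well-formed address.
sub to_int {
    my ($text) = @_;
    my @o = split /\./, $text, -1;
    push @o, 0 if @o == 3;                 # "a.b.c" stands for a.b.c.0/24
    return unless @o == 4;
    for (@o) { return unless /\A\d{1,3}\z/ && $_ <= 255 }
    return unpack('N', pack('C4', @o));
}

# True when the prefix is malformed or falls inside a reserved range.
sub is_reserved {
    my ($prefix) = @_;
    my $n = to_int($prefix);
    return 1 unless defined $n;
    return scalar grep { ($n & $_->[1]) == $_->[0] } @reserved;
}

# Constructed sample in smurfstat's "prefix: count" output format.
# 172.32.1 and 210.10.5 look similar to reserved space but are not in it.
my @sample = (
    "192.0.2:     14", "10.1.2:      9", "172.16.5:    7",
    "172.32.1:    3",  "210.10.5:    2", "255.255.255: 1",
);
for my $line (@sample) {
    my ($prefix) = split /:/, $line, 2;
    printf "%-12s %s\n", $prefix, is_reserved($prefix) ? "skip" : "report";
}
```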