Name          Date         Size     #Lines  LOC
..            03-May-2022  -
Makefile.in   03-May-2022  559      30      23
README        30-Nov-1998  2.8 KiB  72      56
config.h.in   30-Nov-1998  1.7 KiB  56      44
configure     03-May-2022  45 KiB   1,490   1,210
configure.in  23-Nov-1998  571      30      24
hash.c        23-Nov-1998  1.2 KiB  65      53
hash.h        23-Nov-1998  183      10      8
smurflog.c    30-Nov-1998  5.7 KiB  267     229
smurflog.h    23-Nov-1998  376      11      8
README

Program
-------
  SmurfLog v2.1 by Richard Steenbergen <humble@lightning.net>
  A program to assist in the logging of smurf attacks.


Purpose
-------
  This program is designed to log smurf attacks and the amplifier networks.
  Essentially, it is an ICMP Echo Reply logger with the following twists:
   - Logging only begins after passing a certain threshold rate of packets/sec
     and kilobytes/sec from incoming echo replies. This prevents the logging
     of innocent ping replies.
   - Only the /24 is logged, and it is only logged once per attack.

  Before this program, if you wanted to log the smurf broadcasts used during
  an attack, you had to either get to the machine being attacked and start
  an ICMP logger, or run one continuously and pray that the smurf stopped
  before you ran out of HD space.

  During an average smurf attack, the log files can reach sizes of 800MB or
  more in 10 to 15 minutes. You must then go through the hassle of grep'ing,
  awk'ing, sort'ing, and uniq'ing the logs to determine which networks must
  be mailed. Not exactly a pleasant task, and not everyone can get to the
  machine in time or leave an ICMP logger running.

  SmurfLog solves this problem by providing a simple, low-CPU-usage system
  that records only unique /24's. It can safely be left running on any system
  and will (should) record only broadcasts used during a genuine smurf attack.

  Of course you are required to use a little common sense. If you ping out
  while under attack and successfully receive a reply, it will be included
  with the other IPs, and of course don't be surprised if you end up with
  things like 10.0.0.0, 0.0.0.0, 255.255.255.255, etc., from others' poorly
  configured networks (but you knew that already).


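  The two twists from the Purpose section (a packets/sec and kilobytes/sec
  threshold, then one log entry per /24 per attack), as an added C example
  that is not SmurfLog's own source. The threshold values, the one-second
  window, the rule that a quiet window ends the attack, all names, and the
  constructed traffic (documentation address ranges) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PPS_MIN   5u            /* assumed threshold: echo replies per second */
#define BYTES_MIN (2u * 1024u)  /* assumed threshold: 2 KB per second */
#define MAX_NETS  64

struct detector {
    uint32_t sec, pkts, bytes;  /* counters for the current one-second window */
    int attacking;
    uint32_t nets[MAX_NETS];    /* /24s already logged during this attack */
    int n_nets;
};

static int over(const struct detector *d)
{
    return d->pkts >= PPS_MIN && d->bytes >= BYTES_MIN;
}

/* Feed one ICMP echo reply; returns 1 when it adds a new /24 to the log. */
int feed(struct detector *d, uint32_t sec, uint32_t src, uint32_t len)
{
    if (sec != d->sec) {
        /* Quiet previous window, or a gap: attack over, forget its /24s. */
        if (!over(d) || sec != d->sec + 1) { d->attacking = 0; d->n_nets = 0; }
        d->sec = sec; d->pkts = 0; d->bytes = 0;
    }
    d->pkts++; d->bytes += len;
    if (over(d)) d->attacking = 1;
    if (!d->attacking) return 0;          /* below threshold: innocent ping */
    uint32_t net = src & 0xFFFFFF00u;     /* keep only the /24 */
    for (int i = 0; i < d->n_nets; i++)
        if (d->nets[i] == net) return 0;  /* already logged once */
    if (d->n_nets == MAX_NETS) return 0;
    d->nets[d->n_nets++] = net;
    return 1;
}

/* Constructed traffic: one stray reply, then a 2-second flood from two /24s. */
int demo(struct detector *d)
{
    memset(d, 0, sizeof *d);
    int logged = feed(d, 100, 0xC6336407u, 84);   /* 198.51.100.7 */
    for (uint32_t i = 0; i < 20; i++)             /* 203.0.113.x and 192.0.2.x */
        logged += feed(d, 200 + i / 10, (i % 2 ? 0xC0000200u : 0xCB007100u) + i, 1024);
    return logged;
}

int main(void)
{
    struct detector d;
    printf("%d networks logged\n", demo(&d));
    return 0;
}
```

  Replies that arrive before the window crosses both thresholds are not
  recorded, so a /24 that only appears in those first packets is picked up
  on its next reply.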
Platforms
---------
  This has been fully tested on FreeBSD, and compiles cleanly on Linux,
  OpenBSD, BSDI, and Solaris. Of course, it's difficult to find people who
  are willing to run this and then piss off a packet kiddie, so the best
  of luck to you, and let me know if you have problems or suggestions.


How to use
----------
  Run ./configure
  Edit config.h, change the settings to suit your needs and your network.
  Run make

  Options:
    -h             Display help
    -p             Enable promisc mode for selected interface
    -i <iface>     Select the interface to monitor
    -f <filename>  Log to a selected file instead of syslog

  By default everything goes to stdout, so you'll most likely want to
  redirect that to a log file and background it.

  MD5 (smurflog.c) = c2439f95cde6b18ea4e127962d2aaf62
  MD5 (smurflog.h) = 02eab7814cac5950447b0737f9dc4d0f
  MD5 (hash.c)     = 585d0b1de4f72bcd4094a6ab0727df7f
  MD5 (hash.h)     = d356bb0e96f2277daf7ce1625ef03c82


Contact
-------
  IRC:   humble (EFnet)
  EMAIL: Richard Steenbergen <humble@lightning.net>
  WEB:   http://www.bitchx.com/~humble