Program
-------
    SmurfLog v2.1 by Richard Steenbergen <humble@lightning.net>
    A program to assist in the logging of smurf attacks.


Purpose
-------
    This program is designed to log smurf attacks and the amplifier networks.
    Essentially, it is an ICMP Echo Reply logger with the following twists:
    - Logging only begins after passing a certain threshold rate of packets/sec
      and kilobytes/sec from incoming echo replies. This prevents the logging
      of innocent ping replies.
    - Only the /24 is logged, and it is only logged once per attack.

    Before this program, if you wanted to log the smurf broadcasts used during
    an attack, you had to either get to the machine being attacked and start
    an ICMP logger, or run one continuously and pray that the smurf stopped
    before you ran out of HD space.

    During an average smurf attack, the log files can reach sizes of 800MB or
    more in 10 to 15 minutes. You must then go through the hassle of grep'ing,
    awk'ing, sort'ing, and uniq'ing the logs to determine which networks must
    be mailed. Not exactly a pleasant task, and not everyone can get to the
    machine in time or leave an ICMP logger running.

    SmurfLog solves this problem by providing a simple, low-CPU-usage system
    that records only unique /24s. It can safely be left running on any system
    and will (should) record only broadcasts used during a genuine smurf attack.

    Of course you are required to use a little common sense. If you ping out
    while under attack and successfully receive a reply, it will be included
    with the other IPs, and of course don't be surprised if you end up with
    things like 10.0.0.0, 0.0.0.0, 255.255.255.255, etc. from others' poorly
    configured networks (but you knew that already).


Platforms
---------
    This has been fully tested on FreeBSD, and compiles cleanly on Linux,
    OpenBSD, BSDI, and Solaris. Of course, it's difficult to find people who
    are willing to run this and then piss off a packet kiddie, so the best
    of luck to you, and let me know if you have problems or suggestions.


How to use
----------
    Run ./configure
    Edit config.h, change the settings to suit your needs and your network.
    Run make

    Options:
      -h             Display help
      -p             Enable promisc mode for selected interface
      -i <iface>     Select the interface to monitor
      -f <filename>  Log to a selected file instead of syslog

    By default everything goes to stdout, so you'll most likely want to
    redirect that to a log file and background it.

    MD5 (smurflog.c) = c2439f95cde6b18ea4e127962d2aaf62
    MD5 (smurflog.h) = 02eab7814cac5950447b0737f9dc4d0f
    MD5 (hash.c)     = 585d0b1de4f72bcd4094a6ab0727df7f
    MD5 (hash.h)     = d356bb0e96f2277daf7ce1625ef03c82


Contact
-------
    IRC:   humble (EFnet)
    EMAIL: Richard Steenbergen <humble@lightning.net>
    WEB:   http://www.bitchx.com/~humble
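Added example, not SmurfLog's own code: a Python model of the logging policy the Purpose section describes (no logging until incoming Echo Replies exceed a packets/sec and kilobytes/sec threshold, then each source /24 recorded once), run over a constructed stream of reply records. The class name, the one-second sliding window, the thresholds and the sample addresses are assumptions.

```python
import ipaddress
from collections import deque


class SmurfLogModel:
    """Hypothetical model of SmurfLog's threshold + unique-/24 logic."""

    def __init__(self, pps_threshold, kbps_threshold, window=1.0):
        self.pps_threshold = pps_threshold      # packets/sec needed to start logging
        self.kbps_threshold = kbps_threshold    # kilobytes/sec needed to start logging
        self.window = window                    # sliding window length in seconds (assumed)
        self.recent = deque()                   # (timestamp, size) of replies inside the window
        self.bytes_in_window = 0
        self.logged = set()                     # /24s already recorded during this attack
        self.log = []                           # ordered record of unique /24s

    def echo_reply(self, ts, src, size):
        """Feed one Echo Reply; return the /24 string if it is newly logged, else None."""
        self.recent.append((ts, size))
        self.bytes_in_window += size
        while self.recent and ts - self.recent[0][0] > self.window:   # expire old replies
            _, old = self.recent.popleft()
            self.bytes_in_window -= old
        pps = len(self.recent) / self.window
        kbps = self.bytes_in_window / 1024 / self.window
        if pps < self.pps_threshold or kbps < self.kbps_threshold:
            return None                         # innocent-looking reply rate: log nothing
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        if net in self.logged:
            return None                         # this amplifier /24 was already recorded
        self.logged.add(net)
        self.log.append(str(net))
        return str(net)


def constructed_capture():
    """Constructed sample: five innocent replies at 1/s, then 200 replies in 0.5 s from two /24s."""
    pkts = [(float(t), "192.0.2.5", 64) for t in range(5)]
    amplifiers = ["198.51.100", "203.0.113"]
    for i in range(200):
        pkts.append((10.0 + i * 0.0025, f"{amplifiers[i % 2]}.{i % 254 + 1}", 1024))
    return pkts


def run(pkts, pps=50, kbps=100):
    """Replay a capture through the model and return the unique /24s it logged."""
    model = SmurfLogModel(pps, kbps)
    for ts, src, size in pkts:
        model.echo_reply(ts, src, size)
    return model.log
```

With the constructed stream the innocent 192.0.2.5 replies never reach the threshold, while the burst crosses 100 packets/sec and 100 KB/sec at its 100th reply and each amplifier /24 is written exactly once.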