Smurf amp notification script?

> Does anyone have a script that takes a list of IP addresses, looks
> them up in whois, and mails the contact for them and tells them
> they're a smurf amp (with appropriate pointers to self-help files,
> etc)?
>
> If it can read sorted output from Cisco "sh ip cache flow", that'd be
> a bonus.

No, but we'd be interested in this if you come across one. Ronald Guilmette's
ipw (www.e-scrub.com/ipw/) is the closest I've seen, and it's unreliable at
best.

The enclosed hack worked last time I tried it (but no guarantees).
Change occurrences of OpNet/op.net to your own name.

  --jeff

#!/usr/local/bin/perl

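# Read one network/address per line from stdin or the files named in @ARGV.
while( <> ){
    chomp;
    $net = $_;

    # Retry until whois yields a contact; this never ends if none exists.
    $email = lookup($net);
    while( !$email ){
        sleep 5;
        $email = lookup($net);
    }

    print "$net <$email>\n";
    email( $net, $email ) if $email;
    sleep 2;
}
exit;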

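# Return the coordinator's e-mail address for $net from ARIN whois,
# following the NETBLK- handle when the record itself has no contact.
sub lookup {
    my($net) = @_;
    my($email, $coord, $netblock);

    # $net is interpolated into a shell command below, and on recursion it
    # comes from whois output, so accept only address/handle characters.
    return '' unless $net =~ /^[A-Za-z0-9][A-Za-z0-9.\/-]*$/;

    open(W, "whois -h whois.arin.net $net |");

    $email = '';
    $netblock = '';
    $coord = 0;
    while( <W> ){
        chomp;

        # On the line after "Coordinator", take the text following ")".
        if( $coord ){
            $coord = 0;
            ($email) = /.*\)\s*(.*)/;
            last;
        }
        $coord = 1 if /Coordinator/;

        if( /NETBLK-/ ){
            $netblock = $_;
            $netblock =~ s/.*\(//;
            $netblock =~ s/\).*//;
        }
    }
    close(W);

    return $email if $email;

    return lookup( $netblock ) if $netblock;

    '';
}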

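# Mail the notice for $net to $email through sendmail.
sub email {
    my($net, $email) = @_;

    # Skip contacts containing NOWHERE before starting sendmail.
    if( $email =~ /NOWHERE/ ){
        print "**** NOWHERE ****\n";
        return;
    }

    open(E, "|sendmail -t");

    print E <<EOF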

> > Does anyone have a script that takes a list of IP addresses, looks
> > them up in whois, and mails the contact for them and tells them
> > they're a smurf amp (with appropriate pointers to self-help files,
> > etc)?
> The enclosed hack worked last time I tried it (but no guarantees).
> Change occurrences of OpNet/op.net to your own name.
> #!/usr/local/bin/perl

[snip]

>     open(W, "whois -h whois.arin.net $net |");

Ok, that does fine for machines whose authoritative whois record is within
the ARIN whois database, but what about the other two thirds of the globe,
namely RIPE (Europe) and APNIC (Asia-Pacific)? Congratulations, you've
just emailed either 'nicdb@ripe.net' or 'sysadm@apnic.net' blaming one of
the IP registries for running (in this case) a smurf amplifier.

Please, go and track down the ipw script, it's better than nothing as it
does have some knowledge of which whois server to query. That way, you
won't get the ever-so-nicely worded response which basically says 'Ahem.
Go query our whois server for the *correct* information.'.
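
The failure described in the last reply, as an added example that is not part of the original thread: a check that stops a notification from going to a registry role address and plans a re-query instead. The function names, the sample responses (constructed, not real records) and the mapping of the two addresses to whois.ripe.net and whois.apnic.net are assumptions of this example.

```python
import ipaddress
import re

# Registry role addresses named in the thread, mapped (assumption) to the
# whois server that holds the real record for space ARIN does not manage.
REGISTRY_CONTACTS = {
    "nicdb@ripe.net": "whois.ripe.net",
    "sysadm@apnic.net": "whois.apnic.net",
}

def whois_argv(server, target):
    """Build an argv list for whois; raises ValueError on a non-IP target."""
    ip = ipaddress.ip_address(target.strip())
    return ["whois", "-h", server, str(ip)]

def coordinator_email(whois_text):
    """Return the address on the line after 'Coordinator', as the Perl does."""
    lines = whois_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "Coordinator" in line:
            m = re.search(r"\)\s*(\S+@\S+)", lines[i + 1])
            return m.group(1).lower() if m else None
    return None

def next_step(target, arin_text):
    """Decide what to do with one ARIN answer: notify, requery, or skip."""
    email = coordinator_email(arin_text)
    if email is None:
        return ("skip", "no coordinator contact in response")
    if email in REGISTRY_CONTACTS:
        # The registry itself is listed: ask its own server, mail nobody yet.
        return ("requery", whois_argv(REGISTRY_CONTACTS[email], target))
    return ("notify", email)

# Constructed sample responses (not real whois records).
SAMPLE_LOCAL = """Example Net (NETBLK-EXAMPLE)
   Coordinator:
      Doe, Jane (JD0-ARIN)  noc@example.net
"""
SAMPLE_RIPE = """European Regional Internet Registry (NETBLK-RIPE-EXAMPLE)
   Coordinator:
      RIPE NCC (RIPE-NCC-ARIN)  NICDB@ripe.net
"""

if __name__ == "__main__":
    print(next_step("192.0.2.10", SAMPLE_LOCAL))
    print(next_step("198.51.100.7", SAMPLE_RIPE))
```

The argv list from a "requery" result is meant to be passed to subprocess.run without a shell, and the answer from that server parsed in that registry's own format.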