SMURF Detector Software

Mailman List Mirror (Read Only)
1

Hi,

I, as many of you have had to deal with various types of denial of service
attacks or other attacks. A good number of these attacks can be characterized
by one host sending to many destinations, many hosts on one subnet sending
to one destination, one host sending to very similar or the same IP address
(host/port scans) etc.

Confronted with detecting this to warn my customers if they are victims, or
admonish my customers if they are the culprits, I wrote a tool
to give me some indication when this kind of thing is going on, while it
is still happening using netflow data.

I modified Ciscos' fdget program they make available on one of their
ftp sites to look for self similar source or destination addresses in
netflow data blocks. Thanks go to Cisco for leting me distribute this
to the group.

You can give it a try if you want. It is avaliable via anonymous ftp on
venera.isi.edu in subdirectory mon. The file names you will need to
know to retrieve by name are:

smurfind.c C program
README.smurfind documentation
flowdata.h C program definitions (written by cisco folks)
smurfind.rc sample data file

You can't do an ls on the directory. I used version 5 netflow data to debug
the code. I haven't tested it against version 1 or other versions.

B.T.W. The program dumps legitimate data as suspect. If however the rate at
which the program shows suspect data changes, that is when you need to
look more closely.

The output from the program is very valuable to confront the guilty party
to demonstrate that something inapropriate is going on.

Let me know what you think.

Walt Prue
Los Nettos

2

I wrote something like this a few weeks ago, it's included in a package
we've been using at OSU for the past few years. We get scanned in some
form or another about ten times a day :frowning:

ftp://ftp.net.ohio-state.edu/users/maf/cisco/flow-tools.tar.gz

flow-dscan

  match src ip with dst ip and portlist < 1024. Tries to locate
  host and port scans. Includes an ager so it can be run continually
  without eating up an infinite amount of memory. A suppress list
  can also be specified with a src ip, and optional protocol srcport
  and dstport. By disabling the ager and setting the dump state option
  this can be used to create a srcIP to dstIP/portmap<1024 table.

  examples:

  locate port and host scans in rf, but ignore TCP replies from a busy MS
  web server. Don't run in the background.
  echo "12.19.68.8 6 80 -" > dscan.suppress
  flow-dscan < -b rf

  same, but dump the internal state on exit to "statefile"
  flow-dscan -b -s statefile -p < rf

  Connect to flow-capture to process real time flows. Runs in the
  background, logs to syslog LOG_LOCAL6
  nc flow-collector.foobar.edu 9991 | flow-dscan -w

  The statefile is just the internal hash table. It's a mapping of
  srcIP to dstIP's and ports < 1024.

  type=hash bucket depth flags srcIP
  H 0 1 0 152.171.152.171
  type=include nflows dstIP
  I 10777445 128.146.125.90
  type=hash bucket depth flags srcIP
  H 0 5 0 206.12.206.12
  type=include nflows dstIP
  I 4635135 128.146.161.7
  type=include nflows dstIP
  I 19387662 128.146.48.7
  type=port nports portnum
  P 1 53

  -l can be used to load this statefile before processing the flows,
  use for interrupted operation.

  when running live, SIGHUP will reload the suppress list, and SIGUSR1
  will dump state.

  The ager runs every 1000 flows. It runs down a subset of the hash
  table each run, removing records that were created 90,000 flows prior
  to the current. Modify the ager timeout with -t

  The host scanner works by counting the length of the destination IP
  hash chain. If it goes above 64, then the src is considered to
  be scanning. Modify depth trigger with -D.

  The port scanner works by keeping a bitmap of the destination port
  number < 1024 per destination IP. If it goes above 64, the src is
  considered to be port scanning the destination. Modify port trigger
  with -P.

  When a src has been flagged as scanning it will not be reported again
  until the record is aged out and enough flows trigger it again.

  Remove the -b flag and it will run in the background and log via syslog

  Use the built in interface filters to limit detection to inbound or
  outbound scans on a border router. For example if interface 1 is
  the outside (Internet) interface and 2 and 3 are the inside (Campus)
  interfaces

  detect only inbound scans
  flow-dscan -i1 -I2,3

  If you can't figure out the interface numbers, try using flow-print
  first.

  -w is a built in web filter. Use of this could possibly hide real
  scans.

  -m is a built in multicast address filter

  -O,-P,-T can trigger a messages based on excessive octets, packets, or
  flow duration. This can be used to detect denial of service attacks.

  -h lists the other options.