On Mon, 14 Feb 2000, Roger De Salis wrote:
> Had the target insisted the ISP put the "no ip directed broadcast" command on the outgoing line from the ISP to the target, then the Smurf would not have worked.
On the same topic - the Lucent/Ascend equivalent of this is IP-GLOBAL/icmp-reply-directed-bcast, IP-INT/directed-broadcast-allowed, or (on the LCD interface), Ethernet/Mod Config/Reply DirectedBcast and Forward Directed Bcast.

In addition, I strongly recommend usage of the Ascend-Source-IP-Check RADIUS attribute in your default RADIUS reply profile. This attribute tells the NAS to enforce the netmask on the *source* address of packets coming in a switched connection. This lets you dispose of all spoofed packets from dialups without the use of an explicit, hard to maintain (and CPU expensive) filter (needs TAOS 7.x and later).

--
Josh Bailey (joshbailey(a)lucent.com)
"Josh is... at large" -- F.W.
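
The per-session source check described in the reply above, modelled in Python as an added example (not code from the post or from TAOS). It assumes the permitted network is the session's Framed-IP-Address masked with its Framed-IP-Netmask; the session table, port names and packets are constructed.

```python
import ipaddress
from collections import Counter

# Constructed dial-up sessions: port -> (Framed-IP-Address, Framed-IP-Netmask).
# Addresses come from the RFC 5737 documentation ranges.
SESSIONS = {
    "modem-1": ("192.0.2.10", "255.255.255.255"),    # single host
    "isdn-7": ("198.51.100.9", "255.255.255.248"),   # routed /29 behind the caller
}

# Constructed packets: (port the packet arrived on, source address in its header).
PACKETS = [
    ("modem-1", "192.0.2.10"),     # the caller's own address
    ("modem-1", "203.0.113.50"),   # spoofed: somebody else's address
    ("isdn-7", "198.51.100.12"),   # host inside the caller's /29
    ("isdn-7", "198.51.100.20"),   # just outside the /29
    ("isdn-7", "192.0.2.10"),      # another caller's address
    ("modem-9", "192.0.2.77"),     # no such session
]


def allowed_network(framed_ip, framed_netmask):
    """Network a session may source packets from (mask applied to the address)."""
    return ipaddress.ip_network(f"{framed_ip}/{framed_netmask}", strict=False)


def source_ok(sessions, port, src):
    """True if src lies inside the network assigned to the session on port."""
    if port not in sessions:
        return False  # fail closed: unknown session
    return ipaddress.ip_address(src) in allowed_network(*sessions[port])


def filter_packets(sessions, packets):
    """Split packets into forwarded and dropped, and count drops per port."""
    forwarded, dropped, drops = [], [], Counter()
    for port, src in packets:
        if source_ok(sessions, port, src):
            forwarded.append((port, src))
        else:
            dropped.append((port, src))
            drops[port] += 1
    return forwarded, dropped, dict(drops)


if __name__ == "__main__":
    fwd, drp, per_port = filter_packets(SESSIONS, PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drp)
    print("drops per port:", per_port)
```

The per-port drop count is the useful by-product: a dial-up port that keeps tripping the check is a candidate source of spoofed traffic.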