THANKS. That explains it all:

1) Bad guys do a ping on our directed broadcast address.

2) Our Cisco (when not equipped with "no ip directed-broadcast")
   rewrites this into a full broadcast (255.255.255.255) to the MAC
   broadcast (uuuh - that was unexpected, I thought it simply explodes
   into a MAC broadcast but stays a directed one on layer 3).

3) A hell of a lot of answers flood back to the poor victim (I'm
   somewhat sure that the real victim was the address these replies
   went to; if 'da GuYz did this in parallel with some other sites that
   still respond to broadcast pings, the victim is really shot to death
   [they got 150 MB in some 10 mins only from us]).

4) I stumbled around the part of replies that got off 127.0.0.2 and
   feared a break-in on one of our machines or customer profiles or at
   one of our customers. Stats from Radacct and MRTG, however, didn't
   see any excess traffic. Now I know why -->

5) The supposed-to-be-cracked 127.0.0.2 source was the set of Maxen in
   our net. They replied to the ICMP with this source IP for whatever
   reason. This is of course a bug, but on the other hand it saved us
   some bucks - traffic from 127.0.0.2 to somewhere in the Net doesn't
   match our IP-accounting slot at the upstream ISP ;)

Old bug? I remember that more than a year ago Ascend boxes responded to
a directed broadcast not from their own address, but from the directed
broadcast address. Thought that was fixed, but not entirely as it
seems - it doesn't happen with the directed broadcast any longer, but
with 255.255.255.255 it still does.

-- 
Kanther-Line: PGP SSH IDEA MD5 GOST RIPE-MD160 3DES RSA FEAL32 RC4

+-o-+--------------------------------------------------------+-o-+
| o |                 \\\- Brain Inside -///                 | o |
| o |                     ^^^^^^^^^^^^^^                     | o |
| o | Andre' Beck (ABPSoft) beck@ibh-dd.de XLink PoP Dresden | o |
+-o-+--------------------------------------------------------+-o-+
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	&lt;<A HREF="http://www.nealis.net/ascend/faq">http://www.nealis.net/ascend/faq</A>&gt;
</PRE>
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<HR>
<STRONG>Follow-Ups</STRONG>:
<UL>
<LI><STRONG><A HREF="msg11998.html">Re: (ASCEND) 127.0.0.[2-xxx]</A></STRONG></LI>
<UL>
<LI><EM>From</EM>: Phillip Vandry &lt;vandry@Mlink.NET&gt;</LI>
</UL>
</UL>
<!--X-Follow-Ups-End-->
<!--X-References-->
<STRONG>References</STRONG>:
<UL>
<LI><STRONG><A HREF="msg11978.html">Re: (ASCEND) 127.0.0.[2-xxx]</A></STRONG></LI>
<UL>
<LI><EM>From</EM>: Matt Holdrege &lt;matt@ascend.com&gt;</LI>
</UL>
<LI><STRONG><A HREF="msg11980.html">Re: (ASCEND) 127.0.0.[2-xxx]</A></STRONG></LI>
<UL>
<LI><EM>From</EM>: Michiel Boland &lt;boland@diva.nl&gt;</LI>
</UL>
</UL>
<!--X-References-End-->
</BODY>
</HTML>