Earlier, cc wrote:
>>% I believe that a majority of the packets "nuking" connections out there are
>>% not perfect fakes; they are distinguishable from the real thing.
>>And how do you spot that which makes them distinguishable from the
>>real thing?
>Not sure, I've never done anything on the topic. I believe that the
>widely-distributed nuke.c program's packets (hope I don't over-simplify
>this) are FROM the "nuker", but say that the HOST is unreach. So basically
>I believe that newer versions of Cisco software check to see if the ICMP
>UNREACH is on the same subnet as the host which is unreachable. Something
>like that; I was in a detailed discussion about it a few months ago but
>that's all I remember, and that might be a little off.

Not exactly. Nuke (at least the version I have) was written to run under
SunOS using NIT. It creates fake packets on the raw Ethernet level. When
the packet reaches the host it is pretty much indistinguishable from a real
ICMP port unreachable packet. (Oh, btw, nuke sends port unreachable, not
host, but a change is obviously trivial.)

I've already seen nuke ported to several other OSes, where it uses sockets
instead of NIT. In this case your statement is right. Under sockets the
packets have the sender's address in them, rather than the host that the
packet says is unreachable.

In any case, the real solution is to have hosts that check both port
numbers in the fake ICMP packet. As was mentioned in another message, most
current systems do this checking, so nuke (and programs like it) don't work
very well. However, it is easily possible to make guesses at port numbers if
you want to sever a particular connection.

-Mike Widner <widnerm@hsdwl.utc.com>
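
The host-side check described in the message above (compare both port numbers quoted in the ICMP packet with a live connection), as an added example that is not part of the original message or taken from any particular TCP/IP stack. The names `struct conn` and `icmp_unreach_matches` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record for one established TCP connection (local = this host). */
struct conn { uint8_t laddr[4], raddr[4]; uint16_t lport, rport; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Return 1 only if the ICMP unreachable (buffer starts at the ICMP header)
 * quotes a TCP segment this host sent on connection c; otherwise 0. */
int icmp_unreach_matches(const uint8_t *icmp, size_t len, const struct conn *c)
{
    if (len < 8 + 20 + 8 || icmp[0] != 3)     /* too short, or not type 3 */
        return 0;
    const uint8_t *ip = icmp + 8;             /* quoted original IP header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8)
        return 0;                             /* bad header or ports missing */
    if (ip[9] != 6)                           /* quoted protocol must be TCP */
        return 0;
    if (memcmp(ip + 12, c->laddr, 4) || memcmp(ip + 16, c->raddr, 4))
        return 0;                             /* quoted addresses must match */
    const uint8_t *tcp = ip + ihl;            /* first 8 bytes of quoted TCP */
    return be16(tcp) == c->lport && be16(tcp + 2) == c->rport;  /* both ports */
}

/* Constructed sample: port unreachable quoting 192.0.2.10:1023 -> 192.0.2.20:513.
 * Checksums are zero because this sketch does not verify them. */
const uint8_t sample_icmp[36] = {
    3, 3, 0, 0, 0, 0, 0, 0,                   /* ICMP type 3, code 3 */
    0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0,  /* IPv4, IHL 5, protocol TCP */
    192, 0, 2, 10, 192, 0, 2, 20,             /* quoted source, destination */
    0x03, 0xff, 0x02, 0x01, 0, 0, 0, 1        /* source port, dest port, seq */
};
const struct conn sample_conn = { {192, 0, 2, 10}, {192, 0, 2, 20}, 1023, 513 };

int main(void)
{
    struct conn other = sample_conn;
    other.lport = 1022;                       /* a different local port */
    printf("same 4-tuple:   %d\n", icmp_unreach_matches(sample_icmp, 36, &sample_conn));
    printf("port mismatch:  %d\n", icmp_unreach_matches(sample_icmp, 36, &other));
    return 0;
}
```

A host applying this check drops any unreachable message whose quoted addresses and ports do not correspond to a connection it actually holds, instead of tearing the connection down.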