> > > CERT Advisory CA-95:01 states: > "It is important to note that the described attack is possible even if no > reply packets can reach the attacker." > > How can this be? If you simulate a connection from trusted host and trusted account to something like the rsh port with the following command: echo "+ +" > .rhosts The attacker doesn't need to see the reply packets, but now he/she is able to rlogin/rsh in from anywhere. -- Christopher William Klaus Voice: (404)518-0099. Fax: (404)518-0030 Internet Security Systems, Inc. Computer Security Consulting 2209 Summit Place Drive, Atlanta, GA. 30350-2450.