COMMAND

    portmaster

SYSTEMS AFFECTED

    Livingston portmaster

PROBLEM

    Doug Ingraham posted the following.  PM3s are susceptible to a heavy
    DoS attack.  Anyone with access to a decent  (T1 or possibly  less)
    Internet connection can completely saturate the Ethernet segment on
    which your PM3(s) live.  The bug has to do with the PM3 advertising
    routes for its assigned address pool on your network: when  packets
    for those addresses arrive at the PM3, the PM3  stupidly  forwards
    them straight back to the gateway, which routes them to the PM3
    again, causing a packet loop on your segment until the TTL expires.
    Every attacker packet is therefore carried across the segment many
    times over, which is what makes a modest upstream link enough.

SOLUTION

    The problem has been reported to Lucent and they said they will be
    working on it.  According to Doug Ingraham, the PM2 had the  same
    problem and the solution is an output filter (ofilter) on the
    Ethernet interface.  If your PM's Ethernet address is 192.168.0.10
    and your assigned IPs start at 192.168.2.16 with a pool size of 48
    (that is, 192.168.2.16 through 192.168.2.63, which is exactly the
    two blocks 192.168.2.16/28 and 192.168.2.32/27), as an example your
    filter needs to look like:

        add fil e.out
        set fil e.out 1 permit 192.168.2.32/27
        set fil e.out 2 permit 192.168.2.16/28
        set fil e.out 3 permit 192.168.0.10/32
        set fil e.out 4 deny log

    The filter must then be attached to the Ethernet interface with
    set ether0 ofilter e.out (ether0 is the usual interface name; use
    yours) and the configuration saved with save all.  If you have
    routes assigned by RADIUS you will also need to include permits for
    those.  This solves the problem because it allows the box to source
    only the addresses it is supposed to be able to source: a looped
    packet leaving the PM3 carries an outside source address, matches
    none of the permit rules, and is dropped (and logged) by the final
    deny rule instead of being handed back to the router.  If you do
    this on all boxes and apply equivalent filtering at your borders,
    nobody will be able to spoof those IP addresses and inject them
    into your network, so packets won't bounce between your PM and your
    router like they do now, a couple of hundred times before the  TTL
    expires.
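    The filter above is hand-derived from the pool start and size.  The
    following Python script is an added example (not part of Doug
    Ingraham's post or of Lucent's software) that generalises the
    derivation: it splits any pool start/size into the minimal set of
    CIDR blocks, emits the ofilter rules in the same "set fil" syntax
    the advisory uses, and evaluates whether a given source address
    would be permitted out of the Ethernet interface.  The pool,
    address and filter name are the advisory's example values; the
    RADIUS route 192.168.5.0/24 is a constructed placeholder.

```python
import ipaddress


def pool_blocks(start, size):
    """Minimal CIDR blocks covering `size` consecutive addresses from `start`.

    192.168.2.16 with size 48 covers .16-.63, which is .16/28 plus .32/27.
    """
    first = ipaddress.IPv4Address(start)
    last = first + (size - 1)
    return list(ipaddress.summarize_address_range(first, last))


def compile_permits(pm_addr, pools, radius_routes=()):
    """Source networks the PortMaster may legitimately emit on ether0.

    pools: iterable of (start, size); radius_routes: CIDR strings for
    routes assigned by RADIUS (the advisory says these need permits too).
    """
    nets = []
    for start, size in pools:
        nets.extend(pool_blocks(start, size))
    nets.extend(ipaddress.IPv4Network(r) for r in radius_routes)
    # The box's own Ethernet address must be permitted as well.
    nets.append(ipaddress.IPv4Network(f"{pm_addr}/32"))
    return nets


def render_ofilter(name, nets):
    """ComOS commands for an output filter: permits, then a logging deny."""
    lines = [f"add fil {name}"]
    for i, net in enumerate(nets, 1):
        lines.append(f"set fil {name} {i} permit {net}")
    lines.append(f"set fil {name} {len(nets) + 1} deny log")
    return lines


def egress_permitted(nets, src):
    """First-match evaluation of the filter against a packet's source.

    A looped attack packet carries the outside attacker's source address,
    so it matches no permit and hits the trailing deny.
    """
    addr = ipaddress.IPv4Address(src)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    nets = compile_permits("192.168.0.10", [("192.168.2.16", 48)],
                           radius_routes=["192.168.5.0/24"])  # constructed
    print("\n".join(render_ofilter("e.out", nets)))
    for src in ("192.168.2.17", "192.168.2.63", "192.168.2.64", "203.0.113.9"):
        print(src, "permit" if egress_permitted(nets, src) else "deny")
```

    Rule order differs from the advisory (ascending blocks instead of
    /27 first), which is harmless since every pool rule is a permit;
    only the position of the final deny matters.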