Bugtraq mailing list archives
Re: 1+2=3, +++ATH0=Old school DoS
From: xdesign () HOTMAIL COM (Daniel Hauck)
Date: Mon, 28 Sep 1998 01:24:03 -0500
With all due respect to you and your prior efforts, I will also add that I tested the attack against a random channel on IRC and I downed about 33-40% of the victims tested against.

In spite of what you are mentioning, it seems apparent that the folks at Rockwell did not purchase the patent...and Rockwell chipset modems are quite popular these days. My own dialup modem was susceptible to the attack (ref: the pipebomb blew up in my face.) until I fixed that. The stuff at work was also Rockwell based until I fixed it.

The results are surprisingly good. Though it's an old attack (from way back in the BBS days) it's still quite valid.

--my 2 cents.

-----Original Message-----
From: Brett Glass <brett () LARIAT ORG>
To: BUGTRAQ () NETSPACE ORG <BUGTRAQ () NETSPACE ORG>
Date: September 28, 1998 0:41
Subject: Re: 1+2=3, +++ATH0=Old school DoS
I'm not entirely sure that these "kidz" quite understand what's going on here, so it probably pays to elucidate a bit.

Some time ago, Hayes Microcomputer Products got a patent -- known as the "Heatherington patent" -- on its method of doing modem escape sequences. The patent was a "submarine" patent -- that is, one that issues long after others in the industry have begun using the same technique or technology -- and was bitterly disputed by other modem vendors, who didn't want to pay money to Hayes. However, Hayes gradually won most of the lawsuits due to deep pockets, clever lawyers, and the idiosyncrasies of the patent system.

The patent involved the timing of the escape sequence: The characters "+++" followed by a 1-second pause. To get around the patent, some modem vendors simply eliminated the pause, so that the sequence +++AT would bring the modem back to command mode in all cases.

Hayes, bitter about not being paid royalties by these vendors, sabotaged its own press releases by placing the characters "+++ATH0" at the top of each document and then circulating them widely. (The idea, I suppose, was to make the press believe that other brands of modems were not reliable.) I exposed this primitive denial of service attack in my InfoWorld column in 1991.

Eventually, modem chip vendors licensed the patent, so that modem manufacturers didn't need to anymore. At that point, the whole issue became moot and the production of modems that didn't require a pause after the "+++" stopped.

Today, it's rare to find a modem that responds to the attack unless there happens to be a long pause in the data stream after the "+++". Most ISPs program their modems to ignore the "+++" sequence, and so make their modems immune to it. You can, too, by setting the proper "S-register" on your modem. (You can still hang up the modem by dropping the DTR line, as virtually all communications programs do nowadays.)

Therefore, this DoS attack isn't a big deal. It's easily preventable, rarely effective, and relatively harmless (all you have to do, if it hits, is redial).

--Brett Glass
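The difference between the two escape designs described in the quoted message, as an added example that is not part of either post: a constructed Python model of a modem's in-band escape detection, showing when a "+++ATH0" carried inside ordinary data is treated as a command. The function name, its parameters and the sample streams are assumptions made for illustration, and the model checks only the pause after "+++".

```python
GUARD = 1.0  # seconds of silence after "+++", the pause the quoted message describes


def hangs_up(events, needs_pause, escape_enabled=True):
    """Return True if the modelled modem executes a hang-up command.

    events: list of (arrival_time_seconds, bytes) seen in the data stream.
    needs_pause: True models the pause-after-"+++" design, False models the
        pause-free design where "+++AT" always enters command mode.
    escape_enabled: False models a modem configured to ignore "+++".
    This is a simplified, hypothetical model, not any vendor's firmware.
    """
    tail, cmd, in_command, last_t = b"", b"", False, 0.0
    for t, chunk in events:
        for byte in chunk:
            c = bytes([byte])
            if escape_enabled and not in_command and needs_pause:
                # "+++" only counts if the line then stayed silent long enough.
                if tail.endswith(b"+++") and t - last_t >= GUARD:
                    in_command = True  # this byte is already command input
            if in_command:
                if c != b"\r":
                    cmd += c
                elif cmd.upper() in (b"ATH", b"ATH0"):
                    return True  # hang-up command executed
                else:
                    cmd = b""  # some other command line; keep listening
            else:
                tail = (tail + c)[-5:]  # keep just enough data to match "+++AT"
                if escape_enabled and not needs_pause and tail.upper() == b"+++AT":
                    in_command, cmd = True, b"AT"
            last_t = t
    return False


# Constructed sample streams (not captured traffic).
INLINE = [(0.0, b"PING +++ATH0\r more data")]     # sequence embedded in data
PAUSED = [(0.0, b"data+++"), (1.5, b"ATH0\r")]    # long gap after "+++"
SHORT_GAP = [(0.0, b"data+++"), (0.2, b"ATH0\r")]  # gap shorter than GUARD
```

INLINE drops only the pause-free model, while PAUSED also drops the pause-checking model, which is the "long pause in the data stream" case the quoted message mentions; with the escape disabled neither stream has any effect.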