Bugtraq mailing list archives
Re: 1+2=3, +++ATH0=Old school DoS
From: rossw () ALBURY NET AU (Ross Wheeler)
Date: Mon, 28 Sep 1998 20:48:08 +1000
On Mon, 28 Sep 1998, kill9 wrote:
On Sun, 27 Sep 1998, Brett Glass wrote:Today, it's rare to find a modem that responds to the attack unless there happens to be a long pause in the data stream after the "+++"....Therefore, this DoS attack isn't a big deal. It's easily preventable, rarely effective, and relatively harmless (all you have to do, if it hits, is redial). --Brett GlassI have tested this out here locally, as well as with the help from a few other people onlin and it seems that 6 of 9 modems have been affected. I would hardly call that 'rarely effective', relatively harmless yes, but it seems to be a large percentage. I am interested to see more results as too how wide spread this is.
This was widespread when I was involved in Fidonet. There are two good cures, depending on the modems you use. 1. Make sure you have a guard time of at least a second. Due to licensing restrictions, not all modems implement guard times which is why the problem came about in the first place. 2. Change the escape lead-in sequence to something that's NOT "+++" Most modems will take any character with a decimal number >128 as a DISABLE, and will therefore "prevent" this DoS by ensuring an on-line modem never gets the escape lead-in in the first place. Even if your modem doesn't disable, you can pick some obscure code as an escape character. Don't use things that are likely to occur in normal use, like " " or "---" etc! There was an e-mail exploit some time back (12 months or more) that used exactly the same DoS to hang peoples mail, but simply including the string "+ + + ATH0" (without the spaces) in an e-mail message. When a vulnerable modem attempted to send the text, it went off-line immediately. RossW
Current thread:
- 1+2=3, +++ATH0=Old school DoS Max Schau (Sep 27)
- Re: 1+2=3, +++ATH0=Old school DoS Brett Glass (Sep 27)
- Re: 1+2=3, +++ATH0=Old school DoS kill9 (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Kevin Day (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Ross Wheeler (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS kill9 (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS *unknown* (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Jason (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Tudor Bosman (Sep 28)
- <Possible follow-ups>
- Re: 1+2=3, +++ATH0=Old school DoS Daniel Hauck (Sep 27)
- Re: 1+2=3, +++ATH0=Old school DoS Pete Gonzalez (Sep 27)
- Re: 1+2=3, +++ATH0=Old school DoS John M. Flinchbaugh (Sep 28)
- SHADOW group research indicates distributed probes and attacks Patrick Oonk (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Adrian Gonzalez (Sep 28)
- Modem ATH0 thread route () RESENTMENT INFONEXUS COM (Sep 28)
- IRIX 6.2 passwordless accounts exploit? Dan Stromberg (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS John M. Flinchbaugh (Sep 28)
(Thread continues...)
- Re: 1+2=3, +++ATH0=Old school DoS Brett Glass (Sep 27)