[8048] in bugtraq
Re: 1+2=3, +++ATH0=Old school DoS
daemon@ATHENA.MIT.EDU (Ross Wheeler)
Mon Sep 28 12:20:43 1998
Date: Mon, 28 Sep 1998 20:48:08 +1000
Reply-To: Ross Wheeler <rossw@ALBURY.NET.AU>
From: Ross Wheeler <rossw@ALBURY.NET.AU>
X-To: kill9 <kill9@SUCCEED.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSI.3.91.980927235643.13455H-100000@main.succeed.net>
On Mon, 28 Sep 1998, kill9 wrote:
> On Sun, 27 Sep 1998, Brett Glass wrote:
> > Today, it's rare to find a modem that responds to the attack unless there
> > happens to be a long pause in the data stream after the "+++".
> ...
> > Therefore, this DoS attack isn't a big deal. It's easily preventable,
> > rarely effective, and relatively harmless (all you have to do, if it hits,
> > is redial).
> >
> > --Brett Glass
> >
>
> I have tested this out here locally, as well as with the help from a few
> other people online and it seems that 6 of 9 modems have been affected. I
> would hardly call that 'rarely effective', relatively harmless yes, but
> it seems to be a large percentage. I am interested to see more results
> as to how widespread this is.

This was widespread when I was involved in Fidonet. There are two good
cures, depending on the modems you use.

1. Make sure you have a guard time of at least a second.
   Due to licensing restrictions, not all modems implement guard times
   which is why the problem came about in the first place.

2. Change the escape lead-in sequence to something that's NOT "+++"
   Most modems will take any character with a decimal number >128
   as a DISABLE, and will therefore "prevent" this DoS by ensuring
   an on-line modem never gets the escape lead-in in the first place.
   Even if your modem doesn't disable, you can pick some obscure code
   as an escape character. Don't use things that are likely to occur
   in normal use, like " " or "---" etc!

There was an e-mail exploit some time back (12 months or more) that used
exactly the same DoS to hang people's mail, by simply including the
string "+ + + ATH0" (without the spaces) in an e-mail message. When a
vulnerable modem attempted to send the text, it went off-line immediately.

RossW
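
The two cures described in the message above can be checked against a modem init string. This is an added example, not part of the original post: it assumes the standard Hayes register assignments (S2 for the escape character, S12 for the guard time in 1/50 second units), which the post does not name, and the sample init strings are constructed.

```python
import re

# Standard Hayes S-register assignments (assumed; the post does not name them):
#   S2  = escape character code, default 43 ('+')
#   S12 = escape guard time in 1/50 s units, default 50 (one second)
DEFAULTS = {2: 43, 12: 50}
DISABLE_ABOVE = 128          # disable threshold as stated in the post
MIN_GUARD = 50               # "a guard time of at least a second"
COMMON = set(b" -+.,\r\n")   # bytes likely to occur in normal traffic

def parse_s_registers(init_string):
    """Return S2/S12 after applying every Sn=v found in an AT init string.

    Registers the string does not set are assumed to be at their defaults.
    """
    regs = dict(DEFAULTS)
    for reg, val in re.findall(r"S(\d+)=(\d+)", init_string.upper()):
        regs[int(reg)] = int(val)
    return {2: regs[2], 12: regs[12]}

def audit(init_string):
    """Return (verdict, notes) for one init string."""
    regs = parse_s_registers(init_string)
    esc, guard = regs[2], regs[12]
    notes = []
    if esc > DISABLE_ABOVE:
        # Cure 2: the on-line modem never sees an escape lead-in at all.
        return "escape-disabled", notes
    if esc in COMMON or chr(esc).isalnum():
        notes.append("escape character %r occurs in normal traffic" % chr(esc))
    if guard < MIN_GUARD:
        notes.append("guard time %.2fs is under one second" % (guard / 50))
        return "exposed", notes
    # Cure 1 only holds on modems that really implement guard time.
    notes.append("relies on the modem actually implementing guard time")
    return "guard-time-only", notes

# Constructed sample init strings, not taken from any real configuration.
SAMPLES = ["ATZ", "AT&F S12=10", "ATS2=255", "AT S2=126 S12=50"]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-20s %s" % (s, audit(s)))
```

A "guard-time-only" verdict is a statement about the configuration, not the hardware: on a modem that ignores guard time, only the "escape-disabled" setting removes the exposure.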