[8049] in bugtraq
Re: 1+2=3, +++ATH0=Old school DoS
daemon@ATHENA.MIT.EDU (Kevin Day)
Mon Sep 28 12:53:33 1998
Date: Mon, 28 Sep 1998 04:49:14 -0500
Reply-To: Kevin Day <toasty@HOME.DRAGONDATA.COM>
From: Kevin Day <toasty@HOME.DRAGONDATA.COM>
X-To: kill9@SUCCEED.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSI.3.91.980927235643.13455H-100000@main.succeed.net> from
kill9 at "Sep 28, 98 00:02:32 am"
> On Sun, 27 Sep 1998, Brett Glass wrote:
>
> > Today, it's rare to find a modem that responds to the attack unless there
> > happens to be a long pause in the data stream after the "+++".
> ...
> > Therefore, this DoS attack isn't a big deal. It's easily preventable,
> > rarely effective, and relatively harmless (all you have to do, if it hits,
> > is redial).
> >
> > --Brett Glass
> >
>
> I have tested this out here locally, as well as with the help from a few
> other people onlin and it seems that 6 of 9 modems have been affected. I
> would hardly call that 'rarely effective', relatively harmless yes, but
> it seems to be a large percentage. I am interested to see more results
> as too how wide spread this is.
>
> (all tests were done using ping -p 2b2b2b415448300d host )
>
> kill9
>
In doing some testing here on willing victims.... 30% seemed vulnerable with
the ping -p attack.
For IRC users:
//raw NOTICE ToastyMan : $+ $chr(1) $+ PING +++ATH0 $+ $chr(1)
(in mirc)
Also seems to work, and will work through bnc's or whatever proxy you are
going through, since it's part of the irc protocol..... This only worked on
one user though.
So far, A/Open(acer) 56k's were the most common modem that was vulnerable. (3 of
the 6 tested that were vulnerable were using those modems)
I'm working on a 'For Dummies' program that will scan your system for
modems, and ATZ ATS2=255&W Hopefully this'll be fixed. I'll release it
tommorow, and post it here if Aleph doesn't mind.
Kevin Day
DragonData
