Bugtraq mailing list archives

Re: 1+2=3, +++ATH0=Old school DoS


From: rossw () ALBURY NET AU (Ross Wheeler)
Date: Mon, 28 Sep 1998 20:48:08 +1000


On Mon, 28 Sep 1998, kill9 wrote:
> On Sun, 27 Sep 1998, Brett Glass wrote:
> > Today, it's rare to find a modem that responds to the attack unless there
> > happens to be a long pause in the data stream after the "+++".
> > ...
> > Therefore, this DoS attack isn't a big deal. It's easily preventable,
> > rarely effective, and relatively harmless (all you have to do, if it hits,
> > is redial).
> >
> > --Brett Glass
>
> I have tested this out here locally, as well as with the help from a few
> other people online, and it seems that 6 of 9 modems have been affected. I
> would hardly call that 'rarely effective', relatively harmless yes, but
> it seems to be a large percentage.  I am interested to see more results
> as to how widespread this is.

This was widespread when I was involved in Fidonet. There are two good
cures, depending on the modems you use.

1. Make sure you have a guard time of at least a second.
   Due to licensing restrictions, not all modems implement guard times
   which is why the problem came about in the first place.
2. Change the escape lead-in sequence to something that's NOT "+++".
   Most modems will take any character with a decimal number >128
   as a DISABLE, and will therefore "prevent" this DoS by ensuring
   an on-line modem never gets the escape lead-in in the first place.
   Even if your modem doesn't disable, you can pick some obscure code
   as an escape character. Don't use things that are likely to occur
   in normal use, like "   " or "---" etc!

There was an e-mail exploit some time back (12 months or more) that used
exactly the same DoS to hang people's mail, by simply including the
string "+ + + ATH0" (without the spaces) in an e-mail message. When a
vulnerable modem attempted to send the text, it went off-line immediately.

RossW
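
A check for the two cures listed above, as an added example that is not part of the original post: it reads a modem init string and reports whether the guard time is under a second or the escape character is still "+" or another common character. The register numbers S2 (escape character) and S12 (guard time in 1/50 s units) follow the Hayes convention and are an assumption, since the post does not name them; the init strings are constructed samples.

```python
import re

# Hayes-convention S-registers (assumed; the post does not name them):
#   S2  = escape character code (default 43, "+")
#   S12 = escape guard time in 1/50 s units (default 50 = 1 second)
DEFAULTS = {2: 43, 12: 50}
S_SET = re.compile(r"S(\d+)=(\d+)", re.IGNORECASE)
COMMON_CHARS = {ord(" "), ord("-")}   # the post's examples of bad choices

# Constructed sample init strings, not taken from any real deployment.
SAMPLES = {
    "factory": "AT&F",
    "weak": "ATS12=10 S2=45",
    "hardened": "AT&FS2=255S12=50",
}


def effective_registers(init_string):
    """Apply every Sn=v assignment in an AT init string over the defaults."""
    regs = dict(DEFAULTS)
    for reg, val in S_SET.findall(init_string):
        regs[int(reg)] = int(val)   # later assignments win, as on the modem
    return regs


def audit_init_string(init_string):
    """Return findings for the two cures in the post; an empty list means OK."""
    regs = effective_registers(init_string)
    findings = []
    guard_seconds = regs[12] / 50.0
    if guard_seconds < 1.0:
        findings.append("guard time %.2fs is under one second" % guard_seconds)
    esc = regs[2]
    if esc > 128:
        pass  # post: codes above 128 are taken as "escape disabled"
    elif esc == ord("+"):
        findings.append("escape character is still '+'")
    elif esc in COMMON_CHARS:
        findings.append("escape character %r occurs in normal traffic" % chr(esc))
    return findings


if __name__ == "__main__":
    for name, init in SAMPLES.items():
        print(name, init, audit_init_string(init) or "OK")
```

A passing guard-time value only helps on modems that implement guard times, which the post notes not all do, so the escape-character setting is the one to rely on.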


