On Sat, Jan 13, 2001 at 03:37:51PM +0100, Helmut Springer wrote:
> On Sat 2001-01-13 (16:22), Michael wrote:
> > complaining that are often under +++ATH0 attack. Is there a way to
> > deny +++ATH0 packets from the AS5300 access servers going to our
> > users? It is difficult to ask all our users to disable AT sessions

> the problem is not anything your access server is sending but your
> user's computer sending the string '+++ATH0' to your user's not
> standard compliant modem.  the standard defines a short pause
> between the '+++' and the 'AT' command to make sure the modem
> doesn't take any random '+++AT' string sent as command.

        Actually, there are two standards, one of which is broken, and one
of which involves the Hayes/Hayward (Haywood?) patent.  The broken standard
is called "TIES" for Time Independent Escape Sequence.  It was an attempt
by modem manufacturers to avoid the Hayward patent.  It was a BAD idea.

> a common way to attack is to send ICMP Echo packets (ping) with the
> string '+++ATH0' inside.  if the user's system answers the packet
> with ICMP Echo Reply (ping answer) it will send back the payload
> inside too and a crappy modem will see '+++ATH0' and hang up.

        It's commonly referred to as TIES bombing.  The "ATH0\r" (and
the \r is required) is the payload that tells the modem to hang up.
You can load just about any single string AT sequence (including dialing
back out) in the payload.  Sometimes, a leading return (prior to the +++)
is also required but I don't recall which modems do this.

> none of your problems I'd say.  anything making your user send this
> contiguous string will make the modem hang up.  It's common in IRC
> to send some message in IRC which a user's client might
> automatically return, same effect.

        Solution is to set the escape register (S2 I think) to 255 or 127
to disable the escape sequence entirely.  Some people have even used a
TIES bomb with the escape sequence of +++ATH0S2=255&W\r to "solve" problems
with some clients who are too dense to figure out how to set the S registers
on their modems.  The sequence will hang up the phone on a vulnerable modem,
write the fix to the S register and then save it to NVRAM.  When the modem
connects back up, it will no longer respond to the command and is no longer
vulnerable to the TIES bomb.  If it's still vulnerable, you then try the
sequence +++ATH0S2=127&W\r to try the other value.  Generally, the first
string will do the trick.  Either the modem uses the 255 or it accepts it
in lieu of 127.  Once in a while you will run into a modem that won't accept
255 to disable the escape sequence.

        Not recommended unless you warn the client FIRST that you are
about to do that!

        I believe that a lot of modems based on some Lucent chip sets are
TIES modems but are not documented or announced as such.

> -- 
> MfG/best regards, helmut springer         The others already seemingly dead,
>                                           you jump onto the podium...
>                                           You're better off, Brille,
>                                           better, much better than the rest.

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
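The thread describes the bomb as an ICMP Echo packet carrying a contiguous '+++AT...' string that a TIES modem executes once the trailing CR arrives. The following is an added example, not code from anyone in this thread: a small detector that parses a minimal ICMP echo header, pulls out the data field, and reports whether it contains such a sequence and whether it is CR-terminated. The header layout is the standard 8-byte ICMP echo header; the checksum is neither computed nor validated, and the packet bytes are constructed for the example.

```python
import re
import struct
from typing import Optional

# A TIES-style modem treats '+++' run straight into an AT command as a command
# line; per the thread, the modem acts on it once a CR (\r) follows.
ESCAPE_RE = re.compile(rb"\+\+\+AT[ -~]*")  # printable ASCII only, so it stops before \r


def icmp_echo_payload(packet: bytes) -> Optional[bytes]:
    """Return the data field of an ICMP Echo Request (type 8) or Echo Reply (type 0).

    Returns None for any other ICMP type or for a truncated header.
    """
    if len(packet) < 8:
        return None
    icmp_type, _code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8):
        return None
    return packet[8:]


def find_modem_escape(packet: bytes) -> Optional[dict]:
    """Report a contiguous '+++AT...' sequence inside an ICMP echo payload.

    The dict gives the matched command and whether a CR terminates it, which is
    what makes a vulnerable modem execute it.  None means nothing suspicious.
    """
    payload = icmp_echo_payload(packet)
    if payload is None:
        return None
    m = ESCAPE_RE.search(payload)
    if m is None:
        return None
    end = m.end()
    return {"command": m.group(0).decode("ascii"),
            "terminated": payload[end:end + 1] == b"\r"}


def build_echo(payload: bytes, icmp_type: int = 8) -> bytes:
    """Build a minimal ICMP echo packet (checksum left at zero; constructed sample)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload


if __name__ == "__main__":
    # Constructed samples: the bomb from the thread, a benign ping, a non-echo ICMP type.
    for name, pkt in [("bomb", build_echo(b"\r+++ATH0\r")),
                      ("benign", build_echo(b"abcdefghijklmnop")),
                      ("unreachable", build_echo(b"+++ATH0\r", icmp_type=3))]:
        print(name, find_modem_escape(pkt))
```

Because the payload is echoed back unchanged, the same check applies to Echo Requests heading toward dial-up users and to the Echo Replies they send out.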
