TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
> TIES was an effort by a number of modem manufacturers
> to avoid the Hayes / Haywood (maybe it was Hayward -
> I never remember quite right from THAT long ago) patent
> on the <delay>+ + +<delay> escape to command mode
> for AT command set modems. The key to the patent was the
> <delay>.
I'm also an old fart who remembers this stuff, and it was Dale Heatherington
who was the inventor on the patent. They used to call it the "Heatherington
'302" patent because the last three digits are 302.
For those interested, the patent is US 4,549,302. You can read it online at
either of these two URL's. (Each of these should be all on one line).
<http://www.delphion.com/details?pn=US04549302__>
<http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1
&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='4549302'.WKU.&OS=PN/4549302&RS=PN/
4549302>
Since this patent was granted in October of 1985, it should be coming up on
its expiration soon.
> Sorry for the problem that some of you have been
> experiencing and sorry for inflicting this little
> off-topic history lesson on everyone.
It's not really off topic. It's a good reminder that even seemingly
non-security related features of various products we use can end up having a
security implication.
=====================================
MY PHONE NUMBERS HAVE CHANGED! PLEASE MAKE NOTE OF THE NEW ONES BELOW.
=====================================
Tim Farley
Senior Researcher
Internet Security Systems
[EMAIL PROTECTED]
(404) 236-2600
http://www.iss.net
Internet Security Systems - The Power to Protect
=====================================
> TIES was an effort by a number of modem manufacturers
> to avoid the
> Hayes / Haywood (maybe it was Hayward - I never remember
> quite right from
> THAT long ago) patent on the <delay>+ + +<delay> escape to
> command mode
> for AT command set modems. The key to the patent was the
> <delay>. TIES
> manufacturers eliminated the delay and, thus, did NOT have to
> pay royalties
> on the patent. It also mean that, given the right conditions, their
> modems would jump into command mode when receiving a simple "+ + +" in
> the data stream. For some manufacturers, it was a "\r+ + +"
> while some
> required a "+ + +\r", the message in question hit both.
>
> (Note: I'm spacing out the pluses just to be sure I don't trip
> over some REALLY lame TIES modem. :-) )
>
> During the TIES wars, many years ago, some Hayes employees were
> known to include "+ + +ATH0" on a separate line (providing
> both leading and
> trailing newlines) in all of their USENET mail postings and
> E-Mail messages.
> Needless to say, this caused widespread random mayhem and
> didn't enhance
> the reputation of either Hayes nor the modem manufactures one bit.
>
> Now... Here is why I'm subjecting everyone to this little
> history lession...
>
> I recently (about 6 months ago) had an incident with some chumps
> "TIES bombing" an entire ISP. They were flood pinging his
> netblock with
> ICMP echo packets containing "\r+ + +ATH0\r" in the payload.
> What would
> happen was that, when a customer would connect in and get an
> IP address,
> the first ping would cause the ISP's (the outbound) modem to jump into
> command mode and then hang up the phone (they could create even MORE
> mayhem by issuing dial commands in the payload - think about it). The
> ISP was at a total loss trying to figure out why all his PPP dialins
> where hanging up within seconds of connecting till I
> suggested looking at
> this old problem. That was it. All of their banks of modems
> were TIES
> modems. They had to set the escape character to 255 or 127
> to disable the
> escape. But that only fixed SOME of the connections. Some
> customers were
> still broken! The answer was simple! The echo packet was
> getting through
> and being echoed back. Then the customer's modem
> (transmitting back to the
> ISP) would see the + + +ATH0 and jump into command mode and
> hang up the
> phone. Both ends of the link had to be fixed to prevent TIES bombing.
>
> Even some high speed devices, such as ISDN modems, may be
> vulnerable to this problem.
>
> Everyone who was experiencing the duplicate message problem may
> be vulnerable to exactly this style of TIES bombing! This
> can turn into
> a real annoying denial of service attack that is real
> difficult to track
> down and trouble shoot. I can not tell from here, where the faulty
> modems are. They are out there, though.
>
> If you can identify the modems (they may be yours, the ISP you
> connect to, or some other link) here are some recommendations to
> implement or pass along...
>
> Disable the TIES escape recognition by setting the TIES escape
> character (S2 register) to the "disabled" value (127 for most modems,
> 255 for some modems). This value can then be written out to the NVRAM
> of the modem.
>
> To guard against modems being reset back to the factory defaults
> (which would include setting S2=43, the '+' character) any
> software which
> manipulates the modem at the "AT" command level should also
> included the
> string "S2=127" or "S2=255", as appropriate for the modem, in the
> initialization sequence. This should be done for dial in
> initialization
> as well as dial out initialization.
>
> The Time Independent Escape Sequence (TIES) was
> developed as a way
> around patents held by Hayes Microcomputer Products back in
> the days when
> dominant connections were interactive and little binary data was being
> passed over the modems.
>
> TIES is a old technology which is intrinsicly incompatible with
> modern IP connected links with binary data, compressed data,
> or encryted
> data. It's subject to a variety of failures due to hostile action or
> just plain bad luck. All TIES modems, at both ends of IP
> dial-in connections
> need to have the TIES sequence disabled. Unfortunately, too
> many modern
> modems still support and operate with TIES.
>
>
> Sorry for the problem that some of you have been
> experiencing and
> sorry for inflicting this little off-topic history lesson on everyone.
>
> Back to your regularly scheduled programming... :-)
>
> Regards,
> Mike
> ISS Forum Moderator
> --
> Michael H. Warfield, | Voice: (404)236-2807
> Senior Researcher - X-Force | Main: (404)236-2600
> Internet Security Systems, Inc. | E-Mail: [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 6303 Barfield Road | http://www.iss.net/
> Atlanta, Georgia 30328 | http://www.wittsend.com/mhw/
> | PGP Key: 0xDF1DD471
>
