File: 274.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (71 lines) | stat: -rw-r--r-- 1,535 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
Rule:

--
Sid:
274

--
Summary:
This event is generated when an attempt is made to issue a Denial of Service attack that works against some modems.

--
Impact:
The system may be disconnected from it's dial-up connection.

--
Detailed Information:
An ICMP Echo Request is sent to a target system with a payload that
includes "+++ath".  The "+++" is an attention sequence that allows a
user to enter commands to the modem.  "ath" is the modem hangup command.
An ICMP Echo Reply includes the same payload as the associated request.
On some modems, when the machine tries to reply to this packet, "+++ath"
will be interpreted as a command and the modem will hangup.  The remote
address can be spoofed.

--
Affected Systems:
unknown

--
Attack Scenarios:
A user can remotely cause a modem to disconnect.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Set a guard time on the modem. Contact the modem manufacturer for
details. A guard time will cause the modem to wait after receiving
"+++". Any further input during this wait, including "ath", will be 
disregarded. 

--
Contributors:
Original Rule Writer Unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>

--
Additional References:

Arachnids:
http://www.whitehats.com/info/IDS264

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-1999-1228

Security Focus:
http://www.securityfocus.com/archive/1/10706

--