Date: Fri, 6 Nov 1998 01:46:17 -0600
From: owner-bugtraq@netspace.org
To: BUGTRAQ@netspace.org
Subject: various *lame* DoS attacks

Aleph,

None of this is as cool as finding buffer overflows in sshd, but it may be
of interest to some people.

1)  DoS attack against people using AOL

This DoS attack comes from a poor implementation of AOL Instant Messenger's
warn "feature."  You'll need to have AIM to create this DoS attack against
someone using AOL.

How it works:

AOL's Instant Messenger has an option that allows you to "warn" other
users.  If you warn someone who is using Instant Messenger, they are
notified that they've been warned by another user.  What's interesting is
that you can warn people using AOL, and they will not be notified that
they've been warned.  The warning system is based on percentage, and you
can only get someone to a maximum of 35%.  However, if you sign off the
Instant Messenger service, and then sign back on, you'll be able to start
warning them again. (70%)  Repeat the log on/off trick, and continue to
warn your buddy on AOL until they're at 100%.  What happens then is that
they'll be disconnected from AOL if they send more than 1 instant message
every 10-15 seconds.  The AOL person has no idea what has happened to them,
and when they're booted from the service, the message they receive isn't
very informative.  Lots of fun to be had with this one.  (note: you can
only send as many warnings as messages you receive from a person, so you
must engage your target in some type of conversation.)

Fix:

1) Don't use AOL
2) If you use AOL, don't talk to people using Instant Messenger

Has AOL been notified:

Yes, but they didn't sound too interested since all I got back was a
generic letter.