aim-warning-DoS.txt

`Date: Fri, 6 Nov 1998 01:46:17 -0600  
From: [email protected]  
To: [email protected]  
Subject: various *lame* DoS attacks  
  
Aleph,  
  
None of this is as cool as finding buffer overflows in sshd, but it may be  
of interest to some people.  
  
1) DoS attack against people using AOL  
  
This DoS attack comes from a poor implementation of AOL Instant Messenger's  
warn "feature." You'll need to have AIM to create this DoS attack against  
someone using AOL.  
  
How it works:  
  
AOL's Instant Messenger has an option that allows you to "warn" other  
users. If you warn someone who is using Instant Messenger, they are  
notified that they've been warned by another user. What's interesting is  
that you can warn people using AOL, and they will not be notified that  
they've been warned. The warning system is based on percentage, and you  
can only get someone to a maximum of 35%. However, if you sign off the  
Instant Messenger service, and then sign back on, you'll be able to start  
warning them again. (70%) Repeat the log on/off trick, and continue to  
warn your buddy on AOL until they're at 100%. What happens then is that  
they'll be disconnected from AOL if they send more than 1 instant message  
every 10-15 seconds. The AOL person has no idea what has happened to them,  
and when they're booted from the service, the message they receive isn't  
very informative. Lots of fun to be had with this one. (note: you can  
only send as many warnings as messages you receive from a person, so you  
must engage your target in some type of conversation.)  
  
Fix:  
  
1) Don't use AOL  
2) If you use AOL, don't talk to people using Instant Messenger  
  
Has AOL been notified:  
  
Yes, but they didn't sound too interested since all I got back was a  
generic letter.  
  
`