[aprssig] UNDEFINED?

Lynn W Deffenbaugh (Mr) KJ4ERJ at arrl.net
Thu Apr 30 12:45:19 EDT 2020


There are many valid APRS stations that use so-called tactical calls 
that look just like this one, so any attempt at automatic filtering 
would not be a good idea.

I'm suspecting it may be one new software implementation that is 
executing on several devices in different locations.  But that's just a 
guess.  I didn't look at the servers it was coming through, but that can 
also be explained by a novice coder that is resolving a round-robin DNS, 
connecting to the server, logging in, sending the packet and dropping 
the connection rather than keeping it open.

I think if it were an actual DOS attempt, the tracks wouldn't be 
following roads if you ignore the physics-defying jumps.

Lynn (D) - KJ4ERJ - Author of APRSISCE for Windows Mobile and Win32


On 4/30/2020 11:55 AM, spam8mybrain via aprssig wrote:
> Is it coming from a single client IP address, or do they have a botnet 
> driving this?
>
> Since UNDEFINED is not a valid callsign, can the backbone servers 
> blacklist this?
>
> Perhaps the servers need a patch so that the callsign-SSID has to look 
> semi-legitimate (digits and letters, part preceding a hyphen limited 
> to 6 or 7 characters, etc.). Of course, that level of hardening would 
> be easy for the evil one to work around by just forging a legitimate 
> callsign. But let's not document it, since legitimate users would 
> never be hindered by the constraint.
>
> Andrew, KA2DDO
> author of YAAC
>
>
>
> -------- Original message --------
> From: John Langner WB2OSZ <wb2osz at comcast.net>
> Date: 4/30/20 10:49 (GMT-05:00)
> To: aprssig at lists.tapr.org
> Subject: [aprssig] UNDEFINED?
>
> This looks like a deliberate attack, not an innocent accidental
> misconfiguration.
>
> It appears to be scanning thru a large number of T2 servers, around the
> world. The location is bouncing all over the place, perhaps to thwart
> duplicate removal and fill up the database.
>
>
> At  http://ontario.aprs2.net:14501/   we find:
>
>
> 187.210.189.241 UNDEFINED true gpserver  corget.cn No filter set 0d1h0m4.17s 121 2,402 7,676 184,425 21 512 0d0h0m4.249s
>
> 2400 packets per hour to the Ontario server alone.
>
> This might be an attempt at a denial of service attack.
>
>
>
>
> _______________________________________________
> aprssig mailing list
> aprssig at lists.tapr.org
> http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org
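
The thread contrasts tracks that follow roads with "physics-defying jumps"; that distinction can be measured by splitting one callsign's fixes into physically continuous tracks. This is an added example, not code from any poster in the thread or from any APRS-IS server; the function names, the 200 km/h ceiling and the sample fixes are constructed assumptions.

```python
import math
from datetime import datetime

MAX_KMH = 200.0  # assumed ceiling for a road vehicle; tune for your traffic

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    (lat1, lon1), (lat2, lon2) = a, b
    p1, p2 = math.radians(lat1), math.radians(lat2)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def reachable(prev, cur, max_kmh):
    """True if fix `cur` could follow fix `prev` without exceeding max_kmh."""
    hours = (cur[0] - prev[0]).total_seconds() / 3600.0
    return hours > 0 and haversine_km(prev[1], cur[1]) <= max_kmh * hours

def split_tracks(reports, max_kmh=MAX_KMH):
    """Group one callsign's fixes into physically continuous tracks.

    Each fix joins the nearest track it can reach; otherwise it starts a new one.
    """
    tracks = []
    for ts, lat, lon in sorted(reports):
        cur = (datetime.fromisoformat(ts), (lat, lon))
        fits = [t for t in tracks if reachable(t[-1], cur, max_kmh)]
        if fits:
            min(fits, key=lambda t: haversine_km(t[-1][1], cur[1])).append(cur)
        else:
            tracks.append([cur])
    return tracks

def count_jumps(reports, max_kmh=MAX_KMH):
    """Number of consecutive fix pairs that imply an impossible speed."""
    fixes = [(datetime.fromisoformat(ts), (lat, lon)) for ts, lat, lon in sorted(reports)]
    return sum(not reachable(p, c, max_kmh) for p, c in zip(fixes, fixes[1:]))

# Constructed sample: two senders sharing one callsign, interleaved in time.
SAMPLE = [
    ("2020-04-30T14:00:00", 43.6500, -79.3800),
    ("2020-04-30T14:00:30", 19.4300, -99.1300),
    ("2020-04-30T14:01:00", 43.6550, -79.3800),
    ("2020-04-30T14:01:30", 19.4350, -99.1300),
    ("2020-04-30T14:02:00", 43.6600, -79.3800),
    ("2020-04-30T14:02:30", 19.4400, -99.1300),
]
```

A small number of long continuous tracks under one callsign is consistent with several devices sharing a name, while one track per fix is consistent with scattered positions.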

