[aprssig] UNDEFINED?

Lynn W Deffenbaugh (Mr) KJ4ERJ at arrl.net
Thu Apr 30 12:49:59 EDT 2020


And then there's this change in packets:

> 2020-04-30 12:42:16 EDT: UNDEFINED>APRS,TCPIP*,qAC,T2DENMARK:@301642z193.83N/0986.32Euundefined/V1.0 [Invalid uncompressed location]
> 2020-04-30 12:42:17 EDT: undefined>APRS,TCPIP*,qAS,UNDEFINED:@301642z2056.57N/09725.17Euundefined/V1.0 [Rate limited (< 5 sec)]
> 2020-04-30 12:42:17 EDT: undefined>APRS,TCPIP*,qAS,UNDEFINED:@301642z3143.75N/11641.88Euundefined/V1.0 [Rate limited (< 5 sec)]
> 2020-04-30 12:42:18 EDT: UNDEFINED>APRS,TCPIP*,qAC,T2FRANCE:@301642z1916.39N/09937.08Euundefined/V1.0 [Rate limited (< 5 sec)]

And with that V1.0 hanging out in the comment, it just smells like a new 
client being authored.

Lynn (D) - KJ4ERJ - Author of APRSISCE for Windows Mobile and Win32

On 4/30/2020 12:45 PM, Lynn W Deffenbaugh (Mr) wrote:
> There are many valid APRS stations that use so-called tactical calls 
> that look just like this one, so any attempt at automatic filtering 
> would not be a good idea.
>
> I'm suspecting it may be one new software implementation that is 
> executing on several devices in different locations.  But that's just 
> a guess.  I didn't look at the servers it was coming through, but that 
> can also be explained by a novice coder that is resolving a 
> round-robin DNS, connecting to the server, logging in, sending the 
> packet and dropping the connection rather than keeping it open.
>
> I think if it were an actual DOS attempt, the tracks wouldn't be 
> following roads if you ignore the physics-defying jumps.
>
> Lynn (D) - KJ4ERJ - Author of APRSISCE for Windows Mobile and Win32
>
>
> On 4/30/2020 11:55 AM, spam8mybrain via aprssig wrote:
>> Is it coming from a single client IP address, or do they have a 
>> botnet driving this?
>>
>> Since UNDEFINED is not a valid callsign, can the backbone servers 
>> blacklist this?
>>
>> Perhaps the servers need a patch so that the callsign-SSID has to 
>> look semi-legitimate (digits and letters, part preceding a hyphen 
>> limited to 6 or 7 characters, etc.). Of course, that level of 
>> hardening would be easy for the evil one to work around by just 
>> forging a legitimate callsign. But let's not document it, since 
>> legitimate users would never be hindered by the constraint.
>>
>> Andrew, KA2DDO
>> author of YAAC
>>
>>
>>
>> -------- Original message --------
>> From: John Langner WB2OSZ <wb2osz at comcast.net>
>> Date: 4/30/20 10:49 (GMT-05:00)
>> To: aprssig at lists.tapr.org
>> Subject: [aprssig] UNDEFINED?
>>
>> This looks like a deliberate attack, not an innocent accidental
>> misconfiguration.
>>
>> It appears to be scanning thru a large number of T2 servers, around the
>> world. The location is bouncing all over the place, perhaps to thwart
>> duplicate removal and fill up the database.
>>
>>
>> At http://ontario.aprs2.net:14501/ we find:
>>
>>
>> 187.210.189.241 UNDEFINED true gpserver  corget.cn No filter set 0d1h0m4.17s 121 2,402 7,676 184,425 21 512 0d0h0m4.249s
>>
>> 2400 packets per hour to the Ontario server alone.
>>
>> This might be an attempt at a denial of service attack.
>>
>>
>>
>>
>> _______________________________________________
>> aprssig mailing list
>> aprssig at lists.tapr.org
>> http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org
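The thread contrasts callsign filtering with what the traffic itself shows: a malformed uncompressed position and physics-defying jumps. The following is an added example, not part of the original messages or of any APRS-IS server code, that runs a behavior-based check over the four raw lines quoted above. The 1200 km/h ceiling, the case-insensitive grouping of `UNDEFINED`/`undefined`, and treating same-second packets as one second apart are assumptions of this example.

```python
import math
import re
from datetime import datetime

# The four raw lines quoted in the message (aprs.fi link/status markup and "EDT" removed).
SAMPLE = """\
2020-04-30 12:42:16 UNDEFINED>APRS,TCPIP*,qAC,T2DENMARK:@301642z193.83N/0986.32Euundefined/V1.0
2020-04-30 12:42:17 undefined>APRS,TCPIP*,qAS,UNDEFINED:@301642z2056.57N/09725.17Euundefined/V1.0
2020-04-30 12:42:17 undefined>APRS,TCPIP*,qAS,UNDEFINED:@301642z3143.75N/11641.88Euundefined/V1.0
2020-04-30 12:42:18 UNDEFINED>APRS,TCPIP*,qAC,T2FRANCE:@301642z1916.39N/09937.08Euundefined/V1.0
"""
LINE = re.compile(r"^(\S+ \S+) ([^>]+)>[^:]*:(.*)$")
# Timestamped uncompressed position: @DDHHMMz DDMM.mmN <table> DDDMM.mmE
POS = re.compile(r"^[@/]\d{6}[zh/](\d{2})(\d{2}\.\d{2})([NS]).(\d{3})(\d{2}\.\d{2})([EW])")
MAX_KMH = 1200.0  # assumed plausibility ceiling, chosen for this example

def parse_position(info):
    """Return (lat, lon) in degrees, or None if the fixed-width fields are malformed."""
    m = POS.match(info)
    if not m:
        return None
    lat, lon = int(m[1]) + float(m[2]) / 60, int(m[4]) + float(m[5]) / 60
    return (-lat if m[3] == "S" else lat, -lon if m[6] == "W" else lon)

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def analyze(text):
    """Return one verdict per line; sources are grouped case-insensitively (assumption)."""
    last, verdicts = {}, []
    for line in text.splitlines():
        when, src, info = LINE.match(line).groups()
        t = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        pos, key = parse_position(info), src.upper()
        if pos is None:
            verdicts.append("invalid-position")
            continue
        verdict = "ok"
        if key in last:
            t0, p0 = last[key]
            hours = max((t - t0).total_seconds(), 1.0) / 3600  # same-second packets count as 1 s
            if km_between(p0, pos) / hours > MAX_KMH:
                verdict = "impossible-jump"
        last[key] = (t, pos)
        verdicts.append(verdict)
    return verdicts
```

Because the verdict depends on position format and implied speed rather than on the callsign string, a tactical call that moves plausibly is not flagged by this check.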