[aprssig] aprsis DOS in Poland, observation

Heikki Hannikainen hessu at hes.iki.fi
Sat Sep 5 04:18:13 EDT 2020


On Fri, 4 Sep 2020, Bill Vodall wrote:

> Is aprs-is under a Denial of Services attack by jankesi and others?
> Looks like multiple packets arriving every second.

The packet rate during the DOS abuse event last night was some 1500-1700 
packets per second at peak.

https://www.dropbox.com/s/tztvaup286vzwnb/aprsfi-polish-abuse-20200904-traffic.png?dl=0

Some APRS-IS clients on the full feed could not take this traffic (too 
slow to process, or too slow network, buffers fill up) and got 
disconnected. As a network traffic rate, it was only around 1.4 Mbit/s 
though. Due to a bug, the two APRS-IS data aggregator aprsc instances at 
aprs.fi crashed too, leaving aprs.fi without a data feed.

This is how it looked on the map, screenshot courtesy of Mateusz Szyper 
on the aprs.fi discussion group:

https://www.dropbox.com/s/5wbjtttkkw1munh/aprs-polish-abuse-20200904-map.jpg?dl=0

And here are a few sample packets, showing what the randomly generated 
packets looked like. The coordinates are random, in Poland, with the 
clear intention of polluting the map fully.

2020-09-04 19:48:27 EEST: CI37PA>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5031.68N\01844.35EZ jeszcze nie dojrzalem.
2020-09-04 19:48:46 EEST: CI371PY-3>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5248.72N/01933.83EX sie draznic z ludzmi.
2020-09-04 19:45:58 EEST: CI37PA-21>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5411.38N\01600.85E-2 Jebane kurwy cebulaki.
2020-09-04 19:48:56 EEST: CI37PA-20>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5051.97N/01543.24Eb masz, masz.
2020-09-04 19:49:26 EEST: CI37PA-88>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5002.85N/02147.17Ec pomarancza kurwo niebieska.

Here's more: each source callsign emitted packets at random coordinates 
with comments from some pool of (obscene) text, so you can just pick one 
call and watch:

https://aprs.fi/?c=raw&limit=&call=CI37PA-9

I haven't looked at a large data set yet; these samples were from a very 
small set of a thousand packets that I took a quick look at now. These 
packets were injected using an igate call of SQ6KPO-1 but there's no 
reason why that could not be a random call in the future. Also, it would 
be *very* unlikely that SQ6KPO is the callsign of the person doing this 
abuse - it is more likely that the intention is to abuse him by using his 
callsign.

It's easy to write a client to do this kind of abuse, and easy to improve 
it (make more things random), and after that it's quite difficult to fully 
filter.

This is just to describe what happened, and what you should expect to see 
in the future. We've been lucky to have very little abuse and DOS attacks 
so far.

   - Hessu
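The message above describes the flood only in prose and sample lines. As an added example (not code from the original post, aprs.fi or aprsc), the script below parses APRS-IS raw lines in the format shown in the message, pulls out the source callsign, the igate named after the q-construct and the uncompressed position, and then counts packets and distinct source callsigns per igate in fixed time windows. Three of the sample packets from the message are embedded as test input; the burst lines, the igate callsign IGATE-1, the TEST source callsigns, and the alert thresholds (20 packets or 10 distinct sources per 10-second window) are constructed assumptions for illustration, not values from the message.

```python
"""Parse APRS-IS raw lines and flag per-igate floods (added example, not from the post)."""
import re
from collections import defaultdict
from datetime import datetime

# Raw-line format as displayed by aprs.fi: "YYYY-MM-DD HH:MM:SS TZ: SRC>DST,PATH:PAYLOAD"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+: "
    r"(?P<src>[A-Za-z0-9-]+)>(?P<dst>[A-Za-z0-9-]+)(?:,(?P<path>[^:]*))?:(?P<payload>.*)$"
)
# Uncompressed APRS position: '=' or '!' then DDMM.mmN, symbol table, DDDMM.mmE, symbol code.
POS_RE = re.compile(
    r"^[=!](?P<lat>\d{4}\.\d{2})(?P<ns>[NS])(?P<tbl>.)(?P<lon>\d{5}\.\d{2})(?P<ew>[EW])(?P<sym>.)"
)
# APRS-IS q-constructs; the path element after one of these names the injecting server/igate.
Q_CONSTRUCTS = {"qAC", "qAR", "qAO", "qAo", "qAS", "qAI", "qAU", "qAX", "qAZ"}

# Sample lines taken from the message (raw strings: the payload contains a backslash).
PAGE_SAMPLES = [
    r"2020-09-04 19:48:27 EEST: CI37PA>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5031.68N\01844.35EZ jeszcze nie dojrzalem.",
    r"2020-09-04 19:48:46 EEST: CI371PY-3>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5248.72N/01933.83EX sie draznic z ludzmi.",
    r"2020-09-04 19:48:56 EEST: CI37PA-20>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5051.97N/01543.24Eb masz, masz.",
]


def _dm_to_deg(value, hemi, deg_digits):
    """Convert APRS DDMM.mm / DDDMM.mm to signed decimal degrees."""
    deg = int(value[:deg_digits])
    minutes = float(value[deg_digits:])
    dec = deg + minutes / 60.0
    return -dec if hemi in "SW" else dec


def parse_line(line):
    """Return a dict with timestamp, source, igate and position, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    path = m.group("path").split(",") if m.group("path") else []
    igate = None
    for i, hop in enumerate(path):
        if hop in Q_CONSTRUCTS and i + 1 < len(path):
            igate = path[i + 1]
            break
    lat = lon = None
    p = POS_RE.match(m.group("payload"))
    if p:
        lat = _dm_to_deg(p.group("lat"), p.group("ns"), 2)
        lon = _dm_to_deg(p.group("lon"), p.group("ew"), 3)
    return {"ts": ts, "src": m.group("src"), "igate": igate,
            "lat": lat, "lon": lon, "payload": m.group("payload")}


def flood_alerts(lines, window_s=10, max_pkts=20, max_sources=10):
    """Bucket packets per (igate, time window); alert when a window exceeds either threshold.

    Thresholds are illustrative assumptions; tune them against a real feed's baseline.
    Many distinct source callsigns through one igate in a short window is the signal
    the message describes (random calls injected via a single igate call)."""
    buckets = defaultdict(lambda: {"n": 0, "srcs": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["igate"] is None:
            continue
        slot = int(rec["ts"].timestamp()) // window_s
        b = buckets[(rec["igate"], slot)]
        b["n"] += 1
        b["srcs"].add(rec["src"])
    alerts = []
    for (igate, slot), b in sorted(buckets.items()):
        if b["n"] > max_pkts or len(b["srcs"]) > max_sources:
            alerts.append({"igate": igate, "window_start": slot * window_s,
                           "packets": b["n"], "sources": len(b["srcs"])})
    return alerts


def constructed_burst(n=30):
    """Constructed test input: n packets from n placeholder callsigns via one igate in one second."""
    return [
        "2020-09-04 19:50:00 EEST: TEST%d>APDR16,WIDE3-3,qAC,IGATE-1:=5200.00N/02100.00E- constructed sample" % i
        for i in range(n)
    ]


if __name__ == "__main__":
    for a in flood_alerts(PAGE_SAMPLES + constructed_burst()):
        print("flood from igate %(igate)s: %(packets)d packets, %(sources)d sources" % a)
```

The three packets from the message fall into separate windows and raise no alert; the constructed burst trips both thresholds in one window. On a live full feed the same bucketing gives the per-igate view that distinguishes one injector from ordinary traffic, which is the first step before deciding whether to filter by igate call or by source pattern.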