[aprssig] aprsis DOS in Poland, observation
tapr at noseynick.com
Mon Sep 7 14:50:15 EDT 2020
Scott Miller wrote:
> Please have mercy on us embedded implementers! PKI support would be
> fine, as long as there's some other solution available for devices
> that don't have the resources for asymmetric cryptography. A
> pre-shared key, maybe, with any required crypto functions based on
> something with low computational requirements like XXTEA.
THIS. My guess is a fair solution would be something like:
Connect with today's 4-to-5-digit passcode and you can connect but get
your uplink rate-limited to something that's probably perfectly
reasonable for embedded implementers, probably even "normal" RF igates,
but won't allow you to paint poland with profanity
Connect with Mutual TLS (LotW cert *OR* similar "proof you are a ham"
from other national / international licensing bodies PLEASE) and you get
a whole lot more uplink bandwidth, much more suitable for running
high-bandwidth igates or popular APRS services. You probably COULD paint
poland, or at least draw a few scribbles on it, but would be a great way
to get your cert revoked / added to the "deny" list until you can get it
replaced. On the assumption that some hams DO get hacked, but also
recognising that some idiots CAN surprisingly get a ham license... Maybe
a "3 strikes and you're out" rule or something?
Connect with Mutual TLS (cert from / signed by "the backbone people"
when you offered to host a backbone node) and you get all the uplink
bandwidth you could can eat, FAR too much for RF, could definitely paint
poland, BUT you'd get yourself banned from the backbone until your
clearly-hacked cert can be replaced.
PROBABLY no reason to limit DOWNLINK bandwidth? You can / will obviously
use filtered downlink (or no downlink) for embedded applications and/or
RF igates, and I'm not (yet) aware of any way it can be (ab)used for DoS
except possibly DoSing your own downlink?
I have somewhat assumed TCP above. UDP? "Discuss". Mutual DTLS?
HTTP and some of the other submission protocols? "Discuss"
OK, how about RF? Safe to assume you're already rate-limited enough
and/or DF-able enough?
73, Nick VA3NNW
"Nosey" Nick Waterman, VA3NNW/G7RZQ, K2 #5209.
use Std::Disclaimer; sig at noseynick.net
Xerox does it again and again and again and ...
More information about the aprssig