[aprssig] aprsis DOS in Poland, observation

spam8mybrain spam8mybrain at yahoo.com
Mon Sep 7 20:59:52 EDT 2020

We can't ever stop people from being evil; we can only make it more trouble than it's worth to be evil.
My proposal assumes throttling per connection, with a lower throttling rate for the completely compromised passcode authentication than for PKI authentication. That way, Scott's telemetry devices, which shouldn't be sending packets very fast anyway (more than 1 every 10 seconds average would be excessive for that use case) would still work, while the more stringent PKI authentication (much harder to forge) would have a higher throttling threshold. As for multiple attacks from different IP addresses, since only one login per callsign-SSID combination is allowed at a time, multiple IP address hacks would simply disconnect each other, and the low throttling threshold for passcode authentication would make it not worth the attacker's effort.

I also propose that a throttling disconnect (regardless of authentication type) should stop accepting traffic from the throttled connection for 10 seconds before sending the throttled status comment and closing the connection, thereby back-pressuring the offender when it fills up its TCP buffer window (alternatively, the traffic could be read and discarded, so the attacker doesn't get advance notice of the throttling). Also, reconnects from a throttled IP address or callsign-SSID should be rejected for at least 30 seconds.

This shouldn't affect any _legitimate_ APRS-IS user, except for those whose callsigns are being forged by the attackers (much like forged caller-ID with illegal telemarketing). Such poor victims may have trouble getting in until the attacker moves on to another callsign.

We do need to arrange a more global PKI authentication scheme, but any multi-authority system would have to have a means of ensuring that compromised PKI could be revoked (but only by the victim, not by the attacker), and that attackers could not be issued PKI authentication.

Andrew, KA2DDO

-------- Original message --------
From: Patrick <winston at winston1.net> 
Date: 9/7/20  18:06  (GMT-05:00) 
To: Nick VA3NNW <tapr at noseynick.com> 
Cc: TAPR APRS Mailing List <aprssig at lists.tapr.org> 
Subject: Re: [aprssig] aprsis DOS in Poland, observation 

It's not about what you personally have with current dos techniques, it's about exploiting other people who are unaware and often doing something else. Picture it being run as a browser based JavaScript client, either as a direct IP client or easier to exploit might be for servers which support http send ports, because you could then exploit them through an ajax style query which is basic dynamic web programming these days. In either case you would have random people sending packets just from viewing a webpage, and using a thirst trap of some porn images it would be easy to get lots of those happening.

On Mon., Sep. 7, 2020, 5:29 p.m. Nick VA3NNW, <tapr at noseynick.com> wrote:

> Hessu mentioned this already, but rate limits may protect against an
> accidental situation...  but even forcing things right down to 2
> packets per second as mused by Curt, 1500 - 2000 packets per second
> can be done with 750-1000 clients which can be done with unique IPs
> pretty easily meaning there is no way to block it if done on purpose.

If someone has access to 1000 IPs... are these in the same subnet (which 
could be given an aggregated token-bucket of uplink bandwidth), or do 
they already have a botnet that can already DDoS almost anything?

"Nosey" Nick Waterman, VA3NNW/G7RZQ, K2 #5209.
use Std::Disclaimer;    sig at noseynick.net
Modem: How a Southerner asks for seconds...
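The per-connection throttling KA2DDO proposes above, worked through as a small model. This is an added example, not code from this thread or from any APRS-IS server implementation. It takes from the post a token bucket per connection with a lower rate for passcode logins than for PKI logins, the 10 second read-and-discard window before the close, the 30 second reconnect cooldown for both the throttled IP and the throttled callsign-SSID, and the rule that a second login for the same callsign-SSID displaces the first. The packet rates in `RATE_LIMITS`, the callsigns and the addresses are constructed, and the server's socket handling is reduced to one admission decision per inbound line.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Rate limits per authentication type as (sustained packets/s, burst).
# The passcode figures follow the post's "1 every 10 seconds" telemetry
# budget; the PKI figures are a constructed, deliberately higher threshold.
RATE_LIMITS = {
    "passcode": (0.1, 5),
    "pki": (2.0, 20),
}
DRAIN_SECONDS = 10     # after throttling: read and discard, then close
COOLDOWN_SECONDS = 30  # reconnects from a throttled IP or call-SSID refused


@dataclass
class Bucket:
    """Token bucket: tokens refill at `rate` per second up to `burst`."""
    rate: float
    burst: int
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Connection:
    call: str                 # callsign-SSID used at login
    ip: str
    auth: str
    bucket: Bucket
    throttled_at: Optional[float] = None
    closed: bool = False


class Throttle:
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.conns: Dict[str, Connection] = {}   # one login per call-SSID
        self.cooldown: Dict[str, float] = {}     # ip or call -> refuse until

    def connect(self, call: str, ip: str, auth: str) -> Optional[Connection]:
        now = self.clock()
        if any(self.cooldown.get(k, 0.0) > now for k in (call, ip)):
            return None                          # still in cooldown: reject login
        old = self.conns.get(call)
        if old is not None:
            old.closed = True                    # second login displaces the first
        rate, burst = RATE_LIMITS[auth]
        conn = Connection(call, ip, auth, Bucket(rate, burst, float(burst), now))
        self.conns[call] = conn
        return conn

    def packet(self, conn: Connection, raw: bytes) -> str:
        """Admission decision for one inbound line: accept / discard / closed."""
        now = self.clock()
        if conn.closed:
            return "closed"
        if conn.throttled_at is not None:
            if now - conn.throttled_at < DRAIN_SECONDS:
                return "discard"                 # socket stays open, input dropped
            conn.closed = True                   # drain window over: close it
            self.conns.pop(conn.call, None)
            return "closed"
        if conn.bucket.take(now):
            return "accept"
        # Over budget: open the drain window and arm the reconnect cooldown,
        # counted from the moment the connection will actually be closed.
        conn.throttled_at = now
        until = now + DRAIN_SECONDS + COOLDOWN_SECONDS
        for key in (conn.call, conn.ip):
            self.cooldown[key] = max(self.cooldown.get(key, 0.0), until)
        return "discard"


class FakeClock:
    """Constructed clock so the scenario below is deterministic."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def simulate() -> dict:
    """Constructed scenario: telemetry node, flooder, PKI client, duplicate login."""
    clock = FakeClock()
    th = Throttle(clock)
    line = b"N0CALL>APRS,TCPIP*:>constructed test packet"
    out: Dict[str, object] = {}
    tele = th.connect("N0CALL-3", "192.0.2.10", "passcode")
    flood = th.connect("N0CALL-9", "198.51.100.7", "passcode")
    pki = th.connect("N0CALL-1", "203.0.113.5", "pki")
    out["flood"] = [th.packet(flood, line) for _ in range(8)]        # burst then drain
    out["pki_accepted"] = sum(th.packet(pki, line) == "accept" for _ in range(25))
    clock.t = 5.0
    out["flood_in_drain"] = th.packet(flood, line)
    telemetry: List[str] = []
    clock.t = 10.0
    out["flood_closed"] = th.packet(flood, line)
    telemetry.append(th.packet(tele, line))
    clock.t = 20.0
    telemetry.append(th.packet(tele, line))
    out["reconnect_early"] = th.connect("N0CALL-9", "198.51.100.7", "passcode") is not None
    out["new_call_same_ip"] = th.connect("N0CALL-10", "198.51.100.7", "passcode") is not None
    for t in (30.0, 40.0, 50.0, 60.0):
        clock.t = t
        telemetry.append(th.packet(tele, line))
    out["telemetry"] = telemetry
    out["reconnect_after_cooldown"] = th.connect("N0CALL-9", "198.51.100.7", "passcode") is not None
    first = th.connect("N0CALL-5", "192.0.2.20", "passcode")
    th.connect("N0CALL-5", "192.0.2.21", "passcode")
    out["displaced_closed"] = th.packet(first, line)
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running `simulate()` shows the telemetry node, sending one packet every 10 seconds, never losing a packet, while the flooder gets its burst of five, is then read and discarded for 10 seconds, closed, and refused reconnection from both its callsign-SSID and its IP address until the cooldown has passed. The subnet-aggregated bucket Nick mentions would be one more `Bucket` keyed by address prefix and consulted in `packet()` alongside the per-connection one; it is not modelled here.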
