[aprssig] aprsis DOS in Poland, observation
spam8mybrain at yahoo.com
Mon Sep 7 20:59:52 EDT 2020
We can't ever stop people from being evil; we can only make it more trouble than it's worth to be evil.
My proposal assumes throttling per connection, with a lower throttling rate for the completely compromised passcode authentication than for PKI authentication. That way, Scott's telemetry devices, which shouldn't be sending packets very fast anyway (more than 1 every 10 seconds on average would be excessive for that use case), would still work, while the more stringent PKI authentication (much harder to forge) would have a higher throttling threshold. As for multiple attacks from different IP addresses, since only one login per callsign-SSID combination is allowed at a time, multiple IP address hacks would simply disconnect each other, and the low throttling threshold for passcode authentication would make it not worth the attacker's effort.

I also propose that a throttling disconnect (regardless of authentication type) should stop accepting traffic from the throttled connection for 10 seconds before sending the throttled status comment and closing the connection, thereby back-pressuring the offender when it fills up its TCP buffer window (alternatively, the traffic could be read and discarded, so the attacker doesn't get advance notice of the throttling). Also, reconnects from a throttled IP address or callsign-SSID should be rejected for at least 30 seconds.

This shouldn't affect any _legitimate_ APRS-IS user, except for those whose callsigns are being forged by the attackers (much like forged caller-ID with illegal telemarketing). Such poor victims may have trouble getting in until the attacker moves on to another callsign.

We do need to arrange a more global PKI authentication scheme, but any multi-authority system would have to have a means of ensuring that compromised PKI could be revoked (but only by the victim, not by the attacker), and that attackers could not be issued PKI authentication.

Andrew, KA2DDO
-------- Original message --------
From: Patrick <winston at winston1.net>
Date: 9/7/20 18:06 (GMT-05:00)
To: Nick VA3NNW <tapr at noseynick.com>
Cc: TAPR APRS Mailing List <aprssig at lists.tapr.org>
Subject: Re: [aprssig] aprsis DOS in Poland, observation
> accidental situation... but even forcing things right down to 2
> packets per second as mused by Curt, 1500 - 2000 packets per second
> can be done with 750-1000 clients which can be done with unique IPs
> pretty easily meaning there is no way to block it if done on purpose.
If someone has access to 1000 IPs... are these in the same subnet (which
could be given an aggregated token-bucket of uplink bandwidth), or do
they already have a botnet that can already DDoS almost anything?
"Nosey" Nick Waterman, VA3NNW/G7RZQ, K2 #5209.
use Std::Disclaimer; sig at noseynick.net
Modem: How a Southerner asks for seconds...
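As an added example (not part of this post, and not code from any APRS-IS server), the throttling policy sketched in the message above modelled in Python: a per-connection token bucket with a lower rate for passcode logins than for PKI logins, a 10 s read-and-discard stall before the close, a 30 s reconnect ban keyed by both IP and callsign-SSID, and a single live login per callsign-SSID that displaces the previous one. The class names and the rate and burst constants are assumptions chosen for illustration.

```python
from __future__ import annotations

# Assumed policy constants: the post gives the 10 s stall and 30 s ban; the
# rates and burst sizes are placeholders to show the passcode-vs-PKI gap.
RATE = {"passcode": 0.1, "pki": 2.0}    # sustained packets/second per connection
BURST = {"passcode": 3.0, "pki": 20.0}  # token-bucket capacity (allowed burst)
STALL_SECONDS = 10.0                     # stop reading this long before the close
BAN_SECONDS = 30.0                       # reconnect rejection window

class Connection:
    def __init__(self, ip: str, station: str, auth: str, now: float):
        self.ip, self.station, self.auth = ip, station, auth
        self.tokens, self.last = BURST[auth], now
        self.stalled_at: float | None = None
        self.closed = False

    def on_packet(self, now: float, server: "Server") -> str:
        """Feed one packet arriving at `now`; returns 'ok', 'stalled' or 'closed'."""
        if self.closed:
            return "closed"
        if self.stalled_at is not None:          # throttle already tripped
            if now - self.stalled_at >= STALL_SECONDS:
                self.closed = True               # send status comment and close
                server.ban(self, now)
                return "closed"
            return "stalled"                     # read and discard, no notice yet
        # Refill the bucket at the auth-type rate, then try to spend one token.
        elapsed = now - self.last
        self.tokens = min(BURST[self.auth], self.tokens + elapsed * RATE[self.auth])
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "ok"
        self.stalled_at = now
        return "stalled"

class Server:
    def __init__(self):
        self.bans: dict[str, float] = {}          # ip or station -> ban expiry
        self.logins: dict[str, Connection] = {}   # one live login per station

    def ban(self, conn: Connection, now: float) -> None:
        for key in (conn.ip, conn.station):       # ban both the IP and the callsign-SSID
            self.bans[key] = now + BAN_SECONDS

    def connect(self, ip: str, station: str, auth: str, now: float) -> Connection | None:
        """Accept a login unless ip or station is banned; a second login displaces the first."""
        if any(self.bans.get(k, 0.0) > now for k in (ip, station)):
            return None
        old = self.logins.get(station)
        if old is not None:
            old.closed = True
        conn = Connection(ip, station, auth, now)
        self.logins[station] = conn
        return conn
```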