[aprssig] aprsis DOS in Poland, observation

Patrick winston at winston1.net
Mon Sep 7 21:07:00 EDT 2020


You missed the part about random callsign/passcode generation.  You also
can't disconnect multiple connections from a call when they're using one of
the load balancing schemes since they will likely be connecting to
different servers.

Adding the server side delay would be problematic to user experience, and
likely could be used to crash a server given the right number of threads
being used triggering themselves into the queues...  What you describe is
literally what is done for connection load testing after all.





On Mon., Sep. 7, 2020, 9:00 p.m. spam8mybrain, <spam8mybrain at yahoo.com>
wrote:

> We can't ever stop people from being evil; we can only make it more
> trouble than it's worth to be evil.
>
> My proposal assumes throttling per connection, with a lower throttling
> rate for the completely compromised passcode authentication than for PKI
> authentication. That way, Scott's telemetry devices, which shouldn't be
> sending packets very fast anyway (more than 1 every 10 seconds average
> would be excessive for that use case) would still work, while the more
> stringent PKI authentication (much harder to forge) would have a higher
> throttling threshold.
>
> As for multiple attacks from different IP addresses, since only one login
> per callsign-SSID combination is allowed at a time, multiple IP address
> hacks would simply disconnect each other, and the low throttling threshold
> for passcode authentication would make it not worth the attacker's effort.
>
> I also propose that a throttling disconnect (regardless of authentication
> type) should stop accepting traffic from the throttled connection for 10
> seconds before sending the throttled status comment and closing the
> connection, thereby back-pressuring the offender when it fills up its TCP
> buffer window (alternatively, the traffic could be read and discarded, so
> the attacker doesn't get advance notice of the throttling). Also, reconnects
> from a throttled IP address or callsign-SSID should be rejected for at
> least 30 seconds.
>
> This shouldn't affect any _legitimate_ APRS-IS user, except for those
> whose callsigns are being forged by the attackers (much like forged
> caller-ID with illegal telemarketing). Such poor victims may have trouble
> getting in until the attacker moves on to another callsign.
>
> We do need to arrange a more global PKI authentication scheme, but any
> multi-authority system would have to have a means of ensuring that
> compromised PKI could be revoked (but only by the victim, not by the
> attacker), and that attackers could not be issued PKI authentication.
>
> Andrew, KA2DDO
>
>
>
> -------- Original message --------
> From: Patrick <winston at winston1.net>
> Date: 9/7/20 18:06 (GMT-05:00)
> To: Nick VA3NNW <tapr at noseynick.com>
> Cc: TAPR APRS Mailing List <aprssig at lists.tapr.org>
> Subject: Re: [aprssig] aprsis DOS in Poland, observation
>
> It's not about what you personally have with current dos techniques, it's
> about exploiting other people who are unaware and often doing something
> else. Picture it being run as a browser based JavaScript client, either
> as a direct IP client or easier to exploit might be for servers which
> support http send ports, because you could then exploit them through an
> ajax style query which is basic dynamic web programming these days. In
> either case you would have random people sending packets just from viewing
> a webpage, and using a thirst trap of some porn images it would be easy to
> get lots of those happening.
>
> p
>
> On Mon., Sep. 7, 2020, 5:29 p.m. Nick VA3NNW, <tapr at noseynick.com> wrote:
>
>> > Hessu mentioned this already, but rate limits may protect against an
>> > accidental situation...  but even forcing things right down to 2
>> > packets per second as mused by Curt, 1500 - 2000 packets per second
>> > can be done with 750-1000 clients which can be done with unique IPs
>> > pretty easily meaning there is no way to block it if done on purpose.
>>
>> If someone has access to 1000 IPs... are these in the same subnet (which
>> could be given an aggregated token-bucket of uplink bandwidth), or do
>> they already have a botnet that can already DDoS almost anything?
>>
>> --
>> "Nosey" Nick Waterman, VA3NNW/G7RZQ, K2 #5209.
>> use Std::Disclaimer;    sig at noseynick.net
>> Modem: How a Southerner asks for seconds...
>>
>>
>> _______________________________________________
>> aprssig mailing list
>> aprssig at lists.tapr.org
>> http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org
>>
>
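The throttling proposal quoted above (a per-connection rate limit that is lower for passcode logins than for PKI logins, one login per callsign-SSID at a time, a read-and-discard window before the throttle disconnect, and a reconnect lockout for the throttled IP and callsign-SSID) as an added simulation. This is not code from the list, from Andrew, or from any APRS-IS server; the token-bucket rates, burst sizes, the 10 s and 30 s windows, the callsigns and the addresses are all assumptions chosen for illustration. It deliberately models a single server's state, which is the gap Patrick raises above: nothing here is shared between servers behind a load balancer.

```python
"""Simulation of the throttling proposal: per-connection token bucket with an
authentication-dependent rate, one login per callsign-SSID, a read-and-discard
window before a throttle disconnect, and a reconnect lockout. All numbers,
callsigns and addresses below are assumptions chosen for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed (refill tokens/second, burst) per authentication class.  The thread
# gives only the principle, passcode lower than PKI, not these values.
RATES = {"passcode": (0.1, 6), "pki": (2.0, 20)}
DRAIN_SECONDS = 10.0    # read-and-discard window before closing a throttled connection
LOCKOUT_SECONDS = 30.0  # reconnects rejected for this long after a throttle disconnect


@dataclass
class Connection:
    callsign_ssid: str
    ip: str
    auth: str
    tokens: float
    last: float
    throttled_at: Optional[float] = None
    closed: bool = False
    status: Optional[str] = None  # reason recorded when the server closes it


class Server:
    """One server's view only: the single-login and lockout tables are local,
    which is exactly the gap when clients are load-balanced across servers."""

    def __init__(self) -> None:
        self.conns: dict[str, Connection] = {}
        self.lockout: dict[tuple[str, str], float] = {}  # ("ip"|"call", value) -> expiry

    def _locked(self, now: float, callsign_ssid: str, ip: str) -> bool:
        keys = (("ip", ip), ("call", callsign_ssid))
        return any(self.lockout.get(k, 0.0) > now for k in keys)

    def login(self, now: float, callsign_ssid: str, ip: str, auth: str) -> Optional[Connection]:
        if auth not in RATES or self._locked(now, callsign_ssid, ip):
            return None
        old = self.conns.get(callsign_ssid)
        if old is not None and not old.closed:
            old.closed = True                # one login per callsign-SSID at a time
            old.status = "displaced"
        _, burst = RATES[auth]
        conn = Connection(callsign_ssid, ip, auth, tokens=float(burst), last=now)
        self.conns[callsign_ssid] = conn
        return conn

    def _maybe_close(self, now: float, conn: Connection) -> None:
        if conn.closed or conn.throttled_at is None:
            return
        if now - conn.throttled_at >= DRAIN_SECONDS:
            conn.closed = True               # status comment would be sent here
            conn.status = "throttled"
            until = now + LOCKOUT_SECONDS
            self.lockout[("ip", conn.ip)] = until
            self.lockout[("call", conn.callsign_ssid)] = until

    def packet(self, now: float, conn: Connection) -> str:
        """Handle one inbound packet; returns 'forward', 'discard' or 'closed'."""
        if conn.closed:
            return "closed"
        if conn.throttled_at is not None:    # silently drain, then close
            self._maybe_close(now, conn)
            return "closed" if conn.closed else "discard"
        rate, burst = RATES[conn.auth]
        conn.tokens = min(float(burst), conn.tokens + (now - conn.last) * rate)
        conn.last = now
        if conn.tokens >= 1.0:
            conn.tokens -= 1.0
            return "forward"
        conn.throttled_at = now              # bucket empty: start the drain window
        return "discard"

    def tick(self, now: float) -> None:
        """Close drained connections even if the offender has gone quiet."""
        for conn in list(self.conns.values()):
            self._maybe_close(now, conn)


def scenario() -> dict:
    """Constructed traffic: a passcode flood, a telemetry sender, a PKI burst
    and two logins fighting over one callsign-SSID."""
    s = Server()
    out: dict = {}
    a = s.login(0.0, "N0CALL-1", "198.51.100.10", "passcode")
    out["flood"] = [s.packet(0.0, a) for _ in range(7)]
    out["during_drain"] = s.packet(5.0, a)
    out["after_drain"] = s.packet(10.0, a)
    out["status"] = a.status
    out["same_ip_locked"] = s.login(12.0, "N0CALL-1", "198.51.100.10", "passcode") is None
    out["other_ip_locked"] = s.login(12.0, "N0CALL-1", "203.0.113.5", "passcode") is None
    out["reconnect_ok"] = s.login(41.0, "N0CALL-1", "198.51.100.10", "passcode") is not None
    b = s.login(0.0, "N0CALL-2", "198.51.100.11", "passcode")
    out["telemetry"] = [s.packet(float(t), b) for t in range(0, 600, 10)]  # one per 10 s
    c = s.login(0.0, "N0CALL-3", "198.51.100.12", "pki")
    out["pki_burst"] = [s.packet(0.0, c) for _ in range(15)]
    d = s.login(0.0, "N0CALL-4", "198.51.100.13", "passcode")
    s.login(1.0, "N0CALL-4", "203.0.113.6", "passcode")
    out["displaced"] = (d.status, s.packet(2.0, d))
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The flood from one passcode login is forwarded only up to its burst, then drained silently for the window and closed, after which both the IP and the callsign-SSID are refused for the lockout period; a telemetry sender pacing at one packet per 10 s never drops below a full bucket, and a PKI login gets the larger burst. The second login for N0CALL-4 displaces the first, which is the "multiple IP hacks disconnect each other" behaviour, but only because both landed on this one server.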