[aprssig] DOS attack on APRS-IS

Heikki Hannikainen hessu at hes.iki.fi
Sat Feb 26 04:40:22 EST 2022


Last night there were large amounts of pseudorandom position packets 
flooded on a rectangular area in Russia. It's just now happened again. 
Peaking 1000-1500 packets per second, normal rate being below 100/sec. The 
traffic spikes are visible on APRS-IS server graphs:

http://first.aprs.net:14501/ (click on the blue stats links to plot a 
graph of each)

While it's obvious someone is trying to attack Russian hams, it is mostly 
causing trouble to people outside Russia, as the packet flood is breaking 
services worldwide.  The targeting is completely wrong.

The packet rates were large enough to cause problems to APRS-IS clients 
digesting the full APRS-IS feed and pushing those to databases; the APRS-IS 
servers themselves seem to handle the packet rate.

I'll filter this out now on aprs.fi to prevent it from hurting the service 
for other parts of the world.

APRS activity during past 24 hours:
https://www.dropbox.com/s/c67f5djy7kx1ul7/aprs-dos-attack-20220226-russia.png?dl=0

What the flooded area looks like right now (if you open this up much later 
it'll be gone, and it is also rather heavy on aprs.fi & the web browser):
https://www.dropbox.com/s/l8lcr318zqhvi80/aprs-dos-attack-20220226-russia2.png?dl=0

Raw packets for those look something like this:

https://aprs.fi/?c=raw&call=WI7KWX-10
https://aprs.fi/?c=raw&call=WB69OAJ-3 
https://aprs.fi/?c=raw&call=XJ9CZH-87

Similar events have happened in Poland a few times during the past year or 
so. This looks fairly similar; messages are in Polish, Google Translate 
will translate them to English just fine.

   - Hessu, OH7LZB/AF5QT
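
Added example, not part of the original post and not aprs.fi's code: one way a client that digests the full feed could spot the pattern described above, a burst of position packets from one-off callsigns inside a small area, before pushing them to a database. The 1-degree grid, the thresholds and the sample packets are assumptions constructed for illustration.

```python
import math
import re
from collections import defaultdict, deque

# Uncompressed APRS position report: type char, optional 7-char timestamp,
# DDMM.hhN, symbol table char, DDDMM.hhE. Compressed and Mic-E are not handled.
POS_RE = re.compile(
    r"^(?P<src>[^>]+)>[^:]*:[!=/@](?:\d{6}[zh/])?"
    r"(?P<lat>\d{4}\.\d{2})(?P<ns>[NS]).(?P<lon>\d{5}\.\d{2})(?P<ew>[EW])")

def parse_position(line):
    """Return (source, lat, lon) in decimal degrees, or None if not a position."""
    m = POS_RE.match(line)
    if not m:
        return None
    lat = int(m["lat"][:2]) + float(m["lat"][2:]) / 60
    lon = int(m["lon"][:3]) + float(m["lon"][3:]) / 60
    return (m["src"], -lat if m["ns"] == "S" else lat,
            -lon if m["ew"] == "W" else lon)

class FloodDetector:
    """Flags 1x1 degree cells whose packet rate is high AND mostly one-off senders."""
    def __init__(self, window=1.0, max_rate=100.0, min_unique=0.9):  # assumed limits
        self.window, self.max_rate, self.min_unique = window, max_rate, min_unique
        self.cells = defaultdict(deque)  # cell -> deque of (time, source)

    def feed(self, now, line):
        """Record one packet; return its cell if that cell is flooding, else None."""
        pos = parse_position(line)
        if pos is None:
            return None
        src, lat, lon = pos
        cell = (math.floor(lat), math.floor(lon))
        q = self.cells[cell]
        q.append((now, src))
        while q[0][0] <= now - self.window:  # drop entries older than the window
            q.popleft()
        rate = len(q) / self.window
        unique = len({s for _, s in q}) / len(q)
        return cell if rate > self.max_rate and unique >= self.min_unique else None

def constructed_packets(n, fixed_source=None):
    """Constructed sample input: n position packets inside one cell, 1 ms apart."""
    for i in range(n):
        src = fixed_source or f"T{i:05d}-1"  # made-up callsigns, not real stations
        yield i / 1000, f"{src}>APRS,TCPIP*:!1230.{i % 100:02d}N/04530.{i % 100:02d}E>test"
```

Requiring both a high rate and a high share of distinct senders keeps a single station that beacons too often in one cell from being treated as a flood.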
