[aprssig] DOS attack on APRS-IS
Heikki Hannikainen
hessu at hes.iki.fi
Sat Feb 26 04:40:22 EST 2022
Last night there were large amounts of pseudorandom position packets
flooded on a rectangular area in Russia. It's just now happened again.
Peaking at 1000-1500 packets per second, the normal rate being below 100/sec. The
traffic spikes are visible on APRS-IS server graphs:
http://first.aprs.net:14501/ (click on the blue stats links to plot a
graph of each)
While it's obvious someone is trying to attack Russian hams, it is mostly
causing trouble to people outside Russia, as the packet flood is breaking
services worldwide. The targeting is completely wrong.
The packet rates were large enough to cause problems for APRS-IS clients
digesting the full APRS-IS feed and pushing those to databases; the APRS-IS
servers themselves seem to handle the packet rate.
I'll filter this out now on aprs.fi to prevent it from hurting the service
for other parts of the world.
APRS activity during the past 24 hours:
https://www.dropbox.com/s/c67f5djy7kx1ul7/aprs-dos-attack-20220226-russia.png?dl=0
What the flooded area looks like right now (if you open this up much later
it'll be gone, and it is also rather heavy on aprs.fi & the web browser):
https://www.dropbox.com/s/l8lcr318zqhvi80/aprs-dos-attack-20220226-russia2.png?dl=0
Raw packets for those look something like this:
https://aprs.fi/?c=raw&call=WI7KWX-10
https://aprs.fi/?c=raw&call=WB69OAJ-3
https://aprs.fi/?c=raw&call=XJ9CZH-87
Similar events have happened in Poland a few times during the past year or
so. This looks fairly similar; messages are in Polish, and Google Translate
will translate them to English just fine.
- Hessu, OH7LZB/AF5QT
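
An added example, not part of the original post and not aprs.fi's actual filter: a consumer-side filter for a client digesting the full feed, which drops position packets from newly seen callsigns inside a bounding box once their rate exceeds a limit. The bounding box, thresholds, callsigns and sample packets are constructed, and only uncompressed APRS positions are parsed.

```python
import random
import re
from collections import deque

# Uncompressed APRS position: DDMM.mmN<symbol table>DDDMM.mmE
POS_RE = re.compile(r"(\d{2})(\d{2}\.\d{2})([NS]).(\d{3})(\d{2}\.\d{2})([EW])")

def parse_position(packet):
    """Return (callsign, lat, lon) for an uncompressed position packet, else None."""
    header, sep, body = packet.partition(":")
    if not sep or ">" not in header or not body or body[0] not in "!=/@":
        return None
    m = POS_RE.match(body, 1 if body[0] in "!=" else 8)  # '/' and '@' carry a 7-char timestamp
    if m is None:
        return None
    lat = (int(m[1]) + float(m[2]) / 60) * (1 if m[3] == "N" else -1)
    lon = (int(m[4]) + float(m[5]) / 60) * (1 if m[6] == "E" else -1)
    return header.split(">", 1)[0], lat, lon

class FloodFilter:
    """Drop position packets from newly seen callsigns inside bbox once their rate exceeds limit."""
    def __init__(self, bbox, limit=20, window=1.0, min_age=3600.0):
        self.bbox, self.limit, self.window, self.min_age = bbox, limit, window, min_age
        self.first_seen = {}   # callsign -> time first heard (a real consumer would expire these)
        self.recent = deque()  # timestamps of recent in-box packets from new callsigns
    def accept(self, ts, packet):
        pos = parse_position(packet)
        if pos is None:
            return True                      # not a position packet: pass through
        call, lat, lon = pos
        established = ts - self.first_seen.setdefault(call, ts) >= self.min_age
        if established or not (self.bbox[0] <= lat <= self.bbox[1] and self.bbox[2] <= lon <= self.bbox[3]):
            return True                      # long-lived station, or outside the flooded area
        while self.recent and ts - self.recent[0] >= self.window:
            self.recent.popleft()
        self.recent.append(ts)
        return len(self.recent) <= self.limit

def demo():
    """Constructed traffic: one long-lived station plus a 1000 packets/s burst of random callsigns."""
    rng, flt = random.Random(1), FloodFilter(bbox=(50.0, 60.0, 30.0, 50.0))  # bbox is made up
    legit = "N0CALL-1>APRS,TCPIP*:!5530.00N/03730.00E-constructed"
    ok, flood = [flt.accept(0.0, legit)], []
    for i in range(500):
        call = "".join(rng.choices("ABCDEFGHJKLMNPQRSTUVWXYZ0123456789", k=6))
        body = f"!{rng.randrange(50, 60)}{rng.randrange(60):02d}.00N/0{rng.randrange(30, 50)}{rng.randrange(60):02d}.00E-"
        flood.append(flt.accept(7200.0 + i / 1000, f"{call}-{rng.randrange(1, 100)}>APRS,TCPIP*:{body}"))
    ok.append(flt.accept(7200.6, legit))
    return ok, flood.count(True), flood.count(False)
```

The trade-off is that a genuinely new station inside the box is also dropped while the burst lasts; stations known for longer than `min_age` keep passing.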