<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">There are many valid APRS stations that
use so-called tactical calls that look just like this one, so any
attempt at automatic filtering would not be a good idea.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I'm suspecting it may be one new
software implementation that is executing on several devices in
different locations. But that's just a guess. I didn't look at
the servers it was coming through, but that can also be explained
by a novice coder that is resolving a round-robin DNS, connecting
to the server, logging in, sending the packet and dropping the
connection rather than keeping it open.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I think if it were an actual DoS
attempt, the tracks wouldn't be following roads if you ignore the
physics-defying jumps.</div>
<div class="moz-cite-prefix"><br>
</div>
Lynn (D) - KJ4ERJ - Author of APRSISCE for Windows Mobile and Win32
<br>
<div class="moz-signature"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 4/30/2020 11:55 AM, spam8mybrain via
aprssig wrote:<br>
</div>
<blockquote type="cite"
cite="mid:rx15et94h0on1b92w3tfi9av.1588262118599@email.android.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Is it coming from a single client IP address, or do they have a
botnet driving this?
<div><br>
</div>
<div>Since UNDEFINED is not a valid callsign, can the backbone
servers blacklist this?</div>
<div><br>
</div>
<div>Perhaps the servers need a patch so that the callsign-SSID
has to look semi-legitimate (digits and letters, part preceding
a hyphen limited to 6 or 7 characters, etc.). Of course, that
level of hardening would be easy for the evil one to work around
by just forging a legitimate callsign. But let's not document
it, since legitimate users would never be hindered by the
constraint.</div>
<div><br>
</div>
<div>Andrew, KA2DDO</div>
<div>author of YAAC</div>
<div><br>
</div>
<br>
<br>
-------- Original message --------<br>
From: John Langner WB2OSZ <a class="moz-txt-link-rfc2396E" href="mailto:wb2osz@comcast.net"><wb2osz@comcast.net></a> <br>
Date: 4/30/20 10:49 (GMT-05:00) <br>
To: <a class="moz-txt-link-abbreviated" href="mailto:aprssig@lists.tapr.org">aprssig@lists.tapr.org</a> <br>
Subject: [aprssig] UNDEFINED? <br>
<br>
This looks like a deliberate attack, not an innocent accidental
misconfiguration.<br>
<br>
It appears to be scanning through a large number of T2 servers around the
world. The location is bouncing all over the place, perhaps to thwart
duplicate removal and fill up the database.<br>
<br>
At <a class="moz-txt-link-freetext" href="http://ontario.aprs2.net:14501/">http://ontario.aprs2.net:14501/</a> we find:<br>
<br>
<pre>187.210.189.241 UNDEFINED true gpserver corget.cn No filter set 0d1h0m4.17s 121 2,402 7,676 184,425 21 512 0d0h0m4.249s</pre>
<br>
2400 packets per hour to the Ontario server alone.<br>
<br>
This might be an attempt at a denial of service attack.<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
aprssig mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:aprssig@lists.tapr.org">aprssig@lists.tapr.org</a><br>
<a class="moz-txt-link-freetext" href="http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org">http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org</a><br>
<br>
</blockquote>
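<p>The two checks discussed in the thread above, Andrew's "semi-legitimate" shape test for the callsign-SSID and a per-station rate check suggested by the 2400 packets/hour figure, as an added example in Python. This is not code from any of the posters or from their software; the 7-character base limit, the 1-2 character SSID, the 1000 packets/hour threshold and the sample packets are all assumptions constructed for the illustration. It also shows Lynn's objection: a tactical call such as FIREBASE fails the shape check even though it is legitimate, while the rate check singles out UNDEFINED alone.</p>

```python
import re
from collections import Counter

# Shape heuristic in the spirit of Andrew's proposal (added example; the
# 7-character base limit and 1-2 character SSID are assumptions, not a spec quote):
# letters/digits only, short base call, optional "-SSID".
CALLSIGN_RE = re.compile(r"^[A-Z0-9]{1,7}(?:-[A-Z0-9]{1,2})?$")


def source_of(packet):
    """Return the source call of a TNC2-style APRS-IS packet ('SRC>DEST,PATH:payload')."""
    src, sep, _rest = packet.partition(">")
    if not sep or not src:
        raise ValueError("not a TNC2-style packet: %r" % packet)
    return src


def looks_legitimate(call):
    """Andrew's shape test: True when the callsign-SSID matches CALLSIGN_RE."""
    return CALLSIGN_RE.match(call) is not None


def audit(packets, window_seconds, rate_limit_per_hour):
    """Classify each source by shape and by packet rate over the capture window.

    Returns (rejected_by_shape, rejected_by_rate, per_hour), where per_hour maps
    each source to its packet count extrapolated to packets/hour.
    """
    counts = Counter(source_of(p) for p in packets)
    per_hour = {c: n * 3600.0 / window_seconds for c, n in counts.items()}
    rejected_by_shape = sorted(c for c in counts if not looks_legitimate(c))
    rejected_by_rate = sorted(c for c, r in per_hour.items() if r > rate_limit_per_hour)
    return rejected_by_shape, rejected_by_rate, per_hour


# Constructed sample capture (not real traffic): 60 seconds of packets as a
# server might see them. UNDEFINED floods at 40 packets/minute (2400/hour, the
# figure from the thread); KJ4ERJ-12 and WB2OSZ are ordinary stations; FIREBASE
# stands in for a tactical call that is legitimate but fails the shape check.
SAMPLE_WINDOW_SECONDS = 60
SAMPLE_PACKETS = (
    ["UNDEFINED>APRS,TCPIP*,qAC,T2ONTARIO:!4300.00N/07900.00W>"] * 40
    + ["KJ4ERJ-12>APWW10,TCPIP*,qAC,T2ONTARIO:!2800.00N/08100.00W>"]
    + ["WB2OSZ>APDW15,TCPIP*,qAC,T2ONTARIO:!4200.00N/07100.00W>"]
    + ["FIREBASE>APRS,TCPIP*,qAC,T2ONTARIO:!4400.00N/07800.00W>"] * 2
)

if __name__ == "__main__":
    # 1000 packets/hour is an assumed threshold, not a value from the thread.
    shape, rate, per_hour = audit(SAMPLE_PACKETS, SAMPLE_WINDOW_SECONDS, 1000)
    print("fails shape check: ", shape)   # UNDEFINED plus the FIREBASE false positive
    print("exceeds rate limit:", rate)    # UNDEFINED only
    for call, r in sorted(per_hour.items()):
        print("%-10s %6.0f packets/hour" % (call, r))
```

<p>The shape test rejects both UNDEFINED and the tactical call, which is the false-positive problem Lynn raises; the rate test isolates the flooding source without touching low-rate stations, but, as Andrew notes for the shape test, either check is trivially evaded by an attacker who forges a legitimate-looking call and spreads traffic across sources.</p>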
<p><br>
</p>
</body>
</html>