<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>And then there's this change in packets:</p>
<pre><blockquote type="cite"><span class="raw_line_err">2020-04-30 12:42:16 EDT: <b><a href="https://aprs.fi/?c=raw&limit=&call=UNDEFINED">UNDEFINED</a></b>>APRS,TCPIP*,qAC,T2DENMARK:@301642z193.83N/0986.32Euundefined/V1.0 <b>[Invalid uncompressed location]</b></span>
<span class="raw_line_err">2020-04-30 12:42:17 EDT: <b><a href="https://aprs.fi/?c=raw&limit=&call=undefined">undefined</a></b>>APRS,TCPIP*,qAS,<a href="https://aprs.fi/?c=raw&limit=&call=UNDEFINED">UNDEFINED</a>:@301642z2056.57N/09725.17Euundefined/V1.0 <b>[Rate limited (< 5 sec)]</b></span>
<span class="raw_line_err">2020-04-30 12:42:17 EDT: <b><a href="https://aprs.fi/?c=raw&limit=&call=undefined">undefined</a></b>>APRS,TCPIP*,qAS,<a href="https://aprs.fi/?c=raw&limit=&call=UNDEFINED">UNDEFINED</a>:@301642z3143.75N/11641.88Euundefined/V1.0 <b>[Rate limited (< 5 sec)]</b></span>
<span class="raw_line_err">2020-04-30 12:42:18 EDT: <b><a href="https://aprs.fi/?c=raw&limit=&call=UNDEFINED">UNDEFINED</a></b>>APRS,TCPIP*,qAC,T2FRANCE:@301642z1916.39N/09937.08Euundefined/V1.0 <b>[Rate limited (< 5 sec)]</b></span></blockquote>
</pre>
<div class="moz-signature">And with that V1.0 hanging out in the
comment, it just smells like a new client being authored.</div>
<div class="moz-signature"><br>
</div>
<div class="moz-signature">Lynn (D) - KJ4ERJ - Author of APRSISCE
for Windows Mobile and Win32
<br>
<br>
</div>
<div class="moz-cite-prefix">On 4/30/2020 12:45 PM, Lynn W
Deffenbaugh (Mr) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:853af3e1-4c0f-5aa5-ca5f-9e39baf48351@arrl.net">
<div class="moz-cite-prefix">There are many valid APRS stations
that use so-called tactical calls that look just like this one,
so any attempt at automatic filtering would not be a good idea.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I'm suspecting it may be one new
software implementation that is executing on several devices in
different locations. But that's just a guess. I didn't look at
the servers it was coming through, but that can also be
explained by a novice coder that is resolving a round-robin DNS,
connecting to the server, logging in, sending the packet and
dropping the connection rather than keeping it open.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I think if it were an actual DOS
attempt, the tracks wouldn't be following roads if you ignore
the physics-defying jumps.</div>
<div class="moz-cite-prefix"><br>
</div>
Lynn (D) - KJ4ERJ - Author of APRSISCE for Windows Mobile and
Win32 <br>
<div class="moz-signature"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 4/30/2020 11:55 AM, spam8mybrain
via aprssig wrote:<br>
</div>
<blockquote type="cite"
cite="mid:rx15et94h0on1b92w3tfi9av.1588262118599@email.android.com">
Is it coming from a single client IP address, or do they have a
botnet driving this?
<div><br>
</div>
<div>Since UNDEFINED is not a valid callsign, can the backbone
servers blacklist this?</div>
<div><br>
</div>
<div>Perhaps the servers need a patch so that the callsign-SSID
has to look semi-legitimate (digits and letters, part
preceding a hyphen limited to 6 or 7 characters, etc.). Of
course, that level of hardening would be easy for the evil one
to work around by just forging a legitimate callsign. But
let's not document it, since legitimate users would never be
hindered by the constraint.</div>
<div><br>
</div>
<div>Andrew, KA2DDO</div>
<div>author of YAAC</div>
<div><br>
</div>
<br>
<br>
-------- Original message --------<br>
From: John Langner WB2OSZ <a class="moz-txt-link-rfc2396E"
href="mailto:wb2osz@comcast.net" moz-do-not-send="true">&lt;wb2osz@comcast.net&gt;</a>
<br>
Date: 4/30/20 10:49 (GMT-05:00) <br>
To: <a class="moz-txt-link-abbreviated"
href="mailto:aprssig@lists.tapr.org" moz-do-not-send="true">aprssig@lists.tapr.org</a>
<br>
Subject: [aprssig] UNDEFINED? <br>
<br>
This looks like a deliberate attack, not an innocent accidental<br>
misconfiguration.<br>
<br>
It appears to be scanning thru a large number of T2 servers,
around the<br>
world. The location is bouncing all over the place, perhaps to
thwart<br>
duplicate removal and fill up the database.<br>
<br>
<br>
At <a class="moz-txt-link-freetext"
href="http://ontario.aprs2.net:14501/" moz-do-not-send="true">http://ontario.aprs2.net:14501/</a>
we find:<br>
<br>
<br>
187.210.189.241 UNDEFINED true gpserver corget.cn No filter<br>
set 0d1h0m4.17s 121 2,402 7,676 184,425 21 512<br>
0d0h0m4.249s<br>
<br>
2400 packets per hour to the Ontario server alone. <br>
<br>
This might be an attempt at a denial of service attack.<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
aprssig mailing list<br>
<a class="moz-txt-link-abbreviated"
href="mailto:aprssig@lists.tapr.org" moz-do-not-send="true">aprssig@lists.tapr.org</a><br>
<a class="moz-txt-link-freetext"
href="http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org"
moz-do-not-send="true">http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org</a><br>
<br>
</blockquote>
<p><br>
</p>
<br>
</blockquote>
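<p>An added example, not part of the original thread or of any APRS-IS server code: a report-only checker that applies the three signals discussed above (the callsign syntax rule, the unparseable position, and the physics-defying jumps between successive reports) to the packets quoted in the first message. The speed ceiling, the SSID pattern, the case-folding of the source call and the N0CALL-9 baseline lines are assumptions made for the example; nothing is dropped, in line with the caveat about tactical calls.</p>

```python
import math
import re
from datetime import datetime

# Syntax rule from the thread (letters/digits, base part at most 7 chars); SSID form is assumed.
CALL_RE = re.compile(r"^[A-Z0-9]{1,7}(-[A-Z0-9]{1,2})?$")
# Uncompressed position: DDMM.mmN, symbol table char, DDDMM.mmE (after an optional timestamp).
POS_RE = re.compile(r"^(?:[!=]|[/@]\d{6}[zh/])([0-8]\d|90)([0-5]\d\.\d\d)([NS])."
                    r"(0\d\d|1[0-7]\d|180)([0-5]\d\.\d\d)([EW])")
MAX_KMH = 1200.0  # assumed ceiling for a believable station speed
SAMPLE = [  # UNDEFINED lines: packets quoted above; N0CALL-9 lines are constructed
    "2020-04-30 12:42:00 N0CALL-9>APRS,TCPIP*,qAC,T2TEST:!3500.00N/08000.00W>constructed",
    "2020-04-30 12:42:16 UNDEFINED>APRS,TCPIP*,qAC,T2DENMARK:@301642z193.83N/0986.32Euundefined/V1.0",
    "2020-04-30 12:42:17 undefined>APRS,TCPIP*,qAS,UNDEFINED:@301642z2056.57N/09725.17Euundefined/V1.0",
    "2020-04-30 12:42:17 undefined>APRS,TCPIP*,qAS,UNDEFINED:@301642z3143.75N/11641.88Euundefined/V1.0",
    "2020-04-30 12:42:18 UNDEFINED>APRS,TCPIP*,qAC,T2FRANCE:@301642z1916.39N/09937.08Euundefined/V1.0",
    "2020-04-30 12:42:30 N0CALL-9>APRS,TCPIP*,qAC,T2TEST:!3500.30N/08000.00W>constructed",
]

def parse_position(info):  # (lat, lon) in degrees, or None when the field is malformed
    m = POS_RE.match(info)
    if not m:
        return None
    lat = int(m.group(1)) + float(m.group(2)) / 60
    lon = int(m.group(4)) + float(m.group(5)) / 60
    return (-lat if m.group(3) == "S" else lat, -lon if m.group(6) == "W" else lon)

def km_between(a, b):  # great-circle (haversine) distance in km
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def analyse(lines):  # returns (timestamp, call, reason) findings; reports only, drops nothing
    last, findings = {}, []
    for line in lines:
        when = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        header, _, info = line[20:].partition(":")
        call = header.split(">", 1)[0].upper()  # case-folded so both spellings share one track
        if not CALL_RE.match(call):
            findings.append((line[:19], call, "bad-callsign"))
        pos = parse_position(info)
        if pos is None:
            findings.append((line[:19], call, "bad-position"))
            continue
        if call in last:  # same-second reports are treated as one second apart
            hours = max((when - last[call][0]).total_seconds(), 1.0) / 3600
            if km_between(last[call][1], pos) / hours > MAX_KMH:
                findings.append((line[:19], call, "impossible-jump"))
        last[call] = (when, pos)
    return findings
```

<p>Compressed positions, position ambiguity and non-position packets are not parsed here and would be reported as bad-position, so the checker is meant for a feed of uncompressed position reports.</p>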
</body>
</html>