<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>Well, there's certainly no excuse for a commercial fleet tracking system to be on APRS-IS (except, of course, saving company money by mooching someone else's infrastructure). Thankfully, throttling might discourage them.
<div><br></div><div>Related to throttling, I came up with another discouraging idea for such abusers. Each time a client connects to an APRS-IS server, send comments stating this is an amateur radio only network, and commercial traffic is forbidden by national and international law. Then ignore/discard all of their traffic in both directions for 10 to 30 seconds before resuming normal processing (with throttling). It would be a little annoying for legitimate users with flaky Internet connections, but it might lower our network's usability for commercial purposes beyond their tolerance. After all, we know abusers will ignore the legal notice (that's why they're abusers), but having throttling and outages every time they reconnect should make us less usable for them. And when they research the problem, they might get the hint we don't want them there.</div><div><br></div><div>Andrew, KA2DDO</div><div>author of YAAC and</div><div>professional software engineer for commercial international logistics software (no ad for my employer here)</div><br><br>-------- Original message --------<br>From: Heikki Hannikainen <hessu@hes.iki.fi> <br>Date: 4/30/20 13:52 (GMT-05:00) <br>To: aprssig@lists.tapr.org <br>Subject: Re: [aprssig] UNDEFINED? <br><br><br>Actually, this might be the manufacturer:<br><br>http://www.corget.com/en/<br><br>They have fleet management apps:<br><br>http://www.corget.com/en/fwzc.php?id=7<br><br>corget.cn is listed as the app version in the APRS-IS login string, as <br>described below.<br><br><br>On Thu, 30 Apr 2020, Heikki Hannikainen wrote:<br><br>><br>> Hi,<br>><br>> I agree; if a single callsign of an intentional abuser is filtered <br>> altogether, it is very easy for him to switch to another callsign, and then <br>> it's again much more work for us to filter the second callsign.<br>><br>> If we somehow filter all non-valid-looking callsigns, then he will start <br>> using someone's valid callsign, and then it's even more problematic since <br>> that someone may be quite upset.<br>><br>> But if this is not intentional abuse, rather just a misbehaving client app, <br>> filtering will help.<br>><br>> I have been thinking about a rate limiter on client ports, where a single <br>> client could not accidentally send huge bursts of packets. Such bursts may <br>> potentially cause slower clients or slower interserver links to get <br>> disconnected due to a buffer overrun.<br>><br>><br>> I checked the logs of T2FINLAND of a few days. The connections from UNDEFINED <br>> came from 125 unique IPs (to just T2FINLAND alone), from USA, Mexico, Chile, <br>> Costa Rica, AWS EC2, South Africa, Jersey and Sweden. Mostly <br>> end-user/customer networks (ATT mobile, etc) and some hosting networks. For <br>> many networks (such as the ATT mobile access network) many close-by IP <br>> addresses appeared from the same operator allocation / subnet, indicating <br>> dynamic IP allocation; these could be all the same client just getting <br>> different IPs over time, or multiple clients.<br>><br>> Because there were a lot of IPs around the world, I suspected they may be TOR <br>> exit nodes; but no, none of them are listed in the TOR exit node lookup <br>> service.<br>><br>> So, my *guess* is that some pre-existing vehicle tracking software from China <br>> has recently gained APRS support in a new software version, and without <br>> proper configuration present, it runs with the UNDEFINED callsign and still <br>> transmits positions. Guessing China, because it says "gpserver" as the <br>> application name, and "corget.cn" as the version number. No such domain on <br>> DNS though, but these might help in finding the software.<br>><br>> For aprsc operators, you can look for these IPs like this (shows the number <br>> of connections from each IP):<br>><br>> grep UNDEFINED aprsc.log*|grep -v DEBUG|grep closed|sed -e 's/.*Client TCP <br>> //' -e 's/:.*//'|sort|uniq -c|sort -n|less<br>><br>> and then to look up whether any TOR exit nodes are present:<br>><br>> grep UNDEFINED aprsc-t2finland.*|grep -v DEBUG|grep closed|sed -e 's/.*Client <br>> TCP //' -e 's/:.*//'|sort|uniq|perl -nle 'print(join(".",reverse(split <br>> /\./,$_)) . ".dnsel.torproject.org")' | xargs -n 1 dig +noall +nocomments <br>> +answer<br>><br>><br>> It might be interesting to try to look for log entries using this gpserver <br>> app, but not an UNDEFINED callsign.<br>><br>> As for workaround, maybe I should add a method in aprsc to reject packets <br>> sent by a specific client app (such as 'gpserver' in this case) if so <br>> configured.<br>><br>> But how about if we'll just filter packets originated by UNDEFINED on the T2 <br>> hub servers for now? This will take the rate down and hide this from the core <br>> servers; you'll still see some of these packets if you're connected to the T2 <br>> leaf with one of these clients.<br>><br>><br>> On Thu, 30 Apr 2020, Lynn W Deffenbaugh (Mr) wrote:<br>><br>>> There are many valid APRS stations that use so-called tactical calls that <br>>> look just like this one, so any attempt at automatic<br>>> filtering would not be a good idea.<br>>> <br>>> I'm suspecting it may be one new software implementation that is executing <br>>> on several devices in different locations. But that's<br>>> just a guess. I didn't look at the servers it was coming through, but that <br>>> can also be explained by a novice coder that is<br>>> resolving a round-robin DNS, connecting to the server, logging in, sending <br>>> the packet and dropping the connection rather than<br>>> keeping it open.<br>>> <br>>> I think if it were an actual DOS attempt, the tracks wouldn't be following <br>>> roads if you ignore the physics-defying jumps.<br>>> <br>>> Lynn (D) - KJ4ERJ - Author of APRSISCE for Windows Mobile and Win32<br>>> <br>>> <br>>> On 4/30/2020 11:55 AM, spam8mybrain via aprssig wrote:<br>>> Is it coming from a single client IP address, or do they have a <br>>> botnet driving this?<br>>> Since UNDEFINED is not a valid callsign, can the backbone servers blacklist <br>>> this?<br>>> <br>>> Perhaps the servers need a patch so that the callsign-SSID has to look <br>>> semi-legitimate (digits and letters, part preceding a<br>>> hyphen limited to 6 or 7 characters, etc.). Of course, that level of <br>>> hardening would be easy for the evil one to work around<br>>> by just forging a legitimate callsign. But let's not document it, since <br>>> legitimate users would never be hindered by the<br>>> constraint.<br>>> <br>>> Andrew, KA2DDO<br>>> author of YAAC<br>>> <br>>> <br>>> <br>>> -------- Original message --------<br>>> From: John Langner WB2OSZ <wb2osz@comcast.net><br>>> Date: 4/30/20 10:49 (GMT-05:00)<br>>> To: aprssig@lists.tapr.org<br>>> Subject: [aprssig] UNDEFINED?<br>>> <br>>> This looks like a deliberate attack, not an innocent accidental<br>>> misconfiguration.<br>>> <br>>> It appears to be scanning thru a large number of T2 servers, around the<br>>> world. The location is bouncing all over the place, perhaps to thwart<br>>> duplicate removal and fill up the database.<br>>> <br>>> <br>>> At http://ontario.aprs2.net:14501/ we find:<br>>> <br>>> <br>>> 187.210.189.241 UNDEFINED true gpserver corget.cn No filter<br>>> set 0d1h0m4.17s 121 2,402 7,676 184,425 21 512<br>>> 0d0h0m4.249s<br>>> <br>>> 2400 packets per hour to the Ontario server alone. <br>>> <br>>> This might be an attempt at a denial of service attack.<br>>> <br>>> <br>>> <br>>> <br>>> _______________________________________________<br>>> aprssig mailing list<br>>> aprssig@lists.tapr.org<br>>> http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org<br>>> <br>>> _______________________________________________<br>>> aprssig mailing list<br>>> aprssig@lists.tapr.org<br>>> http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org<br>>> <br>>> <br>>> <br>>> <br>><br>> - Hessu<br>><br><br> - Hessu<br><br>_______________________________________________<br>aprssig mailing list<br>aprssig@lists.tapr.org<br>http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org<br></body></html>