Disable DRM
Hi all,
I'm still having a lot of issues with bots (at least I think they are). They come in and go straight to DRM, which in turn hangs the kiwi.
I cannot replicate what they are doing. If I open a DRM connection myself, all other channels will continue to run.
This station is coming in via a TOR exit node, used to go to 27005 but now to 27235.
CPU goes to 100% once they come in.
I set DRM to NO for user enabled, but that doesn't seem to matter...
Any idea how to control this?
Thanks in advance
Rick DU6/PE1NSQ
Comments
Hello Rick,
Maybe add a rule to block the TOR node IP addresses on your router?
73!, Yuri
Hi Yuri,
Yes, that would normally be easy. I'm only on a provider-grade NAT, i.e. no public-facing IP, and I'm using the reverse proxy service from John. So I don't have access to firewall rules.
All I have are the iptables on the kiwi itself. I tried adding the TOR exit node list in there, but that's basically killing the kiwi ...
TBH, all those bots have been a problem for a while now ... it's taking away the fun of having a service available for your fellow HAMs ....
73
Rick
I don't understand some things here.
When you say "go straight to DRM and hang the Kiwi" what do you mean exactly? Do these connections show up in the users tab of the main control panel with mode DRM? (or on the admin status page). And when you say "hang" do you mean no other connections can be made and/or existing user connections stop responding? (e.g. audio/waterfall stops).
And this continues to happen with DRM disabled on the extensions tab of the admin interface? Since this is happening on a regular basis I will connect and take a look.
Okay, today's update will address this issue a bit.
Even with DRM disabled, using a modified kiwirecorder I was able to replicate making connections with a mode of "drm" and also initialize the DRM extension. But this didn't result in the DRM extension actually running or "hanging" my Kiwi. It is possible the attacker is doing some more complex API calls to cause this however.
A connection with a mode of "drm" is really only a cosmetic issue. It's basically the same as "iq" mode. It's the Kiwi UI that is also loading the DRM extension when the DRM button is pushed.
So in v1.452 when someone asks for "drm" mode using the API when it is admin-disabled, and the connection is not local, the mode will be forced to "iq". Trying to load the DRM extension under the same conditions will immediately close the extension.
It's likely there are other corner cases in the API like this. I never spent much time designing for a hostile environment. I don't know why you are experiencing such an assault. I wonder what would happen if you change the Kiwi name used with the proxy? It would likely take some human intervention to discover this change and that would tell us something.
Hi John,
Yes on everything ... you see them in users and admin page as DRM and existing connections stop responding, with all connections at the end timing out (ping still works).
I just wanted to check if the kiwi has the updated software already but it has been offline since yesterday night (it's close to noon time now).
Update: 1.452 is running already, I'll monitor if it happens again....
If I enable DRM, no issues. If that bot comes in, the kiwi stops responding.
Quote
It's likely there are other corner cases in the API like this. I never spent much time designing for a hostile environment. I don't know why you are experiencing such an assault. I wonder what would happen if you change the Kiwi name used with the proxy? It would likely take some human intervention to discover this change and that would tell us something.
/Quote
Can I just change the name of my kiwi without you making an update in the reverse proxy?
Can I just change the name of my kiwi without you making an update in the reverse proxy?
Yes. Just click the "re-register" button after entering the new name and then restart.
Cheers ... I'll try if I keep on having issues.
So far I have not seen them back ...
Hi all,
I don't know why someone would use TOR to connect to a KiwiSDR if he is an honest listener.
Maybe block the TOR network on the proxy.kiwisdr.com server?
It's not difficult, for example on Ubuntu:
1. Install ipset:
>sudo apt install ipset
2. Create a new set named tor:
>sudo ipset -N tor iphash
3. Add a new bash script like this:
#!/bin/bash
# Download the current TOR exit list, drop comment lines, add each address to the "tor" set
wget -q "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=YOUR_IP" -O - | sed '/^#/d' | while read -r IP
do
  ipset -q -A tor "$IP"
done
4. Make it executable and run it with sudo. If all is fine, check the new set:
>sudo ipset -L tor
(you should see a lot of IPs in this set)
5. Then add this set to the INPUT chain in iptables:
>sudo iptables -I INPUT -m set --match-set tor src -j DROP
6. And add a root cron job to rerun this bash script every 5 hours (for example)...
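A variant of the refresh script from step 3, as an added example that is not part of the original post: it validates each line, loads the list into a scratch set in one `ipset restore` batch and swaps it into `tor`, so stale addresses do not accumulate and the single iptables rule from step 5 keeps matching during the update. The scratch set name `tor_new`, the `--apply`/`--demo` switches and the sample addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example: atomic refresh of the "tor" ipset from a bulk exit list.
SET=tor        # set created in step 2 of the post
TMP=tor_new    # scratch set name (assumption, any unused name works)

# Constructed sample input (documentation address ranges, not real exits).
SAMPLE_LIST='# constructed sample list
192.0.2.10
198.51.100.7
192.0.2.10
203.0.113.999
not-an-ip
203.0.113.5'

# stdin: exit list text. stdout: an "ipset restore" batch for the scratch set.
# Comments, blanks, duplicates and non-IPv4 lines are dropped, not passed on.
build_restore() {
  echo "create $TMP hash:ip"
  echo "flush $TMP"
  tr -d '\r' | awk -v s="$TMP" '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      split($0, o, "."); ok = 1
      for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
      if (ok && !seen[$0]++) print "add " s " " $0
    }'
}

# Load the batch, then swap it in. Needs root and the existing "tor" set.
apply_restore() {
  batch=$(build_restore) || return 1
  case "$batch" in
    *"add $TMP "*) ;;   # at least one valid address
    *) echo "empty or invalid list, keeping current set" >&2; return 1 ;;
  esac
  printf '%s\n' "$batch" | ipset -exist restore &&
    ipset swap "$TMP" "$SET" &&
    ipset destroy "$TMP"
}

# Run as root with --apply to fetch the list named in the post and load it;
# with --demo it prints the batch for the constructed sample.
case "${1:-}" in
  --apply) wget -q "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=YOUR_IP" -O - | apply_restore ;;
  --demo)  printf '%s\n' "$SAMPLE_LIST" | build_restore ;;
esac
```

If the download fails or returns nothing usable, `apply_restore` leaves the current `tor` set untouched instead of swapping in an empty one.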
It's possible a user might use TOR to connect to receivers if their own country takes a dim view of users consuming media from other parts of the world.
There are better ways of tunneling through such a situation, but a user without much technical sophistication might not know them.
@jks I think the update worked ..
I now see in the log:
And they are being kicked off.
Sadly, I think my power supply is dying ... so need to address that too.
@rz3dvp I don't have control over the reverse proxy. So I cannot do that. However, I think I might still be able to do it on the kiwi itself. The problem is that the kiwi is not powerful enough with such a large iptables list ... it becomes very slow.
But your suggestion might work for others who have control over this!
That auto notch command is very strange. It is not current protocol and I'm not even sure it was old protocol at some point (it's difficult to check). It's possible this is from an old version of kiwiclient/kiwirecorder or one of the third-party Kiwi applications.
A connection will get kicked off if it doesn't complete the minimum necessary protocol setup within a period of time. This was to combat a certain type of bad connection behavior we saw earlier.
It seems to do the trick though ...
I changed my hostname as well to get rid of all those connection attempts. So for now it seems to be ok again.
Just waiting for a new power supply, since the old one seems to be on the verge of breakdown.
Thanks for all your help ...