Cloud listening to HFDL frequencies (kiwi_nc.py)

HB9TMCHB9TMC
edited June 28 in KiwiSDR Discussion

I have been seeing connections from cloud networks all over the world receiving HFDL frequencies in the aeronautical bands with I/Q for hours. Either kiwiclient or some custom client.

What could be the purpose of this?

Comments

  • G8JNJG8JNJ

    I wonder if some of the Plane spotter apps are starting to use KiWi's to aggregate HFDL data, as they already do for ADBS and ACARS VDL etc.

    Regards,

    Martin

  • HB9TMCHB9TMC

    I think they wouldn't have dozens of servers at different cloud services. If I block one, they immediately connect from a different network.

    It's almost like a bot net. If i don't limit the channels per IP to 1, they occupy all channels.

  • jksjks

    So we need an alternative. In the past I've added code to determine the unique characteristics of such connections. And If I can distinguish them from legitimate connections then I can disconnect them soon after they connect.

  • HB9TMCHB9TMC
    edited May 10

    Well they look like legitimate kiwirecorder connections.

    I'll try a few things and look how it goes.

    Maybe an option to block non-kiwi connections from non-local networks would be a possibility, but it's not a severe issue at the moment.

    Ah well that works. Let's see how long they try.

    API: non-Kiwi app was denied connection


  • HB9TMCHB9TMC

    And they're gone. I wonder if they show up on other kiwis.

    We have a great aurora show here in southern Switzerland this evening btw.

  • HB9TMCHB9TMC

    So, they keep trying. It does have become a bit of an annoyance.

    I don't want to disable non-kiwi connections permanently, because they're required for example for TDoA.

    I've masked the frequencies to which they're listening to. Since then, they disconnect after 3 minutes. Which means they are actively decoding data. But they still try several times every day, each time from a new IP address/network, more than hundred so far.

    If there's a simple solution to prevent that, it would be nice, otherwise i'll just sit it out.

    May 18 02:03:11 kiwid[746]: 1d:04:04:03.463 0.234567 0        PWD new connection --------------------------------------------------------
May 18 02:03:11 kiwid[746]: 1d:04:04:03.468 0.234567 0        PWD kiwi SND ALLOWED: no user password set, so allow connection from 185.188.255.x
May 18 02:03:12 kiwid[746]: 1d:04:04:04.301 0.234567 0        13351.00 kHz  iq z0  "kiwi_nc.py" 185.188.255.x (ARRIVED)
May 18 02:03:20 kiwid[746]: 1d:04:04:13.076 0.234567 0        API: TRIG=F SND(T3) f_kHz=13351.001 freq_trig=0 hasDelimiter=1 z=0
May 18 02:03:29 kiwid[746]: 1d:04:04:22.094 0.234567 0        GEOLOC: 185.188.255.x sent no geoloc info, we got "London, United Kingdom" from geo host #0
May 18 02:06:08 kiwid[746]: 1d:04:07:00.235 ..234567 0        13351.00 kHz  iq z0  "kiwi_nc.py" 185.188.255.x London, United Kingdom (LEAVING after 0:02:57)
May 18 02:06:14 kiwid[746]: 1d:04:07:06.485 0.234567 0        PWD new connection --------------------------------------------------------
May 18 02:06:14 kiwid[746]: 1d:04:07:06.490 0.234567 0        PWD kiwi SND ALLOWED: no user password set, so allow connection from 185.126.74.y
May 18 02:06:17 kiwid[746]: 1d:04:07:09.233 0.234567 0        13351.00 kHz  iq z0  "kiwi_nc.py" 185.126.74.y (ARRIVED)
May 18 02:06:23 kiwid[746]: 1d:04:07:16.074 0.234567 0        API: TRIG=F SND(T3) f_kHz=13351.001 freq_trig=0 hasDelimiter=1 z=0
May 18 02:06:29 kiwid[746]: 1d:04:07:22.098 0.234567 0        GEOLOC: 185.126.74.y sent no geoloc info, we got "Newark, New Jersey, USA" from geo host #0
May 18 02:09:08 kiwid[746]: 1d:04:10:00.470 ..234567 0        13351.00 kHz  iq z0  "kiwi_nc.py" 185.126.74.y Newark, New Jersey, USA (LEAVING after 0:02:54)

    (replaced parts of the IP with x/y for GDPR reasons 🙄)

  • Enactment9972Enactment9972

    I spent an hour kicking their bot and collecting their IP's about two weeks ago. Connections were identical and came from all over the world.

    The IP list is too long to post here but I already sent it to jks.

  • HB9TMCHB9TMC
    edited May 27

    @Enactment9972

    As a temporary solution, you can mask the frequencies. Here it is 8942, 10081, 13351 and 17928 kHz.

    They will then disconnect after 3 minutes and only try 2-3 times a day.

  • G8JNJG8JNJ

    I'm also seeing it now too.

    I have set "Number of simultaneous channels available for connection by non-Kiwi apps" to none, but it is still trying to tune to the 8942 HFDL frequency for ten seconds before it is kicked off.

    The IP is changing with each attempt, every 30 seconds or so.

    Just a few of the many.

    Sat May 25 17:32:39 00:03:50.354 .12. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 45.139.59.142 (LEAVING after 0:00:10)

    Sat May 25 17:33:05 00:04:16.333 .12. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 185.161.252.176 (LEAVING after 0:00:10)

    Sat May 25 17:33:31 00:04:42.328 .12. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 38.154.198.1 (LEAVING after 0:00:10)

    Sat May 25 17:33:57 00:05:08.365 .12. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 143.137.166.65 (LEAVING after 0:00:10)

    Sat May 25 17:34:23 00:05:34.345 .12. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 64.43.117.34 (LEAVING after 0:00:10)

    Sat May 25 17:34:49 00:06:00.354 .12. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 45.139.39.244 (LEAVING after 0:00:10)

    Sat May 25 17:35:15 00:06:26.348 .12. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 91.212.123.170 (LEAVING after 0:00:10)

    Sat May 25 17:35:41 00:06:52.356 .12. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 185.161.255.99 (LEAVING after 0:00:10)

    Sat May 25 17:36:07 00:07:18.365 .12. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 193.168.201.240 (LEAVING after 0:00:10)

    Sat May 25 17:36:26 00:07:37.332 .1.. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 45.192.151.67 (LEAVING after 0:00:10)

    Sat May 25 17:36:52 00:08:03.343 .1.. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 186.179.14.230 (LEAVING after 0:00:10)

    Sat May 25 17:37:18 00:08:29.324 .1.. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 161.0.29.77 (LEAVING after 0:00:10)

    Sat May 25 17:37:44 00:08:55.334 .1.. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 161.0.28.31 (LEAVING after 0:00:10)

    Sat May 25 17:38:10 00:09:21.346 .1.. 0   L 8942.00 kHz iq z0 "kiwi_nc.py" 193.168.201.92 (LEAVING after 0:00:10)

  • HB9TMCHB9TMC
    edited June 28

    It seems that they are now also using African IPs, I'm getting a lot of attempts from Morocco, Ethiopia, Egypt.

    I'm disabling non-kiwi apps again, they're now on too many HFDL frequencies to mask.

  • IK8SUTIK8SUT

    Same at this moment at my receiver ... continue attempt from Morocco, Indonesia, Egypt ..... how to resolve? I have set Number of simultaneous channels available for connection by non-Kiwi apps to nome, but continue!

  • HB9TMCHB9TMC

    I have set Number of simultaneous channels available for connection by non-Kiwi apps to nome, but continue!

    They should be kicked after 10 seconds, at least that's what happens here. After a while they give up (for a few hours).

Sign In or Register to comment.