KiwiSDRs Being Restarted - Attack or Poorly Programmed Bot?
Several of us KiwiSDR owners have been experiencing problems starting a few hours ago today: our KiwiSDRs would restart every few (10-20 mostly) minutes. Checking the logs, this seemed to happen just after someone from an IP address 34.x.x.x tried to connect (repeatedly?).
Let me know if you need complete logs. Not sure if you want them posted publicly here, so I won't.
We've taken our KiwiSDRs offline in the meantime.
Comments
Debian/Linux reboot or Kiwi server restart?
It would really help if I could have direct ssh access to the Beagle on a Kiwi with this problem. Then I can run the Kiwi server under the debugger, compile with added debugging code etc to help find the problem.
Send details to the support email please.
Just a server software restart, not a reboot of the system.
I am sending you an email now to jks @ you know where
I want to add.. the IP addresses in question all resolve to Google LLC. Not sure if they are Google itself (indexing bots, etc) or from services they rent out.
I have received no email, not even to my spam inbox.
Please use support @ kiwisdr.com, the official support address.
I am getting these random outages/resets as well. What files would you like to see to analyze?
The log files won't help me at this point.
However, I have code tested and ready to go that will help me diagnose the issue. The problem is that I need ssh-level access to a Kiwi that is frequently experiencing the issue.
35.192.66.49 this is the IP and my log shows this...
and
35.226.75.68, 34.72.231.162
over and over....
@jks can I give you a TeamViewer to a machine and from there to ssh to my Kiwi?
or a vpn....
I just sent you another email, John.
I took the Kiwi offline as it is getting hammered again. I will put it back online when you get the email and reply.
This is also my problem; I am attaching a PDF with the data.
Fabrys
Update:
.... the device blocking problems continue.
Tue Dec 21 11:36:32 00: 35: 45.307 01 .. 1 L ### SECURITY: NO AUTH YET: W / F 4 35.184.226.77 <0.79935413339620910.79935413339620910.79935413339620910.79935413339620910.
... OFFLINE device, in the hope that the problem will be solved.
Same behavior as others have reported, including multiple hits from IP addresses beginning with 34 and 35. I am offline until resolved.
Until we receive an update we can block these IP addresses!
How do you block all 34 and 35.x.x.x ip addresses?
This is my blocked ip list
34.72.231.162/16 35.184.226.77/16 35.193.93.106/16 35.226.75.68/16 34.133.26.245/16 34.138.234.38/16 35.227.153.91/16 35.238.253.231/16 35.196.148.15/16 35.192.66.49/16 34.105.56.69/16 34.105.116.190/16 34.74.44.165/16 34.105.56.69/16 35.188.11.56/16 34.83.161.2/16 34.123.109.20/16 34.82.3.252/16 34.134.29.223/16 34.135.119.188/16
Thanks for the update @fabiodidonna !
@KU4SD
/16 it will block from 34.72.0.0 to 34.72.255.254
/8 it will block everything from 34.0.0.0 to 34.255.255.254
You can copy my list and go to the admin panel, Network, and there you have IP address blacklist... just paste my list but don't reboot kiwi server or Beagle because you will lose this list!
All our Kiwis at Weston are being hit too.
We have temporarily taken them off until we can blacklist the offenders.
I am not able to access my KIWI since it is at a different location, but I will blacklist 34 and 35 this afternoon. Has anyone tried this and has this proven to be an effective corrective action?
Added to my blacklist:
35.193.93.106/32 35.226.75.68/32 34.133.26.245/32 34.138.234.38/32 35.227.153.91/32 35.238.253.231/32 35.196.148.15/32 35.192.66.49/32 34.105.56.69/32 34.105.116.190/32 34.74.44.165/32 35.188.11.56/32 34.83.161.2/32 34.123.109.20/32 34.82.3.252/32 34.134.29.223/32 35.184.226.77/32 34.138.64.141/32 34.132.101.52/32 34.121.145.207/32
I ended up adding 34.0.0.0/8 35.0.0.0/8 to the blocked list on all KiwiSDRs hosted here.
Guys... if you manually blacklist IPs, disable Daily restart from Admin panel - Control - Daily restart set to NO!
Too early to tell if effective yet, but I have implemented the block on my four Kiwis. I'm looking at it being a brute force obstacle until the issue gets identified/resolved.
Until we receive a software update this is the only way to block this attack. If they change the IP class we will be affected again!
Hello to all. I have included all the blacklists you posted here, but my KiwiSDR still keeps restarting every 10 minutes or so... is there a way to block, as stated, a large range of IPs in order to avoid looking for any single IP that offends and causes the KiwiSDR to restart? I mean, is the final solution to put just 34.0.0.0/8 35.0.0.0/8 and nothing else?
I know just enough Linux to be dangerous to myself, and I really don't know how to parse the user.log very well. In looking at logs, I cannot tell if an IP element added after rebooting is working. Also, I am seeing suspicious activity from China and Russia in the form of:
"(no identity)" 139.198.178.150 incomplete connection kicked
Can anyone tell me about these incomplete kicked connections?
So far I've run about 30 minutes without a reboot, having added a blacklist for ip class 34 and 35. This seems like a game of whack-a-mole and I may just have to shut down.
We have added 34.0.0.0/8 and 35.0.0.0/8 just to be on the safe side until a better fix is found.
Mine has been working for more than 3 hours and is OK with IPs blacklisted!
> ... but don't reboot kiwi server or Beagle because you will lose this list!
> Guys... if you manual blacklist ip's disable Daily restart from Admin panel - Control - Daily restart set to NO!
Neither of these statements is correct. If you make a change in the "IP address blacklist" field on the admin page, network tab, it will be stored in the configuration and persist across restarts. Only clicking the "Download" button will overwrite any manual changes you have made to the field.
It seems that the problems come from these IP groups assigned to Google. So in the blacklist just add these addresses only (without blocking all 34.xxx.xxx.xxx and 35.xxx.xxx.xxx addresses).
34.64.0.0/10 34.128.0.0/10
35.184.0.0/13 35.192.0.0/12 35.240.0.0/13 35.224.0.0/12 35.208.0.0/12
So far, almost 2 hrs without restarts...
I was seeing SYN flood warnings on my router from those addresses earlier. Seems to have slowed down now and no new warnings for several hours.
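Added example (not part of the original thread and not KiwiSDR code): a Python sketch using the standard `ipaddress` module to show what range a posted CIDR entry actually matches, and to check whether the narrower Google ranges posted above still cover the addresses seen in the logs. The lists are copied from the posts; the function names are illustrative, and how the Kiwi's own blacklist parser treats entries with host bits set is not assumed here.

```python
import ipaddress

# Addresses quoted in the thread's logs (a subset, copied from the posts).
OBSERVED = ["35.192.66.49", "35.226.75.68", "34.72.231.162",
            "35.184.226.77", "34.105.56.69", "34.138.234.38"]
# Entries as posted with host bits set, e.g. 34.72.231.162/16.
POSTED_16 = ["34.72.231.162/16", "35.184.226.77/16", "35.192.66.49/16",
             "34.105.56.69/16", "34.105.116.190/16"]
# The narrower ranges and the broad /8 blocks posted in the thread.
NARROW = ["34.64.0.0/10", "34.128.0.0/10", "35.184.0.0/13", "35.192.0.0/12",
          "35.240.0.0/13", "35.224.0.0/12", "35.208.0.0/12"]
BROAD = ["34.0.0.0/8", "35.0.0.0/8"]

def normalize(entries):
    """Mask off host bits, drop duplicates and merge adjacent networks."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))

def covered_range(entry):
    """First and last address matched by one CIDR entry."""
    net = ipaddress.ip_network(entry, strict=False)
    return str(net.network_address), str(net.broadcast_address)

def uncovered(addresses, blocklist):
    """Addresses that no entry of the blocklist matches."""
    nets = normalize(blocklist)
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]

def total_addresses(blocklist):
    """Number of IPv4 addresses the blocklist shuts out in total."""
    return sum(n.num_addresses for n in normalize(blocklist))

if __name__ == "__main__":
    print(covered_range("34.72.231.162/16"))
    print([str(n) for n in normalize(POSTED_16)])
    print("missed by NARROW:", uncovered(OBSERVED, NARROW))
    print("NARROW blocks", total_addresses(NARROW), "addresses;",
          "BROAD blocks", total_addresses(BROAD))
```

On these inputs the narrower list matches every sampled address while shutting out 12,582,912 addresses rather than the 33,554,432 removed by the two /8 entries.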