Local Access Issue [the bot / IP blacklist thread]


Comments

  • Can someone else respond to this please? (re: what kiwirecorder.py really is) I'm drowning in problems right now..

  • edited June 6

    @o00scorpion00o

    kiwirecorder.py is a mechanism for taking the data stream from the Kiwi SDR and recording/processing it locally, in the same way Firefox is software for taking HTML (website) data and rendering it locally.

    If you saw Firefox being used to access your website, that is not one person; it is a method. The same goes for kiwirecorder.py: there are many users, including but not limited to your polite listener.

    Some other users just don't care.

  • edited June 6

    @o00scorpion00o

    Your situation sounds completely different, with the exception of kiwirecorder.py being used. kiwirecorder.py is a Python script that you can use to automate recording data from KiwiSDRs. Anyone and everyone can use it, and if they leave the default name in there, they all show up as "kiwirecorder.py." The fact that you were contacted by the individual is enough for me to believe that this isn't the same individual or individuals involved.

    Nobody contacted me or anyone else that I know of since this issue began back in early March. Initially, they were using numerous VPNs to connect to all 4 of my channels at the same time for an extended period of time. Then they evolved to about 1:30 each time every 30 minutes to an hour or so. Had they contacted me, the situation would have been different, but now every time I see anything resembling kiwirecorder.py, they get bounced and blocked.

    Don't get me wrong, it's a neat script that has its place, and I don't mind my receiver being used for research purposes, but there's just a right way and a wrong way to go about it. Your user did it right by at least letting you know what he was doing. These other folks just don't care, as Powernumpty stated above.

  • My kiwi has been pretty quiet but I had a couple more kiwirecorder hits this past week. One was an OP in China recording EAM messages in one hour segments every hour on the hour so effectively tying up a channel for a whole day before I caught it. I at least know what they were doing.

    The other hit was another 1:33 connection from London. I checked and my device doesn't show a blacklist update available so it should be up to date but this IP range isn't in there from what I can tell. There is a 192.248.144.XXX in there but not 192.248.159.XXX.

    Jun 16 04:08:11 kiwisdr kiwid: 1d:10:26:59.643 01.. 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 04:09:43 kiwisdr kiwid: 1d:10:28:31.527 .1.. 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:32)
    Jun 16 04:55:21 kiwisdr kiwid: 1d:11:14:09.358 012.   2     58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 04:56:53 kiwisdr kiwid: 1d:11:15:41.163 .1..   2  28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:32)
    Jun 16 05:40:09 kiwisdr kiwid: 1d:11:58:57.775 01.. 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 05:41:41 kiwisdr kiwid: 1d:12:00:29.589 .1.. 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:32)
    Jun 16 06:27:22 kiwisdr kiwid: 1d:12:46:10.629 01.. 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 06:28:54 kiwisdr kiwid: 1d:12:47:42.414 .1.. 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:32)
    Jun 16 07:10:45 kiwisdr kiwid: 1d:13:29:33.507 01.. 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 07:12:18 kiwisdr kiwid: 1d:13:31:06.419 .1.. 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:33)
    Jun 16 07:56:44 kiwisdr kiwid: 1d:14:15:33.034 01.. 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 07:58:17 kiwisdr kiwid: 1d:14:17:05.921 .1.. 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:33)
    Jun 16 08:44:14 kiwisdr kiwid: 1d:15:03:02.222 0... 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 08:45:45 kiwisdr kiwid: 1d:15:04:33.960 .... 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:32)
    Jun 16 09:31:40 kiwisdr kiwid: 1d:15:50:28.074 0... 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 09:33:12 kiwisdr kiwid: 1d:15:52:00.808 .... 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:33)
    Jun 16 10:20:33 kiwisdr kiwid: 1d:16:39:21.301 0... 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 10:22:04 kiwisdr kiwid: 1d:16:40:53.033 .... 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:33)
    Jun 16 11:10:16 kiwisdr kiwid: 1d:17:29:04.113 01..  1      58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 11:11:47 kiwisdr kiwid: 1d:17:30:35.608 0...  1   28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:32)
    Jun 16 11:55:41 kiwisdr kiwid: 1d:18:14:29.302 0... 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
    Jun 16 11:57:12 kiwisdr kiwid: 1d:18:16:01.021 .... 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:32)
    


  • KU4BY - I've had the Chinese bots many times, sitting on USAF frequencies as well. I have 7 KiwiSDRs here, and sometimes the bot(s) will be on all of them. They change IP addresses frequently, so it's a game of whack-a-mole.

    Besides tying up channels, the major problem is that they also seem to be causing Kiwi operation problems, glitchy audio on other channels. Not sure this is purposely malevolent, but the end result is the same. So I kick/ban them when I see them.

  • @ChrisSmolinski Yeah, when we first started noticing this, they weren't showing up in the Admin page because of how they were accessing the receivers, so there was no way of kicking or banning them from the GUI. You had to do it at the OS level, and I'm not very proficient with Linux, but I am getting better. My major issue was that they tied up all 4 channels, so where I thought I couldn't access it, it turned out that nobody could access it.

    Generally speaking, I'm a fan of automation and research, but if you plan on using my receiver to do it, I would appreciate some sort of heads up explaining what you're doing and maybe some insight into what was gained from it. I'd even provide a designated channel if required. The way it is now, it's more like a DoS attack, so I blacklist them every time I see them.

    I haven't noticed any other issues but that doesn't mean that there weren't any.

  • I'm going to try updating the blacklist today (192.248.158.0/23 and 115.171.128.0/18 will be new). This will be the first live test of the recent auto update mechanism, other than my testing.

    Let's see if I can crash every Kiwi worldwide that hasn't opted-out of the updates. As usual when I send out updates I'll be watching map.kiwisdr.com for all the markers to start turning purple 🙄

  • Update: seems to be going okay. 3 public Kiwis observed to have auto-updated properly. The next release will include a hash of the current blacklist used in the info reported by a /status inquiry.

  • I have finally been hit with a suspect series of connections.

    Jul 3 10:22:45 beaglebone kiwid: 9d:14:52:27.584 01.. 0      58.59 kHz WF z8 "Tom.Miller" 65.49.218.21 (ARRIVED)
    Jul 3 10:24:17 beaglebone kiwid: 9d:14:53:59.207 .1.. 0   28125.00 kHz WF z3 "Tom.Miller" 65.49.218.21 Los Angeles, California, USA (LEAVING after 0:01:32)
    Jul 3 14:41:59 beaglebone kiwid: 9d:19:11:41.511 0... 0      58.59 kHz WF z8 "Pony.Stuart" 65.49.218.21 (ARRIVED)
    Jul 3 14:43:30 beaglebone kiwid: 9d:19:13:13.035 .... 0   28125.00 kHz WF z3 "Pony.Stuart" 65.49.218.21 Los Angeles, California, USA (LEAVING after 0:01:32)
    Jul 3 17:27:18 beaglebone kiwid: 9d:21:57:00.776 0... 0      58.59 kHz WF z8 "July_Miller" 65.49.218.21 (ARRIVED)
    Jul 3 17:28:50 beaglebone kiwid: 9d:21:58:32.283 .... 0   28125.00 kHz WF z3 "July_Miller" 65.49.218.21 Los Angeles, California, USA (LEAVING after 0:01:32)

    The same IP but different names.

    They then change IP and go again. All VPNs.

    65.49.218.21 IT7 networks

    207.148.70.7 The Constant Company choopa.com

    140.82.24.131 Vultr Holdings LLC

    Jim

  • jksjks
    edited July 5

    I added these, but note 140.82.0.0/18 (0.0:63.255) has been in the blacklist for almost a year. So I don't know how you'd be seeing 140.82.24.131 if you have things configured properly. Make sure you are running a recent software version and have "Automatically download IP blacklist?" set to Yes on the admin page, Network tab.

    Interesting about the fake names.
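The two logs quoted above (the 192.248.159.204 hits and Jim's rotating-name hits from 65.49.218.21) share one signature: the same IP arrives, stays almost exactly 1:32, and comes back on a fixed cadence. Below is an added example, not part of this thread or of the KiwiSDR software, that pulls ARRIVED/LEAVING pairs out of a kiwid log, flags IPs with that signature (collecting the names used, so rotating usernames on one IP stand out), and checks whether an address is already covered by a blacklist CIDR, which is the question behind "192.248.144.XXX is in there but not 192.248.159.XXX" and behind jksjks's note that 140.82.0.0/18 was already listed. The sample log is constructed from the posted lines plus one invented ordinary listener; the 192.248.144.0/24 mask for the existing entry is an assumption, since the post only gives the first three octets.

```python
"""Find repeating fixed-length sessions (the kiwirecorder.py bot pattern) in a
kiwid log and check their IPs against blacklist CIDRs. Added example, not
KiwiSDR code; the log format follows the lines quoted in this thread."""
import re
import statistics
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: the first twelve lines are copied from the two posts
# above, the last two are an invented ordinary listener for contrast.
SAMPLE_LOG = """\
Jun 16 04:08:11 kiwisdr kiwid: 1d:10:26:59.643 01.. 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
Jun 16 04:09:43 kiwisdr kiwid: 1d:10:28:31.527 .1.. 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:32)
Jun 16 04:55:21 kiwisdr kiwid: 1d:11:14:09.358 012.   2     58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
Jun 16 04:56:53 kiwisdr kiwid: 1d:11:15:41.163 .1..   2  28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:32)
Jun 16 05:40:09 kiwisdr kiwid: 1d:11:58:57.775 01.. 0       58.59 kHz  WF z8  "kiwirecorder.py" 192.248.159.204 (ARRIVED)
Jun 16 05:41:41 kiwisdr kiwid: 1d:12:00:29.589 .1.. 0    28125.00 kHz  WF z3  "kiwirecorder.py" 192.248.159.204 London, United Kingdom (LEAVING after 0:01:32)
Jul 3 10:22:45 beaglebone kiwid: 9d:14:52:27.584 01.. 0      58.59 kHz WF z8 "Tom.Miller" 65.49.218.21 (ARRIVED)
Jul 3 10:24:17 beaglebone kiwid: 9d:14:53:59.207 .1.. 0   28125.00 kHz WF z3 "Tom.Miller" 65.49.218.21 Los Angeles, California, USA (LEAVING after 0:01:32)
Jul 3 14:41:59 beaglebone kiwid: 9d:19:11:41.511 0... 0      58.59 kHz WF z8 "Pony.Stuart" 65.49.218.21 (ARRIVED)
Jul 3 14:43:30 beaglebone kiwid: 9d:19:13:13.035 .... 0   28125.00 kHz WF z3 "Pony.Stuart" 65.49.218.21 Los Angeles, California, USA (LEAVING after 0:01:32)
Jul 3 17:27:18 beaglebone kiwid: 9d:21:57:00.776 0... 0      58.59 kHz WF z8 "July_Miller" 65.49.218.21 (ARRIVED)
Jul 3 17:28:50 beaglebone kiwid: 9d:21:58:32.283 .... 0   28125.00 kHz WF z3 "July_Miller" 65.49.218.21 Los Angeles, California, USA (LEAVING after 0:01:32)
Jul 3 18:00:00 beaglebone kiwid: 9d:22:29:42.000 0... 1    7055.00 kHz LSB z9 "listener" 203.0.113.7 (ARRIVED)
Jul 3 18:47:12 beaglebone kiwid: 9d:23:16:54.000 .... 1    7055.00 kHz LSB z9 "listener" 203.0.113.7 Sydney, Australia (LEAVING after 0:47:12)
"""

# Uptime, channel-status, frequency and mode fields are skipped with a lazy ".*?".
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kiwid: .*?"(?P<user>[^"]*)" '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: (?P<geo>[^()]*?))? '
    r'\((?:(?P<arrived>ARRIVED)|LEAVING after (?P<dur>\d+:\d\d:\d\d))\)\s*$')


def parse_sessions(log_text):
    """Pair each ARRIVED with the next LEAVING for the same (ip, name).
    Returns {ip: [(name, start, duration_seconds), ...]}."""
    open_conns, sessions = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other kiwid output (GPS, admin, blacklist loading ...)
        key = (m['ip'], m['user'])
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')  # year-less syslog stamp
        if m['arrived']:
            open_conns[key] = ts
        elif key in open_conns:  # LEAVING without an ARRIVED means a truncated log
            h, mn, s = (int(x) for x in m['dur'].split(':'))
            sessions.setdefault(m['ip'], []).append(
                (m['user'], open_conns.pop(key), h * 3600 + mn * 60 + s))
    return sessions


def flag_periodic(sessions, min_sessions=3, max_spread_s=5):
    """Report IPs whose sessions repeat, are near-identical in length and come
    back on a regular cadence (1:32 every 45 minutes or so in the thread), as
    opposed to a listener who stays a variable while."""
    report = {}
    for ip, sess in sessions.items():
        durs = [d for _, _, d in sess]
        if len(sess) < min_sessions or max(durs) - min(durs) > max_spread_s:
            continue
        starts = sorted(t for _, t, _ in sess)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
        report[ip] = {'sessions': len(sess),
                      'duration_s': round(statistics.median(durs)),
                      'interval_min': round(statistics.median(gaps)),
                      'names': sorted({n for n, _, _ in sess})}
    return report


# From the thread: the poster saw a 192.248.144.XXX entry (the /24 mask here
# is an assumption) and jksjks says 140.82.0.0/18 has been listed for a year.
EXISTING_BLACKLIST = ['192.248.144.0/24', '140.82.0.0/18']
# The two ranges jksjks added in the June update.
NEW_ENTRIES = ['192.248.158.0/23', '115.171.128.0/18']


def covering_entries(ip, blacklist):
    """Blacklist CIDRs that already contain ip; empty means a new entry is
    needed (or the auto-update has not reached this Kiwi yet)."""
    addr = ip_address(ip)
    return [c for c in blacklist if addr in ip_network(c, strict=False)]


if __name__ == '__main__':
    for ip, info in flag_periodic(parse_sessions(SAMPLE_LOG)).items():
        before = covering_entries(ip, EXISTING_BLACKLIST)
        after = covering_entries(ip, EXISTING_BLACKLIST + NEW_ENTRIES)
        print(f"{ip}: {info['sessions']} x ~{info['duration_s']}s every "
              f"~{info['interval_min']} min as {info['names']}; "
              f"covered before update: {before or 'none'}, after: {after or 'none'}")
```

Run as-is it flags both bot IPs and not the listener, and it shows that 192.248.159.204 falls outside 192.248.144.0/24 but inside the 192.248.158.0/23 entry added later in the thread, while 140.82.24.131 was already inside 140.82.0.0/18. The minimum-session count and duration-spread thresholds are the knobs: a human who reconnects a few times does not produce near-identical session lengths, so the spread test is what separates the two.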

  • I looked at my logs again.

    The 140.82.24.131 occurred while the iptables chain was being rebuilt after I added one of the other addresses.

    Unfortunate timing and not a problem with the blacklist...

    23:01:50.075 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 27.154.20.0/24 -j DROP" rv=0
    23:01:50.287 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 27.154.22.0/24 -j DROP" rv=0
    23:01:50.500 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 34.0.0.0/8 -j DROP" rv=0
    23:01:50.573 0... 0      58.59 kHz WF z8 "Lily" 140.82.24.131 (ARRIVED)
    23:01:50.711 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 35.0.0.0/8 -j DROP" rv=0
    23:01:51.171 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 38.106.20.0/24 -j DROP" rv=0
    23:01:51.382 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 38.143.0.0/16 -j DROP" rv=0

    Jim
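Jim's explanation, that "Lily" from 140.82.24.131 got in while the KIWI chain was being rebuilt, can be checked mechanically from the log rather than by eye. The following is an added example, not KiwiSDR code, that replays the ip_blacklist_add_iptables lines and the ARRIVED lines in order and reports, for each arrival, whether no entry covers it, whether its covering rule was only inserted afterwards (and by how many milliseconds), or whether a matching DROP rule already existed, which would mean the chain is not being traversed for that traffic at all. The sample is the posted excerpt plus two constructed lines: an assumed later insert of 140.82.0.0/18 (the posted inserts appear in ascending address order, so it is placed after the 38.x entries) and an arrival from an address that no entry covers.

```python
"""Replay a kiwid log excerpt to see whether a connection got in while the
blacklist was still being loaded into the KIWI iptables chain. Added example,
not KiwiSDR code; the line formats follow the excerpt quoted above."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the first seven lines are the posted excerpt. The last two
# are added for the example: an assumed later insert of 140.82.0.0/18 (the
# posted inserts run in ascending address order, so it would follow the 38.x
# entries) and an arrival from an address that no entry covers.
SAMPLE_LOG = """\
23:01:50.075 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 27.154.20.0/24 -j DROP" rv=0
23:01:50.287 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 27.154.22.0/24 -j DROP" rv=0
23:01:50.500 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 34.0.0.0/8 -j DROP" rv=0
23:01:50.573 0... 0      58.59 kHz WF z8 "Lily" 140.82.24.131 (ARRIVED)
23:01:50.711 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 35.0.0.0/8 -j DROP" rv=0
23:01:51.171 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 38.106.20.0/24 -j DROP" rv=0
23:01:51.382 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 38.143.0.0/16 -j DROP" rv=0
23:01:53.910 0...     ip_blacklist_add_iptables: "iptables -I KIWI -s 140.82.0.0/18 -j DROP" rv=0
23:01:55.100 0... 1    7055.00 kHz WF z8 "Guest" 198.51.100.9 (ARRIVED)
"""

RULE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) .*ip_blacklist_add_iptables: '
    r'"iptables -I KIWI -s (?P<cidr>\S+) -j DROP" rv=(?P<rv>-?\d+)')
ARRIVE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) .*"(?P<user>[^"]*)" '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(ARRIVED\)')


def to_ms(ts):
    """'HH:MM:SS.mmm' -> milliseconds since midnight."""
    h, m, s = ts.split(':')
    return (int(h) * 3600 + int(m) * 60) * 1000 + round(float(s) * 1000)


def replay(log_text):
    """Walk the log in order and classify every ARRIVED line against the DROP
    rules that had been inserted successfully (rv=0) by that moment."""
    installed, arrivals, findings = [], [], []
    for line in log_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            if m['rv'] == '0':  # a non-zero rv means iptables rejected the insert
                installed.append((to_ms(m['ts']), ip_network(m['cidr'], strict=False)))
            continue
        m = ARRIVE_RE.match(line)
        if m:
            arrivals.append((to_ms(m['ts']), ip_address(m['ip']), m['user']))
    for t_arr, addr, user in arrivals:
        f = {'ip': str(addr), 'user': user}
        covering = sorted((t, n) for t, n in installed if addr in n)
        if not covering:
            f['kind'] = 'not_blacklisted'  # a new entry is needed
        elif covering[0][0] > t_arr:
            # the first rule that would have dropped it went in after arrival
            f.update(kind='race_window', cidr=str(covering[0][1]),
                     gap_ms=covering[0][0] - t_arr)
        else:
            # a matching DROP rule was already present, so the KIWI chain is
            # not being traversed for this traffic: check that a built-in
            # chain actually jumps to it
            f.update(kind='rule_ineffective', cidr=str(covering[0][1]))
        findings.append(f)
    return findings


if __name__ == '__main__':
    for f in replay(SAMPLE_LOG):
        print(f)
```

The gap it reports is the window that one-rule-at-a-time inserts leave open: here a few seconds, and longer on a slow board with a long list. Loading a rebuilt list atomically, for example with iptables-restore, or by pointing a single rule at an ipset that is swapped in whole, closes that window; whether that fits the Kiwi build is a question for its maintainers, not something this excerpt settles.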
