
Call for IP address blacklist contributions


Comments

  • I second G8JNJ's suggestion on the option to select automatic updates for the IP blacklist. I would suggest the default be manual, as it is now, and to give the admin a button or a checkbox to enable auto updates.

    Carmine W1EQX

  • Good morning and happy holidays.

    This morning, after previously blacklisting the IPs

    120.36.245.22;

    120.36.244.189;

    which accessed my Kiwi and stayed parked for the entire time allowed by the connection on a frequency in AM mode where there are no transmissions, and tired of the last IP accessing and being rejected by the blacklist, I found a new parasite connected:


    "(no identity)" (120.36.244.230, unknown location) 1357.82 kHz am z13 1:15:14


    I performed a reverse IP lookup:

     120.36.244.230 Asia Pacific Network Information Center (AS4134) - 230.244.36.120.broad.xm.fj.dynamic.163data.com.cn


    and a whois lookup:


    Whois Record for 163Data.com.cn

    Domain Profile
    Registrar: 阿里云计算有限公司（万网） (Alibaba Cloud Computing Co., Ltd. / HiChina)
    IANA ID: -
    URL: -
    Whois Server: -
    Registrar Status: clientUpdateProhibited, inactive
    Dates: 5,280 days old
    Created on 2007-07-11
    Expires on 2022-07-11
    Tech Contact: -
    Website Title: None given.

    Whois Record (last updated on 2021-12-24)
    Domain Name: 163data.com.cn
    ROID: 20070711s10011s23187457-cn
    Domain Status: clientUpdateProhibited
    Domain Status: inactive
    Registrant: 中国电信集团公司 (China Telecom Group Corporation)
    Registrant Contact Email: tomorrow@chinatelecom.com.cn
    Sponsoring Registrar: 阿里云计算有限公司（万网） (Alibaba Cloud Computing Co., Ltd. / HiChina)
    Registration Time: 2007-07-11 17:04:42
    Expiration Time: 2022-07-11 17:04:42
    DNSSEC: unsigned


    Having said that, I have noticed some lines in my log that I think are suspicious, but being totally ignorant of programming I cannot decipher whether they are problems or not. I sent a copy of the log to jks and support@kiwisdr.com, hoping to get an explanation.


    However, in the face of all this I have blacklisted all 64.536 IPs of the domain 120.36.xxx.xxx [120.36.0.0/16]


    If this has also happened to others, I would appreciate an exchange of views also by private message here on the forum so as not to clog the discussion.


    Greetings

    Fabrys

  • Not seen that one here, thanks will add to the router.

    Merry Christmas

    Stu

  • Good morning and happy holidays.

    I would like to bring to your attention the following IP:

    Fri Dec 31 13:04:25 12:16:07.735 012.  1   L   216.00 kHz  am z7  "37.73.49.143" Ukraine (ARRIVED)

    RX1 (37.73.49.143, Ukraine) 262.82 kHz am z7 0:05:02 0:10:15 act

    ... impossible to trace the DNS, at least with my checks. As you can see, it is positioned on an (empty) frequency, at least at my latitudes, and remains fixed there for as long as allowed. Which reminds me (if you scroll up some posts you will find mine from December 24th):

    "(no identity)" (120.36.244.230, unknown location) 1357.82 kHz am z13 1:15:14

    ... in both cases a frequency free of transmissions, with the frequency ending in [xxxx.82].

    I don't know if I've become paranoid, but these recurring behaviours leave me thinking.

    Obviously, for the avoidance of doubt, it is blacklisted.

    Welcome any comments.

    Fabrys

  • Added 146.148.0.0/17 (Google cloud services) which was caught hammering on proxy host. Please download a new ip blacklist. Remember to save and re-add your local changes to the blacklist.

  • Is it still advisable to keep 34.0.0.0/8 35.0.0.0/8 blacklisted?

  • Definitely. I see all kinds of traffic from those ranges to the proxy server.

  • In v1.485 the admin page, network tab, will show when a new blacklist is available for download.

    No automatic update mechanism yet. That's difficult for a number of reasons.

  • Hi,

    IP address 130.211.233.123 constantly bombs my SDR3, so finally the Kiwi became unavailable to the public...

    I have added 130.211.233.123/32 to the blacklist... hopefully it helps...


    Ulli, ON5KQ

    P.S.: All Kiwis are fully available to the public (4-channel mode per Kiwi) - sadly with some very noticeable PLC noise from the neighbours... outside of the ham bands, PLC/HomePlug users are the primary frequency users in Belgium, unfortunately with very high allowed transmission levels.

  • jks (edited January 2022)

    Thanks. The proxy server sees the same ip targeting other Kiwis. 130.211.0.0/16 is Google cloud. So I added that to the downloadable blacklist. The admin page, network tab, of all Kiwis running v1.485 or later should show that a new download is available.

  • New Vultr seen today 67.219.111.113

    Might be OK, but worth checking logs for issues around that time (IMO).

  • While we are at it, does anyone know more precisely the meaning of the following log messages?

    L "(no identity)" 52.78.147.239 incomplete connection kicked

    Is it reasonable to assume these denote some sort of "doorknob twisting" and are hence targets for blacklisting?

  • jks (edited February 2022)

    Yeah, "incomplete connection" means someone (not the Kiwi javascript code running in the browser, or kiwiclient/kiwirecorder, or other legitimate Kiwi API user) is not making a valid set of initial Kiwi API calls. That ip address is in the 52.64.0.0/12 CIDR of Amazon EC2. I could add it to the blacklist.

    Eventually we're going to hit the problem of someone having a valid Kiwi-related service in the ip range of a well known cloud provider that is otherwise blacklisted. For example an SSL proxy. The kiwisdr.com services use a cloud provider that is less well known so for now this hasn't been an issue (and specific ip addresses otherwise blacklisted could always be put on a whitelist I guess).

  • Okay, we had a blacklist entry for 52.79.0.0/16 which I replaced with 52.0.0.0/10 and 52.64.0.0/12. Use the download button on your admin page, network tab to get the updated blacklist. Also added 67.219.96.0/20 from Stu's report yesterday.

  • Thank you John.

  • After downloading the shared blacklist, still getting this hit, from a rather large AWS subnet:

    L "(no identity)" 3.35.217.73 incomplete connection kicked

    # whois.arin.net
    NetRange:      3.0.0.0 - 3.127.255.255
    CIDR:          3.0.0.0/9
    NetName:       AT-88-Z
    NetHandle:     NET-3-0-0-0-1
    Parent:        NET3 (NET-3-0-0-0-0)
    NetType:       Direct Allocation
    OriginAS:
    Organization:  Amazon Technologies Inc. (AT-88-Z)
    RegDate:       2017-12-20
    Updated:       2021-07-22
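The two posts above show the practical problem with a shared blacklist: a kicked address may sit inside a range that was added (52.78.147.239 in 52.64.0.0/12) or in one that was not yet (3.35.217.73 in Amazon's 3.0.0.0/9). The following is an added example, my own code and not part of KiwiSDR or this thread, that pulls the addresses from "incomplete connection kicked" log lines and checks each one against the CIDR entries of the shared list, flagging the uncovered ones with a /24 as a starting suggestion. The log lines and blacklist entries are constructed from the ones quoted in this thread; the regex assumes the line format shown above, and the /24 suggestion is a heuristic of this example, not something the Kiwi does.

```python
import ipaddress
import re

# Constructed sample of Kiwi log lines, modelled on the ones quoted in this
# thread (not a real capture). The RX1 line is there to show that only the
# "incomplete connection kicked" lines are picked up.
SAMPLE_LOG = """\
L "(no identity)" 52.78.147.239 incomplete connection kicked
L "(no identity)" 3.35.217.73 incomplete connection kicked
RX1 (37.73.49.143, Ukraine) 262.82 kHz am z7 0:05:02 0:10:15 act
"""

# Entries of the shared blacklist as described in this thread (assumed subset).
SHARED_BLACKLIST = [
    "52.0.0.0/10",
    "52.64.0.0/12",
    "67.219.96.0/20",
    "130.211.0.0/16",
    "146.148.0.0/17",
]

# Assumed log format: the quoted identity, the IPv4 address, then the message.
KICKED_RE = re.compile(
    r'"\(no identity\)"\s+(\d{1,3}(?:\.\d{1,3}){3})\s+incomplete connection kicked'
)


def parse_blacklist(entries):
    """Turn text entries into network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def kicked_ips(log_text):
    """Addresses of clients the Kiwi kicked for an incomplete connection."""
    return [m.group(1) for m in KICKED_RE.finditer(log_text)]


def is_blacklisted(ip_str, entries):
    """Return the covering blacklist entry as a string, or None if uncovered."""
    ip = ipaddress.ip_address(ip_str)
    for net in parse_blacklist(entries):
        if net.version == ip.version and ip in net:
            return str(net)
    return None


def triage(log_text, entries):
    """Map each kicked address to ("covered", entry) or ("uncovered", /24)."""
    report = {}
    for ip_str in kicked_ips(log_text):
        covering = is_blacklisted(ip_str, entries)
        if covering is None:
            # Heuristic suggestion only: the surrounding /24, to be checked
            # against whois before adding anything wider.
            suggestion = ipaddress.ip_network(f"{ip_str}/24", strict=False)
            report[ip_str] = ("uncovered", str(suggestion))
        else:
            report[ip_str] = ("covered", covering)
    return report


if __name__ == "__main__":
    for ip_str, (status, detail) in triage(SAMPLE_LOG, SHARED_BLACKLIST).items():
        print(f"{ip_str:16} {status:10} {detail}")
```

Run it against a real log by reading the file into `log_text` and pasting the downloaded blacklist into `SHARED_BLACKLIST`; an "uncovered" result is the cue to look up the owning range (as with the ARIN record above) before deciding how wide an entry to add.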

  • I have that one blocked at the router from October 2021.

    I only block 3.35.217.0/24 and have not noticed a wider issue (until I post this and they move).

  • Added..

  • New Vultr seen today

    208.85.22.113
    

    In case anyone wonders, I had issues with Vultr so blocked a few addresses, since blocking them I realised I had constant port scans from these ranges, just checked from five days ago and in the order of 10k scans or connection attempts on a non listed SDR. The source IP changes as, I assume, people recognise it.

    Parent company medium scam risk

    https://scamalytics.com/ip/isp/the-constant-company

  • 208.85.16.0/21 added

    It would be nice to block by name, e.g. *.adsl.xyz.xy, and to have a separate tab for your own list that does not disappear after retrieving a new list, as it does now.

  • 114.249.0.0/18 Chinese bot, when connected without identification and showing no typical user characteristics, just takes up slots

  • jks (edited March 2022)

    You'll need to update to v1.492 (or later) to receive ongoing updates to the ip blacklist.

    A bug was fixed allowing more than 64 entries in the blacklist.

  • v1.493 has an additional, local, writable ip blacklist that won't get overwritten when the primary blacklist is downloaded. See admin page, network tab.
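With a downloaded list that gets overwritten and a local list that persists, an admin will want to know which local entries the shared list already covers (so they can be dropped) and what the effective union of the two looks like. The following is an added example, my own code and not part of the KiwiSDR software, that does both with Python's ipaddress module. The entries are constructed from ones quoted in this thread, and both lists are plain strings because the page does not describe the on-disk format the Kiwi uses.

```python
import ipaddress

# Constructed lists modelled on entries quoted in this thread (not real files).
DOWNLOADED = [
    "52.0.0.0/10",
    "52.64.0.0/12",
    "130.211.0.0/16",
    "208.85.16.0/21",
    "3.35.217.0/24",
]
LOCAL = [
    "130.211.233.123/32",   # the ON5KQ report, now inside 130.211.0.0/16
    "208.85.22.113",        # bare address, treated as /32; inside 208.85.16.0/21
    "120.36.0.0/16",        # Fabrys' range, not in the shared list
    "3.35.217.0/24",        # exact duplicate of a shared entry
]


def to_networks(entries):
    """Parse text entries; a bare address becomes a host route (/32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def redundant_local_entries(downloaded, local):
    """Local entries that some downloaded entry already covers (or equals)."""
    shared = to_networks(downloaded)
    redundant = []
    for entry in local:
        net = ipaddress.ip_network(entry, strict=False)
        if any(net.subnet_of(big) for big in shared if big.version == net.version):
            redundant.append(entry)
    return redundant


def merged_blacklist(downloaded, local):
    """Union of both lists, collapsed to the minimal sorted set of prefixes.

    collapse_addresses refuses mixed IPv4/IPv6 input, so the two families are
    collapsed separately and then concatenated.
    """
    nets = to_networks(downloaded) + to_networks(local)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged]


if __name__ == "__main__":
    print("redundant local entries:", redundant_local_entries(DOWNLOADED, LOCAL))
    print("effective blacklist:")
    for entry in merged_blacklist(DOWNLOADED, LOCAL):
        print("  ", entry)
```

Note that collapsing also merges two adjacent sibling prefixes into their parent, so the effective list may contain a wider entry than either file; that is the intended behaviour for a blocklist but worth keeping in mind if an exception (a whitelisted address, as mentioned earlier in the thread) is supposed to sit between them.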

  • Thank you for a great job

  • So I blew my router config, had to use a spare, was visited by some new (Constant Company) addresses.

    139.198.178.150, 70.34.243.4, 155.138.233.149

    139.198.0.0/16 70.34.240.0/20 155.138.224.0/20

  • updated

  • (edited March 2022)

    IP: 196.247.240.144 looks like a bad script that doesn't process the KiwiSDR responses...

  • Today's Vultr Canada 208.85.22.113

    208.85.16.0/21

    They must run out soon, I thought IPv4 addresses were in short supply.

This discussion has been closed.