The Saga of glitchy audio/waterfall and a Chinese Bot
For the past day or two, I've been experiencing an issue with glitchy audio & waterfall on some of my KiwiSDRs (there are 7 hosted here). It's been intermittent, and took a while to figure out what's been happening... but I think I did:
I noticed the problem would only start when a certain bot from China would appear in IQ mode, often parked on 5958 kHz but sometimes elsewhere. And this bot would often be on several KiwiSDRs at the same time. Most recently from 18.104.22.168, but also from 22.214.171.124 and maybe other addresses as well, which makes it difficult to completely keep it away. It's geolocated to Beijing, no idea how accurate that is.
Once I put it on the network blacklist and kicked it, the glitching would stop, not immediately but after a few minutes. I reproduced this on several of the KiwiSDRs here, so I think the correlation between the bot & glitches is not coincidental.
I have other users using IQ mode without causing the problem, so I suspect it could well be something the bot is doing, either malevolent or just shoddy programming.
I wanted to let others know about this, in case they observe the problems.
This brings up a question - any chance we could get a way to geoblock entire countries on the KiwiSDR network admin page?
Once again I've had issues with a bot/user from China causing my KiwiSDRs to malfunction while in IQ mode, this time from 126.96.36.199.
As he is changing IP addresses to evade my bans, I've now disabled IQ mode on the KiwiSDRs to see if that at least keeps him away.
Unfortunately, misfits like this are why we can't have nice things.
Am I the only one that has never experienced one of these infamous bots?
I wonder what a bot could do to disrupt the normal behavior of the kiwi even in IQ mode. Of course IQ uses more processing power and more bandwidth, but from the web interface I cannot imagine what kind of attack you could perpetrate. Maybe sending very fast requests? How do you tell it's a "Chinese bot"?
@marcogoni If you have the blacklist active they are probably trying but not connecting.
I just looked at some logs and despite not having a Kiwi active at this IP these are today's (12hr) bot type connections. IP and number of connections.
Obviously that is not all, there were a few genuine attempts and some proper hacker type connections but the list above is just bot signatures.
Had missed some early ones
OK, but what does a bot do exactly?
I activated the blacklist only very recently and never had any suspicious activity despite checking and using the kiwi A LOT.
I don't know what the bot extracts from the connection but I do know it locks up the resources and can make the Kiwi unresponsive for other users. Perhaps they snapshot radios in specific geographical locations or they have reason to want to tie up specific Kiwis that might be on interesting networks.
If it is geographical they might already have a known Kiwi in your location, or perhaps they prefer certain known antennas, without filtering, to perform like for like comparisons. When I put my Kiwi back on I'll have to throw some RF notches at it or dream up some other way to make it fall off the list.
I was just watching a bot on one of my systems. The same IP# was "in" Beijing during one frequency then "in" Taipei on its next frequency. Perhaps they're not in that region at all!
The Vultr addresses could be a VPN to anonymize the source. I was seeing South Korea the other day just from firewall attempts at common Kiwi ports.
I've noticed a predilection for sitting on USAF frequencies. Right now I have one from 188.8.131.52, supposedly Beijing, China, sitting on 11175. Time for another entry in the local blacklist...