Getting smashed by bots
I don't know what others are experiencing but over the past week or two I've been getting absolutely smashed by bots.
The daily cumulative limit per IP address (three hours on my system) doesn't seem to be making any difference and as the bots are using proxies it's impossible to keep up with them with IP blocking.
Comments
A lot of new Tencent and Alibaba addresses rather than just Vultr this week for me.
Historically it was Vultr for the scans then another IP for connections.
That's just connections at the firewall :8073 rather than to a Kiwi.
I wonder if something is imminent, whatever it is will doubtless make getting chips harder...
I've also had a lot of Alibaba addresses, just sitting on a random frequency for hours on end, and that was on a currently non-public KiWi that I'm testing.
I added 8.192.0.0/11 to my personal balcklist as a precaution, but I'm not sure of a suitable range for Tencent.
Regards,
Martin
Is it any use to change the port to something that has never been advertized or do these bots do port scans looking for a Kiwi? It might be worth trying some out-of-the-way port number, particularly so if some other measure such as Uncomplicated Firewall (UFW) were added in (maybe that could help).
It might also be worth us mapping the locations of target receivers to see if that helps with countermeasures.
I have only had limited problems of this sort but I suppose all Kiwis with Internet access are potential targets so it's hard to say who will be next.
Try to block the TOR network and public VPN services, it's not difficult and there are lot of guides on the Internet how to do that (and on our forum too), of course only accept connection to the correct URL domain name (don't allow connection to IP address).
But if you have public KiwiSDR and its URL is published on the official page, - no need any port scanning, just parse http://kiwisdr.com/public/ and use it. :)
Sorrowly, but no silver bullet for bots or DDoS, its only long way without victory. :)
73! Yuri
I added 107.191.39.0/24 to block a new wave of Vultr scans.
Using random names such as "Lily_Brown"
Jim
You can also mask the 4.5MHz bandwidth they love or any other where they stand by adding it in the DX tab
the masking width can be set freely, effective and simple
If these are really bots and not real people, then this will not stop them. They will listen to masked frequencies and occupy free channels.
I had them (bots) tying up the designated FT8 frequencies on just about every ham band. I masked them all but within days the bots were back on other frequencies.
It worked for me, after a week of masking, they gave up listening where they are unable to pick up, patience.
A while ago I noticed 2 sessions from china on my kiwi with 118-146MHz band
one had its IP 49.77.180.23 and according to what the USERS window showed, it was listening on 241.368.CW ? the second 127.0.0.1 around 130200
After blocking 49.64.0.0/11, it tries to enter dozens of times a minute.