DOS attack on APRS-IS, 2022-02-26

Heikki Hannikainen

Feb 26, 2022, 4:49:22 AM
to apr...@googlegroups.com

Last night there were large amounts of pseudorandom position packets flooded on
a rectangular area in Russia. It's just now happened again. Peaking 1000-1500
packets per second, normal rate being below 100/sec. The traffic spikes are
visible on APRS-IS server graphs:

http://first.aprs.net:14501/ (click on the blue stats links to plot a graph of
each)

While it's obvious someone is trying to attack Russian hams, it is mostly
causing trouble to people outside Russia, as the packet flood is breaking
services worldwide, it is breaking APRS things for everyone. The
targeting is completely wrong.

The packet rates were large enough to cause problems to APRS-IS clients
digesting the full APRS-IS feed and pushing those to databases, APRS-IS servers
themselves seem to handle the packet rate for now.

I'll filter this out now on aprs.fi to prevent it from hurting the service
for other parts of the world. Needless to say, I'd have better things to
do than dealing with this crap.

APRS activity during past 24 hours:
https://www.dropbox.com/s/c67f5djy7kx1ul7/aprs-dos-attack-20220226-russia.png?dl=0

What the flooded area looks like right now (if you open this up much later it'll
be gone, and it is also rather heavy on aprs.fi & the web browser):
https://www.dropbox.com/s/l8lcr318zqhvi80/aprs-dos-attack-20220226-russia2.png?dl=0

Raw packets for those look something like this:

https://aprs.fi/?c=raw&call=WI7KWX-10
https://aprs.fi/?c=raw&call=WB69OAJ-3
https://aprs.fi/?c=raw&call=XJ9CZH-87

Similar events have happened in Poland a few times during the past year or so.
This looks fairly similar, messages are in Polish, Google Translate will
translate them to English just fine.

If you wish to reply, please keep your posts nice and on the *technical*
topic; I wouldn't like to spend time moderating this list a lot. The
whole war thing is nasty enough as it is, and quite close from here.

- Hessu, OH7LZB/AF5QT

Heikki Hannikainen

Feb 26, 2022, 9:30:48 AM
to apr...@googlegroups.com

The attack has continued today.

I have configured temporary filtering on aprs.fi to prevent the DOS attack
from breaking the service for all users. Valid APRS data from the affected
area in Russia will not be ingested at aprs.fi for the time being.

For now this is just a pragmatic workaround for the immediate issue of the
attack causing processing delays and overload at aprs.fi.

Deleted 234740 random stations, which were created by this flood, from
the database to stop them from slowing down searches and cluttering search
results.
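
An added example, not part of the original posts and not aprs.fi's actual filter: one way an APRS-IS client could shed a flood like the one described, dropping uncompressed position packets inside a bounding box only while the input rate is above a threshold. The box coordinates, the 500 packets/s threshold, the `N0CALL` packets and the names `FloodGuard`, `parse_position` and `demo` are constructed for illustration.

```python
import re
from collections import deque

# Uncompressed APRS position payload: type char, optional 7-char timestamp,
# DDMM.hhN, symbol table char, DDDMM.hhE. Compressed and Mic-E are not handled.
POS = re.compile(r"[!=/@](?:\d{6}[zh/])?(\d{2})(\d{2}\.\d{2})([NS])."
                 r"(\d{3})(\d{2}\.\d{2})([EW])")

# Constructed placeholder box (lat_min, lat_max, lon_min, lon_max); the page
# does not give the coordinates of the flooded rectangle.
BOX = (10.0, 20.0, 30.0, 40.0)

def parse_position(line):
    """Return (callsign, lat, lon) for an uncompressed position packet, else None."""
    head, sep, payload = line.partition(":")
    m = POS.match(payload) if sep and ">" in head else None
    if m is None:
        return None
    lat = (int(m[1]) + float(m[2]) / 60) * (1 if m[3] == "N" else -1)
    lon = (int(m[4]) + float(m[5]) / 60) * (1 if m[6] == "E" else -1)
    return head.split(">", 1)[0], lat, lon

class FloodGuard:
    """Drop position packets inside `box` while the input rate exceeds `max_rate`."""
    def __init__(self, box, max_rate, window=1.0):
        self.box, self.max_rate, self.window = box, max_rate, window
        self.times = deque()  # arrival times of packets in the sliding window

    def accept(self, line, now):
        self.times.append(now)
        while self.times[0] <= now - self.window:
            self.times.popleft()
        if len(self.times) / self.window <= self.max_rate:
            return True  # normal rate: ingest everything
        pos = parse_position(line)
        if pos is None:
            return True  # not a position packet: unaffected by the area filter
        lat_min, lat_max, lon_min, lon_max = self.box
        return not (lat_min <= pos[1] <= lat_max and lon_min <= pos[2] <= lon_max)

def demo():
    """Constructed traffic: 1 s at 50 pkt/s, then 1 s at 1200 pkt/s inside BOX."""
    guard = FloodGuard(BOX, max_rate=500)  # threshold is an assumption
    inside = "N0CALL-1>APRS,TCPIP*:!1530.00N/03515.00E-"
    outside = "N0CALL-2>APRS,TCPIP*:@092345z6030.00N/02500.00E_"
    calm = [guard.accept(inside, t / 50) for t in range(50)]
    flood = [guard.accept(inside, 1 + t / 1200) for t in range(1200)]
    return all(calm), flood.count(False), guard.accept(outside, 2.0)
```

As in the post, legitimate stations inside the box are dropped along with the flood while the guard is active; packets from outside the box keep flowing.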