Re: Kiwi Forum status?


Phil Karn
 

I'm trying an experiment. Last night I changed the port number of the KiwiSDR. That change has propagated through to the list on http://kiwisdr.com/public. I configured my router to return "administratively prohibited" ICMP messages to attempts to access the old port. And I cleared the blocking list, i.e., every IP address is allowed to access the new port number.

There is as yet no abusive traffic to the new port, but a steady stream of abusive traffic to the old port continues. I just counted 1,183 attempts (TCP syn packets) in a single minute, from the same addresses as before. There are 33 distinct IP addresses. Most are from several well-defined groups of /24 subnets in just a few /16 blocks: 45.43/16, 152.32/16 (the biggie), 128.14/16, 128.1/16, and 107.150/16. These are probably VPN endpoints, but I don't have an easy way to tell -- does anybody know of a good database?

This confirms my hunch that someone set up a rather elaborate bot but isn't watching it very closely. I'm watching to see how long it takes for them to switch to the new port number, or give up and try an entirely different KiwiSDR.

Join wsprdaemon@groups.io to automatically receive all group messages.