Recent Kiwi Problems at ON5KQ


ON5KQ
 

Tom.
"...
Yet, I ponder why anyone would want to attack an SDR? What is the gain?
Unless the point is to use that device via some known exploit, as a means to perform network discovery and find other assets on a given network?..."

It is not about my network, I guess.... nothing valuable to steal... however I have now rebuilt all software of all related hardware.
I switched off Internet completely and reset switch and router. Then I restored the configuration files of all the network hardware from recent backups. I want to be sure to keep the network clean, as all Kiwis seemed to be manipulated in software.
I took them from the net and rebuilt all software from recent backups.

I found many many IP addresses with 34 and 35 numbers and did the same as Rob, blocking all such IP addresses completely.
Some more work to do, before I run the kiwis with wsprdaemon again. They should run non-public with only connection allowed from the wsprdaemon machine...

Ulli




Rob Robinett
 

This forum.kiwisdr.com forum just opened and a widespread bot attack is the first topic.
For now, it appears to be stopped by blacklisting two ranges of IP addresses:

I ended up adding 34.0.0.0/8 35.0.0.0/8 to the blocked list on all KiwiSDRs hosted here.

The whole message thread can be found at:
http://forum.kiwisdr.com/index.php?p=/discussion/2438/kiwisdrs-being-restarted-attack-or-poorly-programmed-bot

So far neither KPH, KFS nor AI6VN/KH6 have been attacked, but I'm sure it's only a matter of time.


Bruce KX4AZ
 

Presumably some of the recent vulnerabilities identified in Linux systems are drawing a lot of hacker interest, and I imagine there is a lot of JKS work going on behind the scenes to roll out software patch(es).  If only I had a magic way to upgrade my Linux skills I would be happy to jump in.  For now I can only pass on my appreciation for the skilled folks out there that are likely toiling away. 


WA2TP - Tom
 

I disabled public accessibility some time ago because somehow my connections from WD were randomly getting kicked off.
This was when it was thought that OV situations were causing the connections to get dropped by WD.

I was able to prove that this was not the case (at least here) by disconnecting the antenna from the affected Kiwi (1 Kiwi at that time) and moving it to another private Kiwi.
Even without an antenna connected, the originally affected KIWI WD channels were randomly getting kicked off. You can see this in the admin page where it shows the uptime/channel.

Shortly after, I noticed one Kiwi was getting shut down completely. I had to remove the power cable completely to restart.

I then did the following:

Moved the affected Kiwi to a new LAN port with a new cable - This had no effect - channels still dropped.
Monitored power supply voltage - No anomalies - voltage never dropped below 5.07vdc
I then replaced the Kiwi with a new KIWI and BBAI. I gave it the same name and IP address.
It was OK for a few days' time but then I started to see all connections dropped yet again.

Then this activity of WD channels getting kicked started on other KIWIs.

I was wondering if it was some kind of a MAC flooding attack but I did not see that type of traffic.

As of now, I have done all that I can think of to limit external access of any type to my KIWI private network.
Firewalls are only good to a certain point. They may keep honest people out but.. I'll leave it at that. 

Yet, I ponder why anyone would want to attack an SDR? What is the gain?
Unless the point is to use that device via some known exploit, as a means to perform network discovery and find other assets on a given network?
IDK.











From: wsprdaemon@groups.io <wsprdaemon@groups.io> on behalf of ON5KQ <ON5KQ@...>
Sent: Tuesday, December 21, 2021 8:56 AM
To: wsprdaemon@groups.io <wsprdaemon@groups.io>
Subject: Re: [wsprdaemon] Recent Kiwi Problems at ON5KQ
 


ON5KQ
 

I switched off the kiwis/beagles via the admin panel...
Just for your info: None of the kiwis do start up anymore.... so there is more happening...

It is for later...

Ulli


ON5KQ
 

It does not help, Tom. Many, many new IP addresses appear, as needed. I expected that... the blacklist is not a solution now..
I have taken the kiwis offline and think about the best connection to only allow a single internal machine for connection - end of public kiwis.

I will also reinstall all kiwis.... however not now. I have other things to do at the moment...

Ulli


WA2TP - Tom
 

Hi Ulli,

Try just changing the ports from 8073 to something else. I gave all my Kiwis unique internal and external ports in the network tab.

You then must change the ports in the wd config file. 

To monitor a specific IP connection you could use a CMD window and ping (ipaddress) -t. When the connection is interrupted you will see a break in the returns. It’s not the best way to do it.


Tom
WA2TP 


On Dec 21, 2021, at 7:18 AM, ON5KQ <ON5KQ@...> wrote:



ON5KQ
 

you are correct, I think.
I found already 10 different IP addresses, spamming (all indeed starting 34.. and 35) and have added them to the blacklist...
However I don't expect it will cure the problem, as such "bad" IP addresses never disappear and will just 'be born' as needed ....

I must try to modify the network, so the Kiwi will only accept a connection from the machine running wsprdaemon (a specific internal IP address - all other connections blocked)
In that case software updates must be done manually, obviously...

Ulli, ON5KQ
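
The log check discussed in this thread (source addresses on the very long AUTH lines in /var/log/messages, compared against the 34.0.0.0/8 and 35.0.0.0/8 blocks), as an added example that is not part of any post here or of the KiwiSDR software. The log line layout, the 200-character threshold, the `kiwisdr` hostname and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ranges reported as blocked in this thread.
BLOCKED = [ipaddress.ip_network(n) for n in ("34.0.0.0/8", "35.0.0.0/8")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MIN_LEN = 200  # assumption: what counts as a "very long" line

def suspicious_sources(lines, min_len=MIN_LEN):
    """Count the first IPv4 address on each over-long line mentioning AUTH."""
    hits = Counter()
    for line in lines:
        if "AUTH" not in line or len(line) < min_len:
            continue
        m = IPV4.search(line)
        if not m:
            continue
        try:
            hits[ipaddress.ip_address(m.group())] += 1
        except ValueError:  # e.g. 999.1.1.1 matched the loose regex
            continue
    return hits

def triage(hits, blocked=BLOCKED):
    """Split sources into those the blocklist covers and those it misses."""
    covered, uncovered = {}, {}
    for ip, n in hits.items():
        bucket = covered if any(ip in net for net in blocked) else uncovered
        bucket[str(ip)] = n
    return covered, uncovered

def by_slash8(hits):
    """Group hit counts by /8 to show whether sources cluster in a few ranges."""
    groups = Counter()
    for ip, n in hits.items():
        groups[str(ipaddress.ip_network(f"{ip}/8", strict=False))] += n
    return dict(groups)

# Constructed sample lines; the real kiwid log format may differ.
PAD = "A" * 300
SAMPLE = [
    f"Dec 21 09:14:02 kiwisdr kiwid: AUTH-example src=34.102.7.9 {PAD}",
    f"Dec 21 09:14:03 kiwisdr kiwid: AUTH-example src=35.199.20.4 {PAD}",
    f"Dec 21 09:14:05 kiwisdr kiwid: AUTH-example src=34.102.7.9 {PAD}",
    f"Dec 21 09:14:09 kiwisdr kiwid: AUTH-example src=203.0.113.77 {PAD}",
    "Dec 21 09:15:10 kiwisdr kiwid: AUTH-example src=192.168.1.50 ok",
    f"Dec 21 09:16:00 kiwisdr kernel: src=198.51.100.5 {PAD}",
]

if __name__ == "__main__":
    hits = suspicious_sources(SAMPLE)
    print(triage(hits), by_slash8(hits))
```

Sources that land in the second dictionary returned by `triage` are the ones a fixed blacklist misses, which is the limitation raised in the post above.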


hf_linkz
 

All KiwiSDRs are currently under DoS attacks that make the kiwid crash and reboot; maybe related to your issues?

Check your /var/log/messages and add the IP sources from the very long AUTH-something lines to the IP blacklist until a fix from jks. Tip: so far it comes from 34. and 35., which are machines hosted at Google.

On Tue, Dec 21, 2021 at 10:44, ON5KQ <ON5KQ@...> wrote:


ON5KQ
 

Does anyone know about a tool to monitor the internet connection, which would detect internet outage in the msec range and give me a report of such events?
I am using a Ubiquiti EdgeMAX router and haven't yet found out how to detect such WAN outages and document them with the router's own monitor software....

Ulli, ON5KQ


ON5KQ
 

Recently I have a rather annoying problem with all my kiwis:
After a random time of working, suddenly the Kiwi will lose internet connection so the screen (waterfall and spectrum) freezes and the stats tab in the software shows audio overrun.
Nothing changed here in the installation at all...

I noticed this problem when running wsprdaemon on the kiwis, the freeze of the kiwi causes wsprdaemon to reconnect as soon as the kiwi is available again on the network...

All looked as if I have a very short interruption of the internet (probably just msecs) so it causes the Kiwi to freeze and not come back until you refresh the browser.
In wsprdaemon the reconnection is established automatically.

However it appears very often: in 15min approximately 3 times the kiwi freezes...

(I switched all timers off in the kiwi admin panel ....hi)

Of course in wsprdaemon it means the spot performance is significantly degraded - that's how I found out this strange behaviour.

What I did so far with no success:
- complete reinstall of kiwisoftware (Vers 1.481)
- reboot of all related hardware (router, switches, power supplies)
- re-arrange network cabling and connect Kiwis directly to Internet without (routers, switches)
- change of browsers (Firefox, Edge, Opera...)
- change of power supply

So far, nothing changed this faulty situation.
It is not one Kiwi, but all of them show this problem.

One more thing I found (it may be related to this problem, or it may not)

Usually, when you have free public channels available, the kiwi regularly reports the snr ratio to the website:
http://rx.linkfanel.net/snr.html

My Kiwis don't report the SNR status, although activated to do that once per hour....
The data you can find on the website of my Kiwis is very old ... (weeks ago!)

Has anyone found similar problems before?

Ulli, ON5KQ