[Dxspider-support] Here we are again (huge flooding)

Keith, G6NHU g6nhu at me.com
Mon Feb 17 10:55:59 GMT 2025


I think this is the case for some of them.

For example, EA4RCH-5 is dxfun.com, where people can send spots via a web interface; they’re not necessarily logged on to the node itself.

I’m seeing a lot of “Bad Spots” where the originating node is EA4RCH-5 because the user isn’t logged on.  They’re probably not bad spots.

73 Keith
On 17 Feb 2025 at 10:39 +0000, IZ2LSC via Dxspider-support <dxspider-support at tobit.co.uk>, wrote:
> I cannot believe that 60% of the traffic is really a fake. Maybe it is misclassified because it is not possible to identify if the spotter is really connected to a cluster (if the cluster doesn't send pc92).
>
> 73s
> andrea
>
> On Mon, Feb 17, 2025 at 11:35 AM IZ2LSC <iz2lsc.andrea at gmail.com> wrote:
> > Iain,
> > if 60% of the traffic is fake and senderverify=2
> >
> > then pc61 is dumped (discarded)
> > as per Dirk mail.
> > If set to 1, pass it onward to other nodes. If set to 2 and it's a PC61 then dump it. If set to 3 then just dump it.
> >
> > Can you clarify where I misunderstood?
> >
> > > On Mon, Feb 17, 2025 at 11:12 AM Iain Philipps <iain.philipps at 77hz.net> wrote:
> > > > Andrea,
> > > >
> > > > You have misunderstood. Legitimate spots are *not* being discarded.
> > > >
> > > > Because:->  most of the traffic sent today is very likely fake. <-
> > > >
> > > >
> > > >
> > > > 73 de WR3D
> > > >
> > > >
> > > >
> > > > From: Dxspider-support <dxspider-support-bounces at tobit.co.uk> On Behalf Of IZ2LSC via Dxspider-support
> > > > Sent: 17 February 2025 10:09
> > > > To: The DXSpider Support list <dxspider-support at tobit.co.uk>
> > > > Cc: IZ2LSC <iz2lsc.andrea at gmail.com>
> > > > Subject: Re: [Dxspider-support] Here we are again (huge flooding)
> > > >
> > > > Kin,
> > > > how many legitimate spots is senderverify=2 discarding during normal conditions?
> > > > I understood this is still work in progress, as from Dirk's email he got 60% of spots dropped. This is not fine:
> > > >
> > > > "
> > > > The result I got for a morning's traffic (the natural result of a grepdbg on today's log with sendverify set) is:
> > > >
> > > >         60.22 (%)
> > > >
> > > > Or to put it another way, most of the traffic sent today is very likely fake.
> > > >
> > > > Houston, we have a problem...
> > > > "
> > > >
> > > > Andrea
> > > >
> > > > On Mon, Feb 17, 2025 at 8:45 AM Kin via Dxspider-support <dxspider-support at tobit.co.uk> wrote:
> > > > > Hi,
> > > > >
> > > > > From the last attack I have seen the following:
> > > > > * Link crashes with partners. With greater impact on those with less hw
> > > > > resources.
> > > > > * Delays of up to 5 minutes in sending spots to users in some of the larger
> > > > > nodes.
> > > > > * More affected on Windows than on Linux.
> > > > > * On my node with 'set/var $DXProt::senderverify 2' the behaviour was as
> > > > > expected, no forged spots were fake.
> > > > >         grep -i "bad spot" 047.dat | wc -l
> > > > >         287005 <-- EA4URE-2
> > > > >         381899 <-- EA3CV-2
> > > > >
> > > > > >         1739707974^(*) PCPROT: Bad Spot CR3DX on 14089.6 by N3LPT-3(70.139.124.201)@SM4ONW-14 User N3LPT-3 not on node SM4ONW-14, DUMPED
> > > > > >         1739707974^(*) PCPROT: Bad Spot CR3DX on 7025.0 by N0LPT-3(70.139.201.124)@SP6MI-2 User N0LPT-3 not on node SP6MI-2, DUMPED
> > > > > >         1739707974^(*) PCPROT: Bad Spot CR3DX on 28431.4 by N3LPT-3(70.139.124.201)@PA0ESH-3 User N3LPT-3 not on node PA0ESH-3, DUMPED
> > > > > >         1739707974^(*) PCPROT: Bad Spot CR3DX on 21132.3 by N5LPT-3(70.124.139.201)@GB7NHR User N5LPT-3 not on node GB7NHR, DUMPED
> > > > > >         1739707974^(*) PCPROT: Bad Spot CR3DX on 28438.0 by N0LPT-3(70.201.139.124)@PI1LAP-1 User N0LPT-3 not on node PI1LAP-1, DUMPED
> > > > >
> > > > >   On my other node without enabling this feature, thousands of them were
> > > > > received.
> > > > > * The attack was based on varying the fields: spotted, comment, spotter,
> > > > > spotter ip and source node.
> > > > > * It appears that the spots were not sent from the source nodes listed in
> > > > > the spots. I have verified that the ones where my node appears as the source
> > > > > node, did not come from my node, so I think that this must have happened to
> > > > > most of them.
> > > > >
> > > > > My own conclusions
> > > > > * Dirk's algorithm was successful for nodes that used $DXProt::senderverify
> > > > > to remove dupes.
> > > > > * If the attack had been without 'dupes', it could not have been stopped.
> > > > > * The flood of spots that inundated the network clearly affected nodes with
> > > > > fewer resources, with a less efficient OS or with a sw other than spider.
> > > > >
> > > > > Kin EA3CV
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Dxspider-support mailing list
> > > > > Dxspider-support at tobit.co.uk
> > > > > https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.tobit.co.uk/pipermail/dxspider-support/attachments/20250217/69a214a0/attachment.htm>
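
Added example, not part of the original thread and not DXSpider code: a Python tally of the "Bad Spot" log lines discussed above, grouped by claimed origin node and by spotted call. The regex layout is inferred from the lines quoted in the thread (an assumption, not a documented format), and the node WEBGW-1 with its callsigns and IPs is hypothetical.

```python
import re
from collections import defaultdict

# Layout inferred from the "Bad Spot" lines quoted in this thread (an assumption,
# not DXSpider's documented log format); the trailing action word is kept as-is.
BAD_SPOT = re.compile(
    r"^(?P<ts>\d+)\^\(\*\) PCPROT: Bad Spot (?P<dx>\S+) on (?P<freq>[\d.]+) by "
    r"(?P<spotter>[^\s(]+)\((?P<ip>[^)]*)\)@(?P<node>\S+) "
    r"User \S+ not on node \S+, (?P<action>\w+)$"
)

# First three lines are taken from the thread; the WEBGW-1 lines and the last
# line are constructed (hypothetical node, calls and documentation-range IPs).
SAMPLE = [
    "1739707974^(*) PCPROT: Bad Spot CR3DX on 14089.6 by N3LPT-3(70.139.124.201)@SM4ONW-14 User N3LPT-3 not on node SM4ONW-14, DUMPED",
    "1739707974^(*) PCPROT: Bad Spot CR3DX on 7025.0 by N0LPT-3(70.139.201.124)@SP6MI-2 User N0LPT-3 not on node SP6MI-2, DUMPED",
    "1739707974^(*) PCPROT: Bad Spot CR3DX on 28431.4 by N3LPT-3(70.139.124.201)@PA0ESH-3 User N3LPT-3 not on node PA0ESH-3, DUMPED",
    "1739707980^(*) PCPROT: Bad Spot DX1AAA on 14010.0 by T1EST(192.0.2.10)@WEBGW-1 User T1EST not on node WEBGW-1, DUMPED",
    "1739707985^(*) PCPROT: Bad Spot DX2BBB on 7005.0 by T2EST(192.0.2.11)@WEBGW-1 User T2EST not on node WEBGW-1, DUMPED",
    "1739707990^(*) some unrelated log line",
]

def parse_bad_spots(lines):
    """Return one dict per line matching the Bad Spot layout; skip the rest."""
    matches = (BAD_SPOT.match(line.strip()) for line in lines)
    return [m.groupdict() for m in matches if m]

def per_node(lines):
    """Claimed origin node -> (bad spots, distinct spotted calls, distinct spotters)."""
    acc = defaultdict(lambda: {"count": 0, "dx": set(), "spotters": set()})
    for rec in parse_bad_spots(lines):
        entry = acc[rec["node"]]
        entry["count"] += 1
        entry["dx"].add(rec["dx"])
        entry["spotters"].add(rec["spotter"])
    return {n: (e["count"], len(e["dx"]), len(e["spotters"])) for n, e in acc.items()}

def nodes_per_dx(lines):
    """Spotted call -> set of origin nodes it was claimed from."""
    acc = defaultdict(set)
    for rec in parse_bad_spots(lines):
        acc[rec["dx"]].add(rec["node"])
    return dict(acc)

if __name__ == "__main__":
    for node, stats in sorted(per_node(SAMPLE).items()):
        print(node, stats)
    for dx, nodes in sorted(nodes_per_dx(SAMPLE).items()):
        print(dx, len(nodes), "origin nodes")
```

Run over a real debug log, the per-call tally shows the shape in Kin's sample (one spotted call claimed from several origin nodes), while the per-node tally shows how many rejected spots are attributed to a single node such as the web gateway Keith mentions.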