[Dxspider-support] Here we are again (huge flooding)

Keith, G6NHU g6nhu at me.com
Mon Feb 17 11:41:54 GMT 2025 

Rudy, look at this:  http://i.imgur.com/b9Xkx3h.png (I have to link to it because it’s too large to send through the list).

Of course they’re bad spots.  They were submitted at exactly the same time via variations of the same callsign, via variations of the IP address and allegedly from nodes that the submitter wasn’t connected to.

At a glance you might think they look legitimate but look closely and there are many reasons why they’re fake.  It’s the same with the list of HH3DX spots I posted yesterday.

73 Keith G6NHU

On 17 Feb 2025 at 11:33 +0000, Rudy Bakalov via Dxspider-support <dxspider-support at tobit.co.uk>, wrote:
> Excuse my ignorance. I operated during the contest and didn’t experience bad spots more than usual. Granted, my consumption of spots is 100% via the N1MM bandmap and AMQ windows; no staring at a Telnet window.
>
> I don’t believe even for a moment that CR3DX is a fake spot. They are well equipped, very loud, and don’t need spotting, real or fake.
>
> My question is if spots generated by loggers show spotter IP of the logger computer instead of the node they connect to. If this is the case, you will see a 10X explosion of such spots in just a couple of weeks during ARRL SSB.
>
> If you need data points to analyze, spots from VE3EID were 100 legitimate, automatically generated by N1MM while making S&P QSOs. The logger IP address would be a Starlink address and originating node VE3EID-1
>
> Rudy N2WQ
>
> Sent using a tiny keyboard. Please excuse brevity, typos, or inappropriate autocorrect.
>
>
> > On Feb 17, 2025, at 2:44 AM, Kin via Dxspider-support <dxspider-support at tobit.co.uk> wrote:
> >
> > Hi,
> >
> > From the last attack I have seen the following:
> > * Link crashes with partners. With greater impact on those with less hw
> > resources.
> > * Delays of up to 5 minutes in sending spots to users in some of the larger
> > nodes.
> > * More affected on Windows than on Linux.
> > * On my node with 'set/var $DXProt::senderverify 2' the behaviour was as
> > expected, no forged spots were fake.
> > grep -i "bad spot" 047.dat | wc -l
> > 287005 <-- EA4URE-2
> > 381899 <-- EA3CV-2
> >
> > 1739707974^(*) PCPROT: Bad Spot CR3DX on 14089.6 by
> > N3LPT-3(70.139.124.201)@SM4ONW-14 User N3LPT-3 not on node SM4ONW-14, DUMPED
> > 1739707974^(*) PCPROT: Bad Spot CR3DX on 7025.0 by
> > N0LPT-3(70.139.201.124)@SP6MI-2 User N0LPT-3 not on node SP6MI-2, DUMPED
> > 1739707974^(*) PCPROT: Bad Spot CR3DX on 28431.4 by
> > N3LPT-3(70.139.124.201)@PA0ESH-3 User N3LPT-3 not on node PA0ESH-3, DUMPED
> > 1739707974^(*) PCPROT: Bad Spot CR3DX on 21132.3 by
> > N5LPT-3(70.124.139.201)@GB7NHR User N5LPT-3 not on node GB7NHR, DUMPED
> > 1739707974^(*) PCPROT: Bad Spot CR3DX on 28438.0 by
> > N0LPT-3(70.201.139.124)@PI1LAP-1 User N0LPT-3 not on node PI1LAP-1, DUMPED
> >
> > On my other node without enabling this feature, thousands of them were
> > received.
> > * The attack was based on varying the fields: spotted, comment, spotter,
> > spotter ip and source node.
> > * It appears that the spots were not sent from the source nodes listed in
> > the spots. I have verified that the ones where my node appears as the source
> > node, did not come from my node, so I think that this must have happened to
> > most of them.
> >
> > My own conclusions
> > * Dirk's algorithm was successful for nodes that used $DXProt::senderverify
> > to remove dupes.
> > * If the attack had been without 'dupes', it could not have been stopped.
> > * The flood of spots that inundated the network clearly affected nodes with
> > fewer resources, with a less efficient OS or with a sw other than spider.
> >
> > Kin EA3CV
> >
> >
> >
> >
> > _______________________________________________
> > Dxspider-support mailing list
> > Dxspider-support at tobit.co.uk
> > https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
>
>
> _______________________________________________
> Dxspider-support mailing list
> Dxspider-support at tobit.co.uk
> https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.tobit.co.uk/pipermail/dxspider-support/attachments/20250217/beb3263a/attachment-0001.htm>

More information about the Dxspider-support mailing list