<div dir="ltr"><div>I cannot believe that 60% of the traffic is really a fake. Maybe it is misclassified because it is not possible to identify if the spotter is really connected to a cluster (if the cluster doesn't send pc92).</div><div><br></div><div>73s</div><div>andrea</div><div><br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">--></div></div><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, Feb 17, 2025 at 11:35 AM IZ2LSC <<a href="mailto:iz2lsc.andrea@gmail.com">iz2lsc.andrea@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Iain, </div><div>if 60% of the traffic is fake and senderverify=2 </div><div><br></div><div>then pc61 is dumped (discarded)</div><div>as per Dirk mail.</div><div><span style="font-size:large">If set to 1, pass it onward to other nodes. If set to 2 and it's a PC61 then dump it. If set to 3 then just dump it.</span></div><div><div dir="ltr" class="gmail_signature"><br></div><div class="gmail_signature">Can you clarify where I misunderstood ?</div><div class="gmail_signature"><br></div><div dir="ltr" class="gmail_signature">--></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Feb 17, 2025 at 11:12 AM Iain Philipps <<a href="mailto:iain.philipps@77hz.net" target="_blank">iain.philipps@77hz.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div lang="EN-GB"><div><p class="MsoNormal"><span>Andrea,<br><br>You have misunderstood. Legitimate spots are *<b>not</b>* being discarded.<br><br>Because:-> </span><span style="color:blue;background:white">most of the traffic sent today is very likely fake. <-<br><br><u></u><u></u></span></p><p class="MsoNormal"><span style="color:blue;background:white"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:blue;background:white"><br></span><span style="color:black;background:white">73 de WR3D</span><span><br><br><br><u></u><u></u></span></p><p class="MsoNormal"><span><u></u> <u></u></span></p><p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Dxspider-support <<a href="mailto:dxspider-support-bounces@tobit.co.uk" target="_blank">dxspider-support-bounces@tobit.co.uk</a>> <b>On Behalf Of </b>IZ2LSC via Dxspider-support<br><b>Sent:</b> 17 February 2025 10:09<br><b>To:</b> The DXSpider Support list <<a href="mailto:dxspider-support@tobit.co.uk" target="_blank">dxspider-support@tobit.co.uk</a>><br><b>Cc:</b> IZ2LSC <<a href="mailto:iz2lsc.andrea@gmail.com" target="_blank">iz2lsc.andrea@gmail.com</a>><br><b>Subject:</b> Re: [Dxspider-support] Here we are again (huge flooding)<u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">Kin, <u></u><u></u></p></div><div><p class="MsoNormal">how many legitimate spots is senderverify=2 discarding during normal conditions?<u></u><u></u></p></div><div><p class="MsoNormal">I understood this is still work in progress as from Dirk email he got 60% of spots dropped. This is not fine:<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><span style="color:blue;background:white">"</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="color:blue;background:white">The result I got for a morning's traffic (the natural result of a grepdbg on today's log with sendverify set) is:</span><u></u><u></u></p></div><p class="MsoNormal"><span style="color:blue;background:white"><br> 60.22 (%)<br><br>Or to put it another way, most of the traffic sent today is very likely fake.<br><br><span>Houston</span>, we have a problem...</span><u></u><u></u></p><div><p class="MsoNormal"><span style="color:blue;background:white">"</span><u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Andrea<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><div><p class="MsoNormal">--><u></u><u></u></p></div></div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">On Mon, Feb 17, 2025 at 8:45 AM Kin via Dxspider-support <<a href="mailto:dxspider-support@tobit.co.uk" target="_blank">dxspider-support@tobit.co.uk</a>> wrote:<u></u><u></u></p></div><blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm"><p class="MsoNormal">Hi,<br><br>From the last attack I have seen the following:<br>* Link crashes with partners. With greater impact on those with less hw<br>resources.<br>* Delays of up to 5 minutes in sending spots to users in some of the larger<br>nodes.<br>* More affected on Windows than on Linux.<br>* On my node with 'set/var $DXProt::senderverify 2' the behaviour was as<br>expected, no forged spots were fake.<br> grep -i "bad spot" 047.dat | wc -l<br> 287005 <-- EA4URE-2<br> 381899 <-- EA3CV-2<br><br> 1739707974^(*) PCPROT: Bad Spot CR3DX on 14089.6 by<br>N3LPT-3(70.139.124.201)@SM4ONW-14 User N3LPT-3 not on node SM4ONW-14, DUMPED<br> 1739707974^(*) PCPROT: Bad Spot CR3DX on 7025.0 by<br>N0LPT-3(70.139.201.124)@SP6MI-2 User N0LPT-3 not on node SP6MI-2, DUMPED<br> 1739707974^(*) PCPROT: Bad Spot CR3DX on 28431.4 by<br>N3LPT-3(70.139.124.201)@PA0ESH-3 User N3LPT-3 not on node PA0ESH-3, DUMPED<br> 1739707974^(*) PCPROT: Bad Spot CR3DX on 21132.3 by<br>N5LPT-3(70.124.139.201)@GB7NHR User N5LPT-3 not on node GB7NHR, DUMPED<br> 1739707974^(*) PCPROT: Bad Spot CR3DX on 28438.0 by<br>N0LPT-3(70.201.139.124)@PI1LAP-1 User N0LPT-3 not on node PI1LAP-1, DUMPED<br><br> On my other node without enabling this feature, thousands of them were<br>received.<br>* The attack was based on varying the fields: spotted, comment, spotter,<br>spotter ip and source node.<br>* It appears that the spots were not sent from the source nodes listed in<br>the spots. I have verified that the ones where my node appears as the source<br>node, did not come from my node, so I think that this must have happened to<br>most of them.<br><br>My own conclusions<br>* Dirk's algorithm was successful for nodes that used $DXProt::senderverify<br>to remove dupes.<br>* If the attack had been without 'dupes', it could not have been stopped.<br>* The flood of spots that inundated the network clearly affected nodes with<br>fewer resources, with a less efficient OS or with a sw other than spider.<br><br>Kin EA3CV<br><br><br><br><br>_______________________________________________<br>Dxspider-support mailing list<br><a href="mailto:Dxspider-support@tobit.co.uk" target="_blank">Dxspider-support@tobit.co.uk</a><br><a href="https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support" target="_blank">https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support</a><u></u><u></u></p></blockquote></div></div></div></div></blockquote></div>
</blockquote></div>