The oddest thing happened today... Analysis of an APRS replay "attack"

Sun 27 March 2016

The other day a fellow amateur radio operator, WJ3K, caught me on the Annapolis repeater and asked me whether I was seeing odd things happening on the APRS network.  Specifically, whether or not I was seeing station tracks getting bounced around as if an old packet had been injected into the network out of sync with the rest.  As soon as he said it I knew exactly what he was talking about.  Not only had I seen such things in recent days but I remember the Mic-E packet expansion "attack" from over a decade ago (sorry, can't find the discussion that was held on the `APRSSIG mailing list <http://www.tapr.org/mailman/listinfo/aprssig>`__).

Anyway, I had some time to look at some recent packets and realized that something very odd was happening.  I was seeing packets from my HT (WG3K-7) coming through a digipeater across the Bay when the HT was safely off and sitting next to me.  I turned up the volume on the transceiver hosting APRS and was very surprised to hear two things: 1) packets being received but not being passed to my client and 2) packets received at my client that I hadn't heard come across the radio!  It would seem that the problem plaguing the local network was my problem!  For some reason, my TNC was caching the packets and then, after several minutes, was releasing them to my client, which had no choice but to accept them with the thought they were real-time and send them to the APRS-IS.

The culprit seems to be an SCS PTC-IIusb modem in KISS mode.  Still investigating why it's happening and I'll update this article when I can.
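A check a gateway operator could run over a timestamped packet log to spot the symptom described above, where an old packet reappears after the same station has already sent newer ones. This is an added example, not code from the original post; the N0CALL callsigns, timings, log layout and both thresholds are constructed assumptions, and the match is a heuristic.

```python
import re
from collections import defaultdict

# TNC2 monitor line: SOURCE>DEST,PATH:INFO
TNC2 = re.compile(r"^([A-Z0-9-]+)>([A-Z0-9-]+)(?:,[^:]*)?:(.+)$")
DUPE_WINDOW = 30   # seconds; ordinary digipeater duplicates arrive within this (assumption)
HISTORY = 3600     # seconds of per-station history to keep (assumption)

def find_stale_replays(records):
    """records: (rx_time_seconds, tnc2_line) tuples in arrival order.
    Returns (rx_time, source, age_seconds) for each packet that repeats an
    earlier one after the same source has already sent something newer."""
    history = defaultdict(list)            # (source, packet type) -> [(rx_time, key)]
    flagged = []
    for rx_time, line in records:
        m = TNC2.match(line.strip())
        if not m:
            continue                       # not a parseable packet
        src, dest, info = m.groups()
        key = (dest, info)                 # path excluded: digipeaters rewrite it
        stream = history[(src, info[0])]   # first info byte is the APRS data type
        stream[:] = [(t, k) for t, k in stream if rx_time - t <= HISTORY]
        seen = [t for t, k in stream if k == key]
        if seen:
            age = rx_time - seen[-1]
            newer = any(t > seen[-1] and k != key for t, k in stream)
            if age > DUPE_WINDOW and newer:
                flagged.append((rx_time, src, age))
                continue                   # keep the stale copy out of the history
        stream.append((rx_time, key))
    return flagged

# Constructed sample: a moving tracker, a fixed station, and one late-released packet.
SAMPLE = [
    (0,    "N0CALL-7>APRS,WIDE1-1:!3858.00N/07629.00W>moving"),
    (5,    "N0CALL-7>APRS,DIGI1*,WIDE1*:!3858.00N/07629.00W>moving"),  # normal digipeat
    (10,   "N0CALL-1>APRS:!3857.50N/07628.00W-fixed"),
    (120,  "N0CALL-7>APRS,WIDE1-1:!3859.10N/07630.20W>moving"),
    (240,  "N0CALL-7>APRS,WIDE1-1:!3900.25N/07631.40W>moving"),
    (420,  "N0CALL-7>APRS,DIGI1*,WIDE1*:!3858.00N/07629.00W>moving"),  # old fix, released late
    (610,  "N0CALL-1>APRS:!3857.50N/07628.00W-fixed"),                 # unchanged beacon
]

if __name__ == "__main__":
    for rx_time, src, age in find_stale_replays(SAMPLE):
        print(f"t={rx_time}s {src}: repeats a packet last seen {age}s earlier")
```

The fixed station's unchanged beacon is not flagged because nothing newer and different from that station sits between its two copies; only the tracker's old position, arriving after two newer fixes, is reported.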

By Sparks, Category: Radio

Tags: 2m / Digital Operations / APRS