[Operators] in-band registration (was: Re: Potential distributed attack)

Peter Saint-Andre stpeter at stpeter.im
Tue Apr 10 21:13:55 UTC 2012



On 4/10/12 3:08 PM, Daniel Fischaleck wrote:
> On Tuesday, 10 April 2012, 23:03:54, Claudiu Curcă wrote:
>> Hello,
>> 
>> Tonight I've noticed an increase in server traffic and once I
>> checked stuff out I saw that some few thousand users were created
>> from a Russian IP address (178.47.4.86). The users were
>> automatically created with the username XXyyyyyyZZ, where (XX and
>> ZZ are numerical and yyyyy are random words). According to logs,
>> all these users flooded the user dyavol at qip.ru, probably as some
>> sort of childish revenge or something similar.
>> 
>> Lately, I've been firewalling entire classes of IPs from the
>> Russian Federation because of these automated registrations,
>> although only now logs have shown actual flooding.
>> 
>> With all respect to free and boundless communication, I am taking
>> the caution of blocking each and every IP block from the Russian
>> Federation, since I do not want (nor have to, for that matter)
>> stay and guard the server from automated registrations (as a fun
>> fact, out of all the former automated registrations detected, 105
>> of them, 104 were from Russia).
>> 
>> I know it's harsh, but I encourage the rest of the admins to be
>> vigilant and take hard countermeasures against such abuse.
>> 
>> Best Regards,
>> 
>> Claudiu Curcă - coderollers.com
> 
> Hi,
> 
> the same thing happened to my server orcalab.net. Public
> registration is now disabled till I get that IP sorted and I am
> restoring a backup of the old user database right now. I got over
> 1000 registrations within a few minutes. Same scheme as yours.

Has in-band registration outlived its usefulness? It was originally
designed as a user-friendly way to jumpstart use of Jabber
technologies back in 1999. Perhaps it's not so appropriate today?

(FWIW, at jabber.org we disabled IBR a few years ago and that hasn't
stopped lots of people from registering new accounts!)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/


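For operators who keep in-band registration enabled, the pattern reported in this thread (many registrations from one address within minutes, with usernames shaped like XXyyyyyyZZ) can be flagged from registration logs. The following is an added example, not part of the original e-mail or any server's own code; the log line format, function names, thresholds and sample addresses are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real server's output):
#   <ISO timestamp> register user=<localpart> ip=<address>
LINE_RE = re.compile(r"^(\S+) register user=(\S+) ip=(\S+)$")
# Username shape reported in the thread: two digits, a word, two digits.
BOT_NAME_RE = re.compile(r"^\d{2}[a-z]+\d{2}$")

def find_registration_bursts(lines, max_per_window=5, window=timedelta(minutes=1)):
    """Return per-IP stats for sources whose peak rate exceeds max_per_window.

    Assumes lines are in chronological order, as in an append-only log.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    stats = defaultdict(lambda: {"peak": 0, "patterned": 0, "total": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore unrelated or malformed lines
        ts, user, ip = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop events older than the window
            q.popleft()
        s = stats[ip]
        s["total"] += 1
        s["peak"] = max(s["peak"], len(q))
        s["patterned"] += bool(BOT_NAME_RE.match(user))
    return {ip: s for ip, s in stats.items() if s["peak"] > max_per_window}

def sample_log():
    """Constructed sample: one scripted source and two ordinary sign-ups."""
    base = datetime(2012, 4, 10, 20, 0, 0)
    words = ["window", "garden", "silver", "planet",
             "market", "bridge", "forest", "candle"]
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} register "
             f"user={10 + i}{w}{90 - i} ip=203.0.113.7" for i, w in enumerate(words)]
    lines.append(f"{base.isoformat()} register user=alice ip=198.51.100.20")
    lines.append(f"{(base + timedelta(hours=1)).isoformat()} register user=bob ip=198.51.100.20")
    lines.append("garbage line that is not a registration event")
    return lines

if __name__ == "__main__":
    for ip, s in find_registration_bursts(sample_log()).items():
        print(f"{ip}: peak {s['peak']} per window, "
              f"{s['patterned']}/{s['total']} patterned usernames")
```

The same per-source counter can drive a registration rate limit instead of an after-the-fact report, which is narrower than blocking whole address ranges.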

