[Operators] in-band registration (was: Re: Potential distributed attack)

Kevin Smith kevin at kismith.co.uk
Tue Apr 10 21:22:25 UTC 2012


On Tue, Apr 10, 2012 at 10:13 PM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
> On 4/10/12 3:08 PM, Daniel Fischaleck wrote:
>> On Tuesday, 10 April 2012, 23:03:54, Claudiu Curcă wrote:
>>> Hello,
>>>
>>> Tonight I've noticed an increase in server traffic and once I
>>> checked stuff out I saw that some few thousand users were created
>>> from a Russian IP address (178.47.4.86). The users were
>>> automatically created with the username XXyyyyyyZZ, where (XX and
>>> ZZ are numerical and yyyyy are random words). According to logs,
>>> all these users flooded the user dyavol at qip.ru, probably as some
>>> sort of childish revenge or something similar.
>>>
>>> Lately, I've been firewalling entire classes of IPs from the
>>> Russian Federation because of these automated registrations,
>>> although only now logs have shown actual flooding.
>>>
>>> With all respect to free and boundless communication, I am taking
>>> the caution of blocking each and every IP block from the Russian
>>> Federation, since I do not want to (nor have to, for that matter)
>>> stay and guard the server from automated registrations (as a fun
>>> fact, out of all the former automated registrations detected, 105
>>> of them, 104 were from Russia).
>>>
>>> I know it's harsh, but I encourage the rest of the admins to be
>>> vigilant and take hard countermeasures against such abuse.
>>>
>>> Best Regards,
>>>
>>> Claudiu Curcă - coderollers.com
>>
>> Hi,
>>
>> The same thing happened to my server orcalab.net. Public
>> registration is now disabled till I get that IP sorted and I am
>> restoring a backup of the old user database right now. I got over
>> 1000 registrations within a few minutes. Same scheme as yours.
>
> Has in-band registration outlived its usefulness? It was originally
> designed as a user-friendly way to jumpstart use of Jabber
> technologies back in 1999. Perhaps it's not so appropriate today?

FWIW, my view is that servers with unprotected IBR are conceptually
very similar to open proxies and we need to move away from it.

/K
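
The registration bursts reported in the quoted messages (hundreds to thousands of accounts from one address within minutes, usernames of the form XXyyyyyyZZ) can be flagged from a registration log with a per-source sliding window. This is an added example, not part of the original thread or of any server's code; the log format, the function name, the threshold values and the reading of XX/ZZ as two digits are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format, constructed for this example:
#   <UTC timestamp> REGISTER <username> <source IP>
LINE = re.compile(r"^(\S+) REGISTER (\S+) (\S+)$")
# Username shape reported in the thread, read here as: two digits, a word, two digits.
PATTERNED = re.compile(r"^\d{2}[a-z]+\d{2}$")

def find_registration_bursts(lines, window=timedelta(minutes=5), threshold=5):
    """Report source IPs with more than `threshold` registrations in any
    sliding `window`. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)          # ip -> timestamps still inside the window
    names = defaultdict(list)            # ip -> every username it registered
    peak = defaultdict(int)              # ip -> largest in-window count seen
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                     # unrelated or malformed line
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        user, ip = m.group(2), m.group(3)
        names[ip].append(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # expire entries older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {
        ip: {"accounts": len(names[ip]),
             "patterned": sum(bool(PATTERNED.match(n)) for n in names[ip]),
             "peak": peak[ip]}
        for ip in names if peak[ip] > threshold
    }

# Constructed sample: one source registering eight accounts five seconds apart,
# and one source registering two accounts ninety minutes apart.
WORDS = ["river", "stone", "cloud", "ember", "maple", "frost", "cedar", "tiger"]
SAMPLE_LOG = (
    ["2012-04-10T19:00:00Z REGISTER alice 198.51.100.7"]
    + [f"2012-04-10T20:00:{i * 5:02d}Z REGISTER {10 + i}{w}{90 - i} 192.0.2.10"
       for i, w in enumerate(WORDS)]
    + ["2012-04-10T20:30:00Z REGISTER bob.k 198.51.100.7"]
)

if __name__ == "__main__":
    for ip, info in find_registration_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

The same counter can sit in front of the registration handler to refuse or delay new accounts from a source once it crosses the threshold, which limits the burst without blocking whole address ranges.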

