[Operators] DDoS attack

Jonas Ådahl jadahl at gmail.com
Mon Feb 20 16:41:26 UTC 2012


Today my server was bombarded with thousands of subscription requests
from various different XMPP domains[0] resulting in it crashing. Also
with these requests came identical messages[1]. All of the accounts
look like [random characters]@domain.com such as
4yal71k4x2h2gzzsjiex at jabber.im. Seems like all of the requests were
directed at one user.

To prevent future attacks of this kind I have enabled functionality
preventing flooding of subscription packets (mod_pres_counter in
ejabberd) and urge others who haven't to do the same.


[0] some including (randomly selected from requests I have received),
jabber80.com, xmpp.jp, jabber.sibnet.ru, kofeina.net, ipse.zapto.org,
jabin.org, jabber.no, jabber.earth.li, aqq.eu, internet-exception.de,
zae-biz.com, jabber.perm.ru, debianforum.de, jabber.bergdyansk.info,
jabber.mediaring.ru, jabber.icp.pl, ezvan.fr, lugmen.org.ar,
jabber.papla.pl, zsh.su, jtalk.ru, oneteam.im ...
[1] "日一国会人年大十二本中長出三同時政事自行社見月分議後前民生連五発間対上部東者党地合市業内相方四定今回新場金員九入選立>開手米力学問高代明実円関決子動京全目表戦経通外最言氏現理調体化田当八"
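
The following is an added example, not part of the original post and not ejabberd's code: a sketch of a cap on subscription requests per time window. It counts per recipient, because in the flood described above the senders were random accounts spread over many domains while the target was a single user. The class name, the limits (5 requests per 60 seconds) and the sample stanzas are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque


class SubscriptionLimiter:
    """Caps inbound subscription requests per recipient in a sliding window."""

    def __init__(self, max_requests=5, window=60):
        self.max_requests = max_requests  # assumed limit, not from the post
        self.window = window              # seconds, assumed
        self.seen = defaultdict(deque)    # recipient bare JID -> timestamps

    def allow(self, stanza_xml, now):
        """Return True to deliver the stanza, False to drop it."""
        stanza = ET.fromstring(stanza_xml)
        tag = stanza.tag.rsplit("}", 1)[-1]  # ignore an XML namespace if present
        if tag != "presence" or stanza.get("type") != "subscribe":
            return True  # only subscription requests are counted
        # Key on the recipient's bare JID: sender JIDs and domains are
        # attacker-chosen and different for every request.
        recipient = stanza.get("to", "").split("/")[0].lower()
        times = self.seen[recipient]
        while times and now - times[0] >= self.window:
            times.popleft()  # forget requests older than the window
        if len(times) >= self.max_requests:
            return False
        times.append(now)
        return True


def run_sample():
    """Constructed traffic: 20 requests from 20 different domains to one user."""
    limiter = SubscriptionLimiter()
    flood = [
        f"<presence from='u{i}@host{i}.example' to='target@example.org' type='subscribe'/>"
        for i in range(20)
    ]
    # One request per second; only the first five reach the target.
    delivered = sum(limiter.allow(s, now=i) for i, s in enumerate(flood))
    # A request to a different user is unaffected by the flood.
    other = limiter.allow(
        "<presence from='friend@example.net' to='other@example.org' type='subscribe'/>",
        now=5,
    )
    # Once the window has passed, the target can receive requests again.
    later = limiter.allow(flood[0], now=100)
    return delivered, other, later


if __name__ == "__main__":
    print(run_sample())
```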
