[Operators] DDoS attack

Mathias Ertl mati at fsinf.at
Mon Feb 20 16:51:14 UTC 2012


Jonas,

On 2012-02-20 17:41, Jonas Ådahl wrote:
> Today my server was bombarded with thousands of subscription requests
> from various different XMPP domains[0] resulting in it crashing. Also
> with these requests came identical messages[1]. All of the accounts
> look like [random characters]@domain.com such as
> 4yal71k4x2h2gzzsjiex at jabber.im. Seems like all of the requests were
> directed at one user.

Is it possible to draw up a list of accounts that took part in the
attack and send those accounts to the corresponding server-admins, at
least if they are known?

Does anyone know what this subscription message means?

> To prevent future attacks of this kind I have enabled functionality
> preventing flooding of subscription packets (mod_pres_counter in
> ejabberd) and urge others who haven't to do the same.

That's an ejabberd plugin included in one of the most recent ejabberd
versions.

All in all capabilities for fighting abusive automated messages are
unfortunately very poor in all servers. I really think devs should
improve that situation.

greetings, Mati

-- 
twitter: @mathiasertl | soup: http://soup.er.tl | xing: Mathias Ertl
I only read plain-text mail!  I prefer signed/encrypted mail!
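
Added example (not part of the original message): one way to draw up the per-domain list of accounts that the reply asks about, from captured presence stanzas. The sample stanzas, the JIDs, the `.example` domains and the threshold of 3 are constructed for illustration; it assumes the server log holds the stanzas as plain XML.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample capture: four random-looking senders target one user,
# plus one ordinary subscription and one availability presence.
SAMPLE = """
<presence type='subscribe' from='k3j9x0qz7t@a.example' to='victim@my.example'/>
<presence type='subscribe' from='p8w2m5v1rc@a.example/res' to='victim@my.example'/>
<presence type='subscribe' from='zz41hq0d9e@b.example' to='victim@my.example'/>
<presence type='subscribe' from='u7y6t5r4e3@b.example' to='victim@my.example'/>
<presence type='subscribe' from='friend@c.example' to='other@my.example'/>
<presence from='friend@c.example/home' to='other@my.example'/>
"""

def subscribe_requests(log_text):
    """Yield (bare sender JID, bare target JID) for each subscribe stanza."""
    root = ET.fromstring("<log>" + log_text + "</log>")
    for el in root:
        # Ignore any namespace prefix and keep only subscription requests.
        if el.tag.rsplit("}", 1)[-1] != "presence" or el.get("type") != "subscribe":
            continue
        sender, target = el.get("from"), el.get("to")
        if sender and target:
            # Drop the resource part and normalise case before counting.
            yield sender.split("/", 1)[0].lower(), target.split("/", 1)[0].lower()

def flood_report(log_text, threshold=3):
    """Return {target: {sender_domain: [sender JIDs]}} for flooded targets."""
    by_target = defaultdict(set)
    for sender, target in subscribe_requests(log_text):
        by_target[target].add(sender)
    report = {}
    for target, senders in by_target.items():
        if len(senders) < threshold:
            continue  # a handful of requests is normal roster traffic
        domains = defaultdict(list)
        for jid in sorted(senders):
            domains[jid.rsplit("@", 1)[-1]].append(jid)
        report[target] = dict(domains)
    return report

if __name__ == "__main__":
    for target, domains in flood_report(SAMPLE).items():
        print("flood target:", target)
        for domain, jids in sorted(domains.items()):
            print("  report to admin of %s: %s" % (domain, ", ".join(jids)))
```

Each inner list is the set of accounts to send to that domain's administrator.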
