[Operators] DDoS attack
stpeter at stpeter.im
Tue Feb 21 20:45:55 UTC 2012
On 2/20/12 10:19 AM, Jonas Ådahl wrote:
> On Mon, Feb 20, 2012 at 5:51 PM, Mathias Ertl <mati at fsinf.at>
>> On 2012-02-20 17:41, Jonas Ådahl wrote:
>>> Today my server was bombarded with thousands of subscription
>>> requests from various different XMPP domains resulting in it
>>> crashing. Also with these requests came identical messages.
>>> All of the accounts look like [random characters]@domain.com
>>> such as 4yal71k4x2h2gzzsjiex at jabber.im. Seems like all of the
>>> requests were directed at one user.
>> Is it possible to draw up a list of accounts that took part in
>> the attack and send those accounts to the corresponding
>> server-admins, at least if they are known?
> Sadly no. I removed some files in order to get my gajim up and
> running, and did not make any backups. Anyhow, from what I could
> tell all of the accounts were 20 characters long and consisted only
> of random a-z and 0-9 characters. I put a very small portion of
> the accounts here: http://pastebin.com/b0NrDAEL that I recovered
> from my gajim message log. The list should be more like 6-7000 long
> instead of 54 however, but that's all I could find now.
Sorry to hear about this attack. This is yet more incentive for me to
finish working on the Incident Reporting spec:
I would bet that all of the domains involved allow in-band
registration (IBR), probably without CAPTCHAs. IMHO we need to think
about controlling IBR more carefully.
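Added example, not part of the original messages: one way an operator could flag the pattern reported in this thread (bursts of subscription requests to a single user from senders whose localpart is 20 characters of a-z and 0-9) in a log of inbound stanzas. The `(timestamp, stanza)` log format, the window and threshold values, and the sample data are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Localpart shape reported in the thread: exactly 20 chars from a-z and 0-9.
RANDOM_LOCALPART = re.compile(r"[a-z0-9]{20}")

def bare_jid(jid):
    """Strip the resource part: user@domain/resource -> user@domain."""
    return jid.split("/", 1)[0].lower()

def is_suspect_sender(jid):
    local, sep, _domain = bare_jid(jid).partition("@")
    return bool(sep) and RANDOM_LOCALPART.fullmatch(local) is not None

def flag_subscription_floods(events, window=60, threshold=5):
    """events: iterable of (unix_time, stanza_xml), sorted by time.
    Returns {target bare JID: peak number of suspect subscribe requests
    seen within `window` seconds} for targets reaching `threshold`."""
    recent = defaultdict(deque)  # target -> timestamps of suspect requests
    peak = defaultdict(int)
    for ts, xml in events:
        try:
            stanza = ET.fromstring(xml)
        except ET.ParseError:
            continue  # skip malformed entries rather than abort the scan
        # Drop any namespace prefix such as {jabber:server}presence.
        if stanza.tag.rsplit("}", 1)[-1] != "presence":
            continue
        if stanza.get("type") != "subscribe":
            continue
        sender, target = stanza.get("from"), stanza.get("to")
        if not sender or not target or not is_suspect_sender(sender):
            continue
        key = bare_jid(target)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # expire requests older than the window
        peak[key] = max(peak[key], len(q))
    return {t: n for t, n in peak.items() if n >= threshold}

# Constructed sample: six flood requests in six seconds plus one ordinary one.
_SEED = "abcdefghij0123456789"
SAMPLE = [(1000 + i, '<presence from="%s@example.net" to="victim@example.org" '
           'type="subscribe"/>' % (_SEED[i:] + _SEED[:i])) for i in range(6)]
SAMPLE.append((1003, '<presence from="alice@example.com" '
               'to="bob@example.org" type="subscribe"/>'))
SAMPLE.sort()
```

Legitimate users can also have 20-character localparts, so the result is a rate signal for review or throttling of the flagged target, not a blocklist of senders.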