[Operators] DDoS attack

Peter Saint-Andre stpeter at stpeter.im
Tue Feb 21 20:45:55 UTC 2012

Hash: SHA1

On 2/20/12 10:19 AM, Jonas Ådahl wrote:
> On Mon, Feb 20, 2012 at 5:51 PM, Mathias Ertl <mati at fsinf.at>
> wrote:
>> Jonas,
>> On 2012-02-20 17:41, Jonas Ådahl wrote:
>>> Today my server was bombarded with thousands of subscription
>>> requests from various different XMPP domains[0] resulting in it
>>> crashing. Also with these requests came identical messages[1].
>>> All of the accounts looks like [random characters]@domain.com
>>> such as 4yal71k4x2h2gzzsjiex at jabber.im. Seems like all of the
>>> requests were directed at one user.
>> Is it possible to draw up a list of accounts that took part in
>> the attack and send those accounts to the corresponding
>> server-admins, at least if they are known?
> Sadly no. I removed some files in order to get my gajim up and 
> running, and did not make any backups. Anyhow, for what I could
> tell all of the accounts were 20 character long and consisted only
> of random a-z and 0-9 characters. I put a very small portion of
> the accounts here: http://pastebin.com/b0NrDAEL that I recovered
> from my gajim message log. The list should be more like 6-7000 long
> instead of 54 however, but that's all I could find now.

Sorry to hear about this attack. This is yet more incentive for me to
finish working on the Incident Reporting spec:


I would bet that all of the domains involved allow in-band
registration (IBR), probably without CAPTCHAs. IMHO we need to think
about controlling IBR more carefully.


- -- 
Peter Saint-Andre

Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Operators mailing list