[Operators] DDoS attack

Peter Saint-Andre stpeter at stpeter.im
Tue Feb 21 20:45:55 UTC 2012


On 2/20/12 10:19 AM, Jonas Ådahl wrote:
> On Mon, Feb 20, 2012 at 5:51 PM, Mathias Ertl <mati at fsinf.at>
> wrote:
>> Jonas,
>> 
>> On 2012-02-20 17:41, Jonas Ådahl wrote:
>>> Today my server was bombarded with thousands of subscription
>>> requests from various different XMPP domains[0] resulting in it
>>> crashing. Also with these requests came identical messages[1].
>>> All of the accounts look like [random characters]@domain.com
>>> such as 4yal71k4x2h2gzzsjiex at jabber.im. Seems like all of the
>>> requests were directed at one user.
>> 
>> Is it possible to draw up a list of accounts that took part in
>> the attack and send those accounts to the corresponding
>> server-admins, at least if they are known?
>> 
> 
> Sadly no. I removed some files in order to get my gajim up and 
> running, and did not make any backups. Anyhow, from what I could
> tell all of the accounts were 20 characters long and consisted only
> of random a-z and 0-9 characters. I put a very small portion of
> the accounts here: http://pastebin.com/b0NrDAEL that I recovered
> from my gajim message log. The list should be more like 6-7000 long
> instead of 54 however, but that's all I could find now.

Sorry to hear about this attack. This is yet more incentive for me to
finish working on the Incident Reporting spec:

http://xmpp.org/extensions/xep-0268.html

I would bet that all of the domains involved allow in-band
registration (IBR), probably without CAPTCHAs. IMHO we need to think
about controlling IBR more carefully.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
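
An added example, not code from anyone in this thread: one way an operator could spot the pattern described above (many subscription requests to one user from accounts whose localpart is 20 random a-z/0-9 characters) in a stanza log. The function names, the `(time, stanza)` input shape, the window and the threshold are assumptions, and the sample stanzas are constructed.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Localpart shape reported in the thread: exactly 20 characters of a-z and 0-9.
RANDOM_LOCALPART = re.compile(r"[a-z0-9]{20}")

def bare_jid(jid):
    """Strip the resource and lowercase the JID."""
    return jid.split("/", 1)[0].lower()

def flooded_targets(events, window=60, threshold=5):
    """events: (unix_time, stanza_xml) pairs in time order.
    Returns {target: sorted sender domains} for every target that got
    subscribe requests from at least `threshold` distinct random-looking
    senders within `window` seconds. Both defaults are assumptions to tune.
    """
    recent = defaultdict(list)   # target -> [(time, sender)] still in window
    flagged = defaultdict(set)   # target -> domains the senders came from
    for ts, xml in events:
        if "<!DOCTYPE" in xml:   # DTDs are not allowed in XMPP; never expand them
            continue
        try:
            stanza = ET.fromstring(xml)
        except ET.ParseError:
            continue
        is_presence = stanza.tag.rsplit("}", 1)[-1] == "presence"
        if not is_presence or stanza.get("type") != "subscribe":
            continue
        sender = bare_jid(stanza.get("from", ""))
        target = bare_jid(stanza.get("to", ""))
        local, _, domain = sender.partition("@")
        if not domain or not RANDOM_LOCALPART.fullmatch(local):
            continue
        hits = [(t, s) for t, s in recent[target] if ts - t < window]
        hits.append((ts, sender))
        recent[target] = hits
        senders = {s for _, s in hits}
        if len(senders) >= threshold:
            flagged[target].update(s.partition("@")[2] for s in senders)
    return {t: sorted(d) for t, d in flagged.items()}

# Constructed sample: six random-looking senders on three example domains, then one normal request.
SAMPLE = [(1000 + i, "<presence from='%s@srv%d.example' to='victim@target.example'"
           " type='subscribe'/>" % (hashlib.sha1(bytes([i])).hexdigest()[:20], i % 3))
          for i in range(6)]
SAMPLE.append((1010, "<presence from='alice@friend.example/home'"
               " to='bob@target.example' type='subscribe'/>"))
```

The per-target list of sender domains is what an operator would need in order to contact the other servers' admins, as asked earlier in the thread.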



