[Operators] DDoS attacks against jabber.org

Mathias Ertl mati at fsinf.at
Thu Feb 6 21:21:12 UTC 2014


On 02/06/2014 07:11 PM, Peter Saint-Andre wrote:
> The jabber.org IM service has experienced an ongoing DDoS attack over
> the last several days.

We have also seen such attacks (on a limited and very short timescale).
I hope you manage to get rid of those attacks - best of luck! Do the
accounts (i.e. their nick) look similar in some way?

> The attack occurs over XMPP (not TCP) and has
> originated from JabberIDs registered with a broad cross-section of
> servers on the public XMPP network. As far as we have been able to
> determine, most of these servers offer In-Band Registration (XEP-0077)
> with few if any restrictions (such as CAPTCHAs, although we know those
> are easily thwarted anyway).
> The jabber.org admins have taken a number of steps to limit the impact
> of these DDoS attacks. Unfortunately, among those steps, we have been
> forced to disable server-to-server communication from the servers that
> host the accounts that are attacking jabber.org. We really don't like it
> that legitimate users of these servers are thereby prevented from
> communicating with users at jabber.org, but at this point we have no
> choice.
> The list of servers we are currently blocking can be found at the end of
> this message. We will update this list as needed, because we are
> continuing to discover more servers with DDoS accounts on them.
> If you run one of these servers, please let us know when you've added
> additional protection against registration abuse, along with details
> about what you've done, so that we can re-enable federation with your
> server.

Is registration abuse really an issue here? I mean: Are hundreds of
accounts from the same server participating in the attack? Or just one
account per server?

BTW: We discussed issues like this before. What has happened on the
network with regards to this issue since then?

greetings, Mati

> Thanks!
> Peter (for the jabber.org admin team)
> ###
> bal-s.ru
> bks-tv.ru
> debianforum.de
> footter.com
> games.onego.ru
> im.apinc.org
> im.hadrien.eu
> iraqtalk.org
> jabber.com.ua
> jabber.fr
> jabber.mipt.ru
> jabber.murom.net
> jabber.nln.ru
> jabber.no
> jabber.snc.ru
> jabber.stream.uz
> jabber.totel.ru
> jabber.tsk.ru
> jabber.wiretrip.org
> jabber-br.org
> jabbernet.dk
> kofeina.net
> linux.pl
> octro.net
> oneteam.im
> talk.mipt.ru
> talkers.im
> zsh.su
> ###

twitter: @mathiasertl | xing: Mathias Ertl | email: mati at er.tl
I only read plain-text mail!  I prefer signed/encrypted mail!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6044 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/operators/attachments/20140206/b18ff3c2/attachment.bin>

More information about the Operators mailing list