[Operators] DDoS attacks against jabber.org
jsf at edwinm.ik.nu
Thu Feb 6 22:32:33 UTC 2014
On 06/02/14 22:21, Mathias Ertl wrote:
> On 02/06/2014 07:11 PM, Peter Saint-Andre wrote:
>> The jabber.org IM service has experienced an ongoing DDoS attack over
>> the last several days.
> We have also seen such attacks (on a limited and very short timescale).
> I hope you manage to get rid of those attacks - best of luck! Do the
> accounts (i.e. their nick) look similar in some way?
All accounts used in the attacks follow the same pattern.
>> The attack occurs over XMPP (not TCP) and has
>> originated from JabberIDs registered with a broad cross-section of
>> servers on the public XMPP network. As far as we have been able to
>> determine, most of these servers offer In-Band Registration (XEP-0077)
>> with few if any restrictions (such as CAPTCHAs, although we know those
>> are easily thwarted anyway).
>> The jabber.org admins have taken a number of steps to limit the impact
>> of these DDoS attacks. Unfortunately, among those steps, we have been
>> forced to disable server-to-server communication from the servers that
>> host the accounts that are attacking jabber.org. We really don't like it
>> that legitimate users of these servers are thereby prevented from
>> communicating with users at jabber.org, but at this point we have no
>> The list of servers we are currently blocking can be found at the end of
>> this message. We will update this list as needed, because we are
>> continuing to discover more servers with DDoS accounts on them.
>> If you run one of these servers, please let us know when you've added
>> additional protection against registration abuse, along with details
>> about what you've done, so that we can re-enable federation with your
> Is registration abuse really an issue here? I mean: Are hundreds of
> accounts from the same server participating in the attack? Or just one
> account per server?
Many accounts per domain, as far as I have seen.
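The question in this thread (many attacking accounts per server, or one per server, and whether the account names look alike) can be checked from a list of sender JIDs already flagged as abusive. The sketch below is an added example, not part of the original messages or of any jabber.org tooling; the sample JIDs, the character-class "shape" heuristic, the `min_accounts` threshold and the "domain"/"jid" scope labels are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: sender JIDs of stanzas an operator has already flagged.
FLAGGED_SENDERS = [
    "xk3921@open-reg.example/bot",
    "qz1184@open-reg.example/bot",
    "mb7730@open-reg.example",
    "LT0042@Open-Reg.example/x",
    "alice@small.example/home",
    "pw5561@other-open.example/bot",
    "rv9027@other-open.example/bot",
]

def split_jid(jid):
    """Return (localpart, domain); resource dropped, plain lowercasing (simplified)."""
    bare = jid.split("/", 1)[0]          # the resource may itself contain '@' or '/'
    local, sep, domain = bare.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a user JID: {jid!r}")
    return local.lower(), domain.lower()

def shape(localpart):
    """Collapse a lowercased localpart to run-lengths of classes: 'xk3921' -> 'L2D4'."""
    classes = re.sub(r"[0-9]", "D", re.sub(r"[a-z]", "L", localpart))
    return re.sub(r"(.)\1*", lambda m: f"{m.group(1)}{len(m.group(0))}", classes)

def summarize(senders, min_accounts=3):
    """Per domain: distinct flagged accounts, dominant name shape, suggested block scope."""
    accounts = defaultdict(set)
    for jid in senders:
        local, domain = split_jid(jid)
        accounts[domain].add(local)
    report = {}
    for domain, names in accounts.items():
        top_shape, top_count = Counter(shape(n) for n in names).most_common(1)[0]
        report[domain] = {
            "accounts": len(names),
            "top_shape": top_shape,
            "shape_share": top_count / len(names),
            # Assumption: many accounts -> candidate for an s2s block, else per-JID.
            "scope": "domain" if len(names) >= min_accounts else "jid",
        }
    return report

if __name__ == "__main__":
    for domain, row in sorted(summarize(FLAGGED_SENDERS).items()):
        print(domain, row)
```

A domain whose flagged accounts are numerous and share one shape points at automated registration on that server rather than a single abusive user.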