[Operators] XMPP DDoS on yax.im today

Georg Lukas georg at op-co.de
Mon Aug 29 16:31:41 UTC 2016


Hey folks,

just wanted to let you know that today there was an almost 6h long
XMPP-level DDoS against a single user account on yax.im. The JID was
targeted by a flood of messages with random body content from thousands
of users on over a hundred different servers.

The source of the traffic (I've counted 791K individual messages between
7AM and 9:20AM CEST before shutting down logging for that JID) were
19249 distinct user accounts on 131 different servers/domains.

I've attached the list of domains (with the number of distinct spammer
accounts per domain). Operators can contact me via XMPP at georg at yax.im
to get their respective account names listed. The spammer JIDs had one
of the following schemas:

 * <number>@domain (~4K)
 * <firstname><delimiter><lastname><number>@domain (probably the rest)

The delimiter is one of "", "-", "_" or ".", and the names look like they
come from a typical dictionary file. The numbers have five digits or more.

I've seen similar accounts registered on yax.im in the past, and used
for DDoS against other accounts. The registrations were performed via
open proxies, with a very good detection rate in
proxies.dnsbl.sorbs.net.

The content of the messages was random character strings with a length
uniformly distributed between 5 and 128 characters. There were some
longer outliers that contained the substring jsmart.web.id (maybe a
templating bug in the flood script, indicating the C&C server?).

The destination JID was an account that was deleted several months ago
due to spam activity, so whoever wanted to take revenge: sorry, bad
luck. You'd be better off just asking me next time.

To the server operators:

 * please perform RBL checks on your IBR, and check for spikes in
   account registrations.
 * Also please throttle outgoing traffic from individual users to reduce
   the load on the other XMPP servers.
 * If you encounter masses of accounts with the above JID scheme, tarpit
   them!


Kind regards

Georg
-- 
|| http://op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++
|| gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+  ||
|| Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?   ||
++ IRCnet OFTC OPN ||_________________________________________________||
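Added example, not code from Georg's post or from yax.im: a small Python
script that applies the two spammer JID schemas from the post to a
constructed message log, counts distinct suspicious accounts per domain
(the kind of per-domain list the post attaches), and flags senders that
exceed a per-window message rate as candidates for throttling or
tarpitting. The log line format (unix timestamp, from, to, body), the
domains and all JIDs in SAMPLE_LOG are assumptions made up for the
example; the body heuristic only encodes the "5 to 128 random characters"
description and is not a dictionary check.

```python
"""Classify sender JIDs and spot floods in a constructed XMPP message log.

Added example for the yax.im DDoS write-up; none of this is yax.im's code.
The log format (unix_ts, from, to, body, space-separated) is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Schema 1 from the post: <number>@domain
NUMERIC_LOCALPART = re.compile(r"^\d+$")
# Schema 2: <firstname><delimiter><lastname><number>@domain, delimiter one of
# "", "-", "_", ".", number of five or more digits. No dictionary lookup is done,
# so this is a heuristic that can mis-flag legitimate name+number localparts.
NAME_NAME_NUMBER = re.compile(r"^[a-z]{2,}[-_.]?[a-z]{2,}\d{5,}$", re.IGNORECASE)

# Constructed sample log (hypothetical domains/JIDs): one numeric-schema sender
# bursting four messages in one second, three name-schema senders, one real user.
SAMPLE_LOG = """\
1472454001 48213@flood.example victim@yax.im kq3Lz9vA7
1472454001 48213@flood.example victim@yax.im Zt81mQpL
1472454001 48213@flood.example victim@yax.im 9bXcW2nRq
1472454001 48213@flood.example victim@yax.im mN4kS8dPw
1472454001 john_smith84412@flood.example victim@yax.im Hr7QpLm2
1472454002 mary.jones193847@other.example victim@yax.im x9TzQ4Lp
1472454002 robertbrown55512@other.example victim@yax.im Lm2k8
1472454003 alice@friendly.example victim@yax.im hi, are you still around?
1472454004 alice@friendly.example victim@yax.im ping
"""


@dataclass
class Message:
    ts: int
    sender: str
    recipient: str
    body: str


def split_jid(jid):
    """Return (localpart, domain) of a JID, dropping any /resource suffix."""
    bare = jid.split("/", 1)[0]
    local, _, domain = bare.rpartition("@")
    return local, domain


def classify_jid(jid):
    """Map a JID to 'numeric', 'name-name-number' (the two schemas) or 'other'."""
    local, _ = split_jid(jid)
    if NUMERIC_LOCALPART.match(local):
        return "numeric"
    if NAME_NAME_NUMBER.match(local):
        return "name-name-number"
    return "other"


def body_looks_random(body):
    """5..128 chars, no whitespace, mixes letters and digits: the flood's body shape."""
    if not 5 <= len(body) <= 128 or any(c.isspace() for c in body):
        return False
    return any(c.isalpha() for c in body) and any(c.isdigit() for c in body)


def parse_log(text):
    """Parse the assumed 'ts from to body' lines into Message objects."""
    msgs = []
    for line in text.splitlines():
        if line.strip():
            ts, sender, recipient, body = line.split(" ", 3)
            msgs.append(Message(int(ts), sender, recipient, body))
    return msgs


def suspicious_accounts_per_domain(msgs):
    """Count distinct senders matching either schema, grouped by their domain."""
    seen = defaultdict(set)
    for m in msgs:
        if classify_jid(m.sender) != "other":
            local, domain = split_jid(m.sender)
            seen[domain].add(local)
    return {domain: len(locals_) for domain, locals_ in seen.items()}


def senders_over_rate(msgs, limit, window):
    """Senders sending more than `limit` messages inside any `window`-second span."""
    by_sender = defaultdict(list)
    for m in msgs:
        by_sender[m.sender].append(m.ts)
    flagged = set()
    for sender, stamps in by_sender.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] >= window:  # slide window start forward
                lo += 1
            if hi - lo + 1 > limit:
                flagged.add(sender)
                break
    return flagged


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    print("suspicious accounts per domain:", suspicious_accounts_per_domain(msgs))
    print("senders over 3 msgs/s:", senders_over_rate(msgs, limit=3, window=1))
    print("random-looking bodies:", sum(body_looks_random(m.body) for m in msgs))
```

On a real server the same per-domain counts would feed the operator
notifications the post describes, and the rate flag is the trigger for
throttling or tarpitting an account rather than a verdict on its own: a
legitimate user can burst occasionally, so combine it with the JID schema
match and the random-body check before acting.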