[Operators] XMPP DDoS on yax.im today

Georg Lukas georg at op-co.de
Sat Sep 3 16:36:13 UTC 2016


Hi, I know this is getting boring...

yax.im has been DDoSed every day since the first report, with 6h-12h of
traffic every day. The traffic patterns and JID structures are all the
same, but I have some more insights to contribute.

Some of the zombies were registered on my server as well, with their IBR
timestamp on 2016-06-27.

The registrations and the logins originated from the IP 31.184.194.36
which looks like an outdated Debian box at a Russian hosting company.
I've sent an abuse report but my hopes aren't high.

Please block 31.184.194.36 in your firewalls and delete accounts
registered via that IP, to get rid of this one kiddie. Again, the list
of domains is attached to this email and you can request the list of
JIDs for your domain.

Regarding possible mitigations, this is what I do on yax.im now from a
cron job:

prosodyctl mod_list_inactive yax.im 1day event | \
        grep ' registered' | \
        awk '{ print "user:delete\"" $1 "\"" }' | \
        nc localhost 5582

This requires the mod_lastlog module to be enabled (for users' last
activity timestamps); it dumps the list of JIDs that were registered more
than 24h ago and never logged in, and pipes their deletion to
mod_admin_telnet.


Have a nice weekend,


Georg
-- 
|| http://op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++
|| gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+  ||
|| Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?   ||
++ IRCnet OFTC OPN ||_________________________________________________||
-------------- next part --------------
    272 0l.de
    740 4impact.net.au
      6 alltagskotze.net
    736 anderson.de
      1 armada.im
    143 aws-pns-qa-01.primo.me
    507 bam.yt
    682 bashtel.ru
    754 basket.coach
      3 chaospott.de
    373 chatme.biz
     85 chatme.chat
    379 chatme.community
    406 chatme.education
     77 chatme.im
    390 chatme.link
     40 chatme.lol
    605 chatme.sexy
    188 chatme.singles
    276 chatme.social
     54 chatme.top
     55 chatme.wiki
    522 chatme.xyz
      3 chat.mypush.com.br
     35 cirr.com
      2 coding4coffee.ch
   1780 codingteam.net
     18 connyolivier.nl
     47 copyleftgames.org
    173 crypt.am
    197 crypt.mn
    169 cypherpunks.it
      1 daitauha.fr
     10 darkdna.net
      1 darknet.im
   2602 dcgate.org.ua
    146 default.rs
      1 devolute.org
    349 dotchat.me
   1829 dukgo.com
      1 dzen.im
    241 einfachjabber.de
     47 entodaspartes.org
     47 enviro.cz
     47 erleuchtet.org
      5 exploit.im
      1 farline.ua
      1 fasel.me
     16 forwork.chat
    455 freexmpp.net
    214 f-sh.de
    626 fuckav.in
      1 furry.im
    306 getchat.link
    584 getchatme.link
     19 ghostdub.de
   2512 gorod.nu
      1 graasmilk.net
     24 guardianproject.info
     24 hackinq.pl
      1 haste.ch
   1825 igniterealtime.org
   5200 im.flosoft.biz
     16 im.meticul.eu
     24 im.pboesch.fr
     24 im.primo.me
      1 infornographie.net
      1 injabber.info
      1 instalock.pl
     24 itns.co.za
     24 j3e.de
      1 j3ws.biz
      1 jabber.bol.ru
     23 jabber.c3d2.de
     32 jabber.com.de
   3023 jabber.co.za
      1 jabber.cz
     25 jabber.dark-world.de
    802 jabber.dol.ru
      1 jabber.fdn.fr
    116 jabber.icequake.net
     48 jabber.ipfire.org
      1 jabber.ivanovo.ru
     23 jabber.lancs.ac.uk
    833 jabber.lg.ua
     10 jabber.linux360.ro
     23 jabber.logilab.org
    686 jabber.me
    456 jabber.mipt.ru
    312 jabber.mk.ua
     23 jabber.nerdbase.de
      1 jabber.netzgehirn.de
      3 jabberon.ru
    716 jabber.ozerki.net
    337 jabber.perm.ru
    761 jabberpl.org
    255 jabber.smash-net.org
     81 jabber.tanet.ru
    222 jabber.tsk.ru
      2 jabbim.com
      3 jabbim.cz
      1 jabbim.pl
      1 jabbim.sk
      3 j-talk.me
   3332 kdetalk.net
    523 oneteam.im
     23 palita.net
   6518 pandion.im
    349 parliamone.club
    148 p-h.im
     88 probiv.cc
    200 probiv.me
    349 prv.name
      1 rosolina.estate
    155 rows.io
    199 rusanen.me
    357 sj.ms
    337 slang.cool
      2 sudouser.ru
      2 syslinux.ru
    292 talk.mipt.ru
    846 tigase.im
     61 topsec.in
      4 ustkut.ru
    159 volity.net
     29 vsjmaxx.co
     84 weather.im
     75 westchat.de
      2 wirdorange.org
    117 wizardtales.com
      3 wwh.so
    117 www.hda.me
      3 www.lunaiten.de
      7 xjabber.pro
    230 xmpp.cm
      2 xmppcomm.com
      2 xmpp.elbinario.net
    430 xmpp.guru
   1492 xmpp.is
    272 xmpp.jp
    178 xmpp.pro
    783 xmpp.su
    482 xmpp.technology
    189 xsrv.me
      9 yax.im
      1 zloy.im
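A worked version of the cleanup pipeline above, added here as an example and not Georg's own script. It assumes, as the original pipeline does, that the "event" output of mod_list_inactive prints one account per line as "<jid> registered" for accounts that registered but never logged in, and that mod_admin_telnet listens on localhost:5582. The sample input is constructed for offline testing; the only differences from the original are that the JID is checked to be a plain localpart@host before it is written into a Lua call (so an odd localpart or an account on another host never reaches the console), that the call uses user:delete("...") with explicit parentheses, and that a DRY_RUN switch prints the commands instead of sending them.

```shell
#!/bin/sh
# Added example: turn the "event" output of
#   prosodyctl mod_list_inactive <host> 1day event
# into mod_admin_telnet commands for never-logged-in accounts on <host>.
# Assumed input format (from the original pipeline): "<jid> registered".

# Constructed sample of mod_list_inactive event output (not real data).
SAMPLE_EVENTS='zombie1@yax.im registered
alice@yax.im logged in
zombie2@yax.im registered
bob@yax.im logged out
evil"@yax.im registered
nothost@example.org registered'

# Read event lines on stdin, print one user:delete("...") line per account
# that is (a) marked "registered", (b) on the given host, and (c) a plain
# localpart (letters, digits, . _ = + -). Everything else is dropped, so no
# unexpected characters are ever written into the Lua console.
inactive_to_delete_cmds() {
    awk -v host="$1" '
        NF == 2 && $2 == "registered" {
            if (split($1, p, "@") == 2 && p[2] == host &&
                p[1] ~ /^[A-Za-z0-9._=+-]+$/)
                printf "user:delete(\"%s\")\n", $1
        }'
}

# Real run: needs prosodyctl and mod_admin_telnet, so it is not exercised
# by the sample below. DRY_RUN=1 prints the commands instead of sending them.
cleanup_never_logged_in() {
    prosodyctl mod_list_inactive "$1" 1day event \
        | inactive_to_delete_cmds "$1" \
        | if [ "${DRY_RUN:-0}" = 1 ]; then cat; else nc localhost 5582; fi
}

# Stand-alone demo on the constructed sample: prints the two zombie deletions.
printf '%s\n' "$SAMPLE_EVENTS" | inactive_to_delete_cmds yax.im
```

Run it as DRY_RUN=1 cleanup_never_logged_in yax.im first and compare the count against what you expect from mod_list_inactive before letting cron send the deletions for real.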