Hey folks, just wanted to let you know that today there was an almost 6h long XMPP-level DDoS against a single user account on yax.im. The JID was targeted by a flood of messages with random body content from thousands of users on over a hundred different servers.
The source of the traffic (I've counted 791K individual messages between 7AM and 9:20AM CEST before shutting down logging for that JID) were 19249 distinct user accounts on 131 different servers/domains. I've attached the list of domains (with the number of distinct spammer accounts per domain). Operators can contact me via XMPP at [email protected] to get their respective account names listed.

The spammer JIDs had one of the following schemas:

* <number>@domain (~4K)
* <firstname><delimiter><lastname><number>@domain (probably the rest)

The delimiter is one of "", "-", "_" or ".", the names look like they come from a typical dictionary file. The numbers have five digits or more. I've seen similar accounts registered on yax.im in the past, and used for DDoS against other accounts. The registrations were performed via open proxies, with a very good detection rate in proxies.dnsbl.sorbs.net.

The content of the messages was random character strings with a length uniformly distributed between 5 and 128 characters. There were some longer outliers that contained the substring jsmart.web.id (maybe a templating bug in the flood script, indicating the C&C server?).

The destination JID was an account that was deleted several months ago due to spam activity, so whoever wanted to take revenge: sorry, bad luck. You'd better just ask me next time.

To the server operators:

* Please perform RBL checks on your IBR, and check for spikes in account registrations.
* Also please throttle outgoing traffic from individual users to reduce the load on the other XMPP servers.
* If you encounter masses of accounts with the above JID scheme, tarpit them!

Kind regards

Georg

-- 
|| http://op-co.de ++ GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N ++ ||
|| gpg: 0x962FD2DE || o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+ ||
|| Ge0rG: euIRCnet || X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y? ||
|| ++ IRCnet OFTC OPN ||_________________________________________________||
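The JID naming schemas Georg describes (pure numbers, or two dictionary words joined by "", "-", "_" or "." followed by five or more digits) lend themselves to a simple per-domain registration check. The following is an added example written for this page, not code from the post or from yax.im: it classifies bare JIDs against those two heuristics and counts matching accounts per domain; the sample JIDs and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Heuristics for the two account-naming schemas described in the post:
#   1) <number>@domain
#   2) <firstname><delimiter><lastname><number>@domain, delimiter one of
#      "", "-", "_" or ".", number of five or more digits
NUMERIC_LOCALPART = re.compile(r"^\d+$")
NAME_NAME_NUMBER = re.compile(r"^[a-z]+[-_.]?[a-z]+\d{5,}$", re.IGNORECASE)


def classify_jid(jid):
    """Return 'numeric', 'name-number' or None for a bare JID."""
    local, sep, domain = jid.partition("@")
    if not sep or not local or not domain:
        return None
    if NUMERIC_LOCALPART.match(local):
        return "numeric"
    if NAME_NAME_NUMBER.match(local):
        return "name-number"
    return None


def suspicious_domains(sender_jids, min_accounts=3):
    """Count distinct schema-matching accounts per domain and return the
    domains at or above min_accounts (candidates for tarpitting / contacting
    the operator). The threshold is an assumption, tune it per deployment."""
    per_domain = defaultdict(set)
    for jid in sender_jids:
        if classify_jid(jid):
            local, _, domain = jid.partition("@")
            per_domain[domain.lower()].add(local.lower())
    return {d: len(a) for d, a in per_domain.items() if len(a) >= min_accounts}


# Constructed sample senders (not data from the incident)
SAMPLE_SENDERS = [
    "48213@example.org", "john.smith93140@example.org",
    "mary_jones20011@example.org", "petermiller55102@example.org",
    "alice-brown7712@example.org",   # only four digits: not matched
    "admin@example.org", "bob@example.net", "71502@example.net",
]

if __name__ == "__main__":
    for jid in SAMPLE_SENDERS:
        print(jid, "->", classify_jid(jid))
    print(suspicious_domains(SAMPLE_SENDERS))  # {'example.org': 4}
```

Run against the sender set of a flood window, the per-domain counts point at the servers whose operators should be contacted for the account list.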