I sent out a notification to all online users yesterday informing them of an emergency Prosody restart due to an attack. Don’t worry though, it doesn’t affect the security of the server itself! It seems the goal was to exhaust resources (CPU/memory/storage). I’ve implemented some counter-measures to prevent this from causing the server’s load to spike as high as it did. As of yesterday mod_limits has been enabled. This should prevent any single connection, whether C2S or S2S, from hogging system resources. I’ve also witnessed attacks that spam offline users with messages going up to 20GB in some cases. XMPP.is stores offline messages and there was no limit set before I noticed. I’ve set up a cron job to find and delete offline messages (every minute) above a certain file size to prevent a malicious spammer from filling up the entire disk.
This attack didn’t really do all that much though… It brought down the registration page a few times but everything else stayed up.
Full attack traffic (48 hours):
CPU usage (48 hours):
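For anyone running their own Prosody instance, here is the shape of the oversized-offline-store cleanup described above, written as an added example rather than the actual XMPP.is cron job. It assumes offline messages end up as regular files under a per-host directory (the path and the 10 MiB threshold below are placeholders), and it logs every deleted path so you can review what was pruned.

```shell
#!/bin/sh
# Added example, not the XMPP.is cron job itself. It assumes Prosody keeps
# each user's offline messages as a regular file under OFFLINE_DIR (placeholder
# path) and that any file above the size threshold is spam to be discarded.
set -eu

# prune_offline DIR MAX_KB
# Deletes every regular file under DIR larger than MAX_KB KiB, logs each
# deleted path to stderr for later review, and prints how many were removed.
prune_offline() {
  dir="$1"
  max_kb="$2"
  if [ ! -d "$dir" ]; then
    echo 0
    return 0
  fi
  # -size +Nk means "more than N KiB"; -print is evaluated before -delete,
  # so each path is captured right before its file is removed.
  deleted=$(find "$dir" -type f -size +"${max_kb}k" -print -delete)
  if [ -z "$deleted" ]; then
    echo 0
    return 0
  fi
  printf '%s\n' "$deleted" | sed 's/^/pruned oversized offline store: /' >&2
  printf '%s\n' "$deleted" | wc -l | tr -d ' '
}

# Cron entry (assumed install path), running every minute as described above:
#   * * * * * /usr/local/bin/prune_offline.sh
OFFLINE_DIR="${OFFLINE_DIR:-/var/lib/prosody/PLACEHOLDER_HOST/offline}"
MAX_KB="${MAX_KB:-10240}"   # 10 MiB; pick a limit above any legitimate backlog
prune_offline "$OFFLINE_DIR" "$MAX_KB" >/dev/null
```

Pruning is a blunt instrument, so keep the stderr log (cron mails it by default) and pick a threshold comfortably above the largest backlog a real user could accumulate.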
XEP-0352 has been implemented as of now via the following Prosody modules.
These will help save battery and data for mobile users. For further details please see the module’s description.
Support has been added to XMPP.is for the following XEPs.
Other Changes During Maintenance:
- Added anti-bruteforce module (mod_limit_auth)
- Prevented MUC room info from disappearing (I think)
- Upgraded to Debian 8.8
- Updated configs on transparency page
I have more news for you. It’s now possible to register via the XMPP.is website, all you need to do is go to xmpp.is/register (and fill out the details) which is also listed on the top menu bar. I’ve decided to implement this because there have been waves of XMPP spam going around and they seem to be bots that register with XMPP servers that don’t have a captcha. It also seems easier, and more appealing to most people, to register through the web instead of through a client.
What does this mean? Well, although I’m adding a nice feature I’m going to be taking one away… The usual in-band registration via the various XMPP clients is going to be disabled in the next few days because there is no viable solution to stop spammers from registering through it. So let all your friends know! I’ve also seen some strange behavior where thousands upon thousands of accounts were registered with different but similar names (possibly trying to take up all the cool usernames). I’d like for this kind of thing to stop, so this is the solution I came up with.
Users of our .onion XMPP server don’t need to worry, you’ll still register through your client.
Stay tuned for updates on our Twitter. Happy chatting!
I should have enabled and loaded this module a while ago but as of February 1st it’s now active. It allows you to block specific users so you don’t continue to receive messages from them. On most clients (like Pidgin) you can just right click the user in question and click “Block”. With the wave of XMPP spam going around I felt it was absolutely necessary to have. Read more on it here.
I’d also like to mention that I’m continuously looking into ways to make XMPP.is more user friendly through Prosody modules. I haven’t had a lot of time recently but I’m working on it! If you have any suggestions feel free to contact me.