I’d just like to thank everyone who donated via PayPal & Bitcoin recently. We have finally hit our donation goal of $40 (PayPal) and I received a generous $20 Bitcoin donation last week. I’ll be increasing the goal every time it is hit from now on. This will help us properly keep track of the amount of PayPal donations we receive. I’m planning to use the money to buy new domains for XMPP.is, which people will be able to use primarily for XMPP accounts. If you have any ideas for a domain, let me know! I already own the domain “xmpp.co” but I’m looking to acquire others, even buying them from others if needed.
In other news… I have since disabled the Prosody throttle_presence module because it was very buggy and generating a massive amount of error logs. I’ve also added a few more donation methods including Ethereum, Litecoin and Auroracoin, which you can find at xmpp.is/donate.
I sent out a notification to all online users yesterday informing them of an emergency Prosody restart due to an attack. Don’t worry though, it doesn’t affect the security of the server itself! It seems the goal was to exhaust resources (CPU/Memory/Storage). I’ve implemented some counter-measures to prevent this from causing the server’s load to spike as high as it did. As of yesterday mod_limits has been enabled. This should prevent any single connection, whether C2S or S2S, from hogging system resources. I’ve also witnessed attacks that spam offline users with messages, going up to 20GB in some cases. XMPP.is stores offline messages and there was no limit set before I noticed. I’ve set up a cron job to find and delete offline messages (every minute) above a certain file size, to prevent some malicious spammer from filling up the entire disk.
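An added example of that per-minute cleanup job (not the script XMPP.is actually runs): it assumes Prosody’s internal storage layout, where a host’s offline spool lives under `<data_path>/<encoded host>/offline/<user>.list`, and a 1 MiB threshold; the path, the threshold and the script name are all assumptions.

```shell
#!/bin/sh
# Added example, not XMPP.is's own script: prune oversized Prosody offline-message
# files so a spammer cannot fill the disk with queued messages.
# Assumptions: Prosody internal storage (<data_path>/<host>/offline/<user>.list),
# a 1 MiB cut-off, and the script installed as /usr/local/sbin/prune_offline.sh.
set -eu

# Delete every regular file under directory $1 larger than $2 (a find(1) -size
# argument, e.g. 1024k) and write the number of files removed to stdout.
prune_oversized_offline() {
    dir="$1"
    limit="${2:-1024k}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # -type f skips directories and symlinks; -size +N matches strictly larger files.
    # Paths are printed before deletion so the count can be logged by cron's mail.
    find "$dir" -type f -size +"$limit" -print -exec rm -f {} + | wc -l | tr -d ' '
}

# Run from the command line (assumed encoded host directory for xmpp.is):
#   prune_oversized_offline /var/lib/prosody/xmpp%2eis/offline 1024k
# Cron entry to run it every minute as the prosody user (assumed script path):
#   * * * * * /usr/local/sbin/prune_offline.sh
```

Because the spool is scanned every minute, a queued message can still grow past the threshold briefly; the cap only bounds how much disk one spammer can tie up between runs.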
This attack didn’t really do all that much though… It brought down the registration page a few times but everything else stayed up.
Full attack traffic (48 hours):
CPU usage (48 hours):
XEP-0352 has now been implemented via the following Prosody modules.
These will help save battery and data for mobile users. For further details please see the modules’ descriptions.
Support has been added to XMPP.is for the following XEPs.
Other Changes During Maintenance:
- Added anti-bruteforce module (mod_limit_auth)
- Prevented MUC room info from disappearing (I think)
- Upgraded to Debian 8.8
- Updated configs on transparency page
I have more news for you. It’s now possible to register via the XMPP.is website; all you need to do is go to xmpp.is/register (and fill out the details), which is also listed on the top menu bar. I’ve decided to implement this because there have been waves of XMPP spam going around, and they seem to be bots that register with XMPP servers that don’t have a captcha. Registering through the web also seems easier and appeals to more people than registering through a client.
What does this mean? Well, although I’m adding a nice feature I’m going to be taking one away… The usual in-band registration via the various XMPP clients is going to be disabled in the next few days because there is no viable solution to stop spammers from registering through it. So let all your friends know! I’ve also seen some strange behavior where thousands upon thousands of accounts were registered with different but similar names (possibly trying to take up all the cool usernames). I’d like for this kind of thing to stop, so this is the solution I came up with.
Users of our .onion XMPP server don’t need to worry: you’ll still register through your client.
Stay tuned for updates on our Twitter. Happy chatting!