synapse
Proper way to decommission homeserver from federation to stop inbound traffic
This issue has been migrated from #3765.
It would be useful to have an actual way to decommission servers. In theory, servers can leave all rooms and be done with it, but that is non-trivial and in practice servers will get federation requests for basically forever.
A possible measure would be a specific value in the SRV record, or an HTTP response that tells other servers that this server no longer participates in the federation and shouldn't be pinged again.
(kind of related to #3286, but for federation traffic instead of client traffic)
I've decommissioned a test server some months/years ago.
Until today, I collect around 1.2k requests from about 160 unique IP addresses of possible servers that ask my apex domain on /.well-known/matrix/server what's up daily.
Would be great to tell them to stop properly. Not sure what else I could do than tell them 404 or block them in the WAF.
About a mil requests later, here is a crowdsec scenario to ban all hosts automatically:
```yaml
# Trigger bucket: overflows (raises an alert) on the first matching event.
type: trigger
name: whatever/matrix-wellknown-probing
description: "Detect matrix .well-known probing"
# Match 404 responses for the Matrix server discovery path, case-insensitively.
filter: |
  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
  evt.Meta.http_status == '404' and
  Upper(evt.Meta.http_path) contains Upper('/.well-known/matrix/server')
# One bucket per source IP.
groupby: evt.Meta.source_ip
# Silence repeat alerts from the same bucket for 5 minutes.
blackhole: 5m
labels:
  service: http
  remediation: true
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1498
  behavior: "http:dos"
  label: "HTTP DOS by matrix servers inquiring about decommissioned server"
```
Place into /etc/crowdsec/scenarios and reload the service.
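
To check which hosts the scenario above would report before deploying it, here is an added example (not from this thread and not CrowdSec code) that replays its filter, groupby and blackhole logic over access-log lines. The combined log format, the sample lines and IPs, and the simplified blackhole model are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in nginx/Apache "combined" format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:00 +0000] "GET /.well-known/matrix/server HTTP/1.1" 404 153 "-" "Synapse/1.99.0"
203.0.113.7 - - [01/Mar/2024:10:02:00 +0000] "GET /.WELL-KNOWN/matrix/server HTTP/1.1" 404 153 "-" "Synapse/1.99.0"
198.51.100.9 - - [01/Mar/2024:10:03:00 +0000] "GET /.well-known/matrix/server HTTP/1.1" 200 30 "-" "Synapse/1.99.0"
198.51.100.20 - - [01/Mar/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [01/Mar/2024:10:06:00 +0000] "GET /.well-known/matrix/server HTTP/1.1" 404 153 "-" "Synapse/1.99.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
PROBE_PATH = "/.well-known/matrix/server"
BLACKHOLE = timedelta(minutes=5)  # mirrors "blackhole: 5m"


def matches_filter(status, path):
    """Same conditions as the scenario filter: 404 and a case-insensitive path match."""
    return status == "404" and PROBE_PATH.upper() in path.upper()


def simulate(log_text):
    """Return the (timestamp, ip) alerts a per-IP trigger with a 5m blackhole would raise."""
    alerts, muted_until = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not matches_filter(m["status"], m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]  # groupby: one bucket per source IP
        if ip in muted_until and ts < muted_until[ip]:
            continue  # inside the blackhole window: no repeat alert (simplified model)
        alerts.append((ts.isoformat(), ip))
        muted_until[ip] = ts + BLACKHOLE
    return alerts


if __name__ == "__main__":
    for ts, ip in simulate(SAMPLE_LOG):
        print(ts, ip, "would be reported")
```

Only 404 responses for the discovery path count, so a host that still receives a 200 for the path, or a 404 for some other path, is never reported.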