Wordpress "Pingback" DDoS Attacks
Sucuri detected an interesting "reflective" attack using the Wordpress Pingback feature to attack web sites [1]. Unlike other reflective attacks that use UDP services like NTP and DNS, this attacks uses the Wordpress Pingback feature.
The intend of Pingback is to notify a site that you link to about the link hoping that the site you are linking to will return the favor. Some systems automate this and maintain automated lists linking back to sites that covered their article. In order to implement pingback, Wordpress implements an XML-RPC API function. This function will then send a request to the site to which you would like to send a "pingback".
With Wordpress, the Pingback is sent as a POST request to the /xmlrpc.php request. The body of the request will look like:
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://victim</string></value></param>
<param><value><string>http://reflector</string></value></param>
</params>
</methodCall>
For the attack seen by Sucuri, the "victim" URL included a random parameter like "victim.com?123456=123456" to prevent caching.
The result of this request is that your Wordpress install will send a request to the victim's site. I don't think the attack will provide a significant traffic amplification, but it does obfuscate the actual source of the attack.
By default, this feature is enabled in all Wordpress installs, and isn't quite easy to turn off. Sucuri recommends to add the following API filter to Wordpress:
add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods['pingback.ping'] );
return $methods;
} );
Removing xmlrpc.php is not recommended as it will breack a number of other features that will use the API.
[1] http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
All of our legitimate requests for WP are relative links with the ".php" chopped off. By blocking *.php at WAF we are actually blocking 99.7% of all automated scanners and botnet traffic looking for WP sites.
Of course, this should not be your only line of defense, but it is a good quick fix while your ops team tests and deploys above mentioned fix.
Anonymous
Mar 12th 2014
1 decade ago
http://wordpress.org/plugins/disable-xml-rpc-pingback/
Description:
"Stops abuse of your site's Pingback method from XML-RPC by simply removing it. While you can use the rest of XML-RPC methods."
Anonymous
Mar 12th 2014
1 decade ago
http://en.forums.wordpress.com/topic/how-to-disable-pingback
Anonymous
Mar 12th 2014
1 decade ago
But DDoS can be at a higher level. You can starve the target for CPU resource, or number of connections. Apache will normally handle only a few thousand connections. A loadbalancer/WAF will prevent some higher level attacks, but these are real requests.
Anonymous
Mar 13th 2014
1 decade ago
But DDoS can be at a higher level. You can starve the target for CPU resource, or number of connections. Apache will normally handle only a few thousand connections. A loadbalancer/WAF will prevent some higher level attacks, but these are real requests.
Anonymous
Mar 13th 2014
1 decade ago
Most commonly pingbacks and trackbacks are used in WordPress to send requests to a target website. DDoS attackers make use of this vulnerability launch a Application Layer DDoS attack.
We all should take steps to hardened our WordPress security so it can not be used to launch a large scale DDoS attack. Learn how to protect and prevent your WordPress website to be used in DDoS attack. http://www.cloudways.com/blog/ddos-attacks-wordpress-security/
Anonymous
May 23rd 2014
1 decade ago