Wordpress "Pingback" DDoS Attacks

Published: 2014-03-12
Last Updated: 2014-03-12 12:21:58 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Sucuri detected an interesting "reflective" attack using the Wordpress Pingback feature to attack web sites [1]. Unlike other reflective attacks that use UDP services like NTP and DNS, this attacks uses the Wordpress Pingback feature.

The intend of Pingback is to notify a site that you link to about the link hoping that the site you are linking to will return the favor. Some systems automate this and maintain automated lists linking back to sites that covered their article. In order to implement pingback, Wordpress implements an XML-RPC API function. This function will then send a request to the site to which you would like to send a "pingback".

With Wordpress, the Pingback is sent as a POST request to the /xmlrpc.php request. The body of the request will look like:

<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
     <param><value><string>http://victim</string></value></param>
     <param><value><string>http://reflector</string></value></param>
  </params>
</methodCall>

For the attack seen by Sucuri, the "victim" URL included a random parameter like "victim.com?123456=123456" to prevent caching.

The result of this request is that your Wordpress install will send a request to the victim's site. I don't think the attack will provide a significant traffic amplification, but it does obfuscate the actual source of the attack.

By default, this feature is enabled in all Wordpress installs, and isn't quite easy to turn off. Sucuri recommends to add the following API filter to Wordpress:

add_filter( ‘xmlrpc_methods’, function( $methods ) {
   unset( $methods['pingback.ping'] );
   return $methods;
} );

Removing xmlrpc.php is not recommended as it will breack a number of other features that will use the API.

 

[1] http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

6 comment(s)

Comments

A nice stop gap to this as well, block all *.php requests in your WAF if you can.

All of our legitimate requests for WP are relative links with the ".php" chopped off. By blocking *.php at WAF we are actually blocking 99.7% of all automated scanners and botnet traffic looking for WP sites.

Of course, this should not be your only line of defense, but it is a good quick fix while your ops team tests and deploys above mentioned fix.
This plugin ("Disable XML-RPC Pingback") might be an easy stopgap measure (I have not tested it myself):
http://wordpress.org/plugins/disable-xml-rpc-pingback/

Description:
"Stops abuse of your site's Pingback method from XML-RPC by simply removing it. While you can use the rest of XML-RPC methods."
Is it not sufficient to disable Pingback using the Wordpress settings?

http://en.forums.wordpress.com/topic/how-to-disable-pingback
When talking about amplification here, you think bandwidth attack, which is what we see most of.

But DDoS can be at a higher level. You can starve the target for CPU resource, or number of connections. Apache will normally handle only a few thousand connections. A loadbalancer/WAF will prevent some higher level attacks, but these are real requests.
When talking about amplification here, you think bandwidth attack, which is what we see most of.

But DDoS can be at a higher level. You can starve the target for CPU resource, or number of connections. Apache will normally handle only a few thousand connections. A loadbalancer/WAF will prevent some higher level attacks, but these are real requests.
WordPress has many vulnerabilities that can be exploited very easily. Most people do not know that their WordPress blog is a part of a large DDoS attack being carried out against a target.
Most commonly pingbacks and trackbacks are used in WordPress to send requests to a target website. DDoS attackers make use of this vulnerability launch a Application Layer DDoS attack.
We all should take steps to hardened our WordPress security so it can not be used to launch a large scale DDoS attack. Learn how to protect and prevent your WordPress website to be used in DDoS attack. http://www.cloudways.com/blog/ddos-attacks-wordpress-security/

Diary Archives