from the wordpress-is-the-devil's-playground dept.
Fluffeh writes:
"Researchers from security firm Sucuri recently counted more than 162,000 WordPress sites hitting a single website. This attack exploited the commonly used Pingback mechanism, which is enabled by default in Wordpress. None of the sites involved, therefore, needed to be hacked to facilitate the DDoS.
By sending spoofed XML-RPC requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle. The GET queries used to create the DDoS 'had a random value (like "?4137049=643182") that bypassed their cache and force a full page reload every single time.'
Unfortunately, Sucuri remarks that:
This is a well known issue within WordPress and the core team is aware of it, it's not something that will be patched though. In many cases this same issue is categorized as a feature, one that many plugins use, so in there lies the dilemma.
The only way for Wordpress site owners to discover if their websites are being used in DDoS attacks is to search their logs for POST requests to the XML-RPC file that generate a pingback to random URLs."
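An added detection example, not from the article, Sucuri, or any commenter (the access-log lines are constructed): it scans combined-format web server log lines for both sides of the attack described above, repeated POSTs to xmlrpc.php on a site being used as a reflector, and cache-busting GETs such as "?4137049=643182" from WordPress pingback fetchers hitting the target. The `WordPress/<version>; <site url>` user agent is what WordPress's own HTTP client sends on pingback verification fetches; the per-IP threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Combined log format (Apache/nginx default); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Query strings of the form "?4137049=643182": a bare numeric key with a numeric value,
# which no normal page link produces but which defeats full-page caches.
CACHE_BUST_RE = re.compile(r'^\d+=\d+$')

# Constructed sample: one reflector burst, two pingback fetches, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2014:13:39:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Mar/2014:13:39:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Mar/2014:13:39:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2014:13:40:00 +0000] "GET /?4137049=643182 HTTP/1.1" 200 48211 "-" "WordPress/3.8; http://blog-a.example"
198.51.100.8 - - [13/Mar/2014:13:40:00 +0000] "GET /?991122=55 HTTP/1.1" 200 48211 "-" "WordPress/3.8.1; http://blog-b.example"
192.0.2.9 - - [13/Mar/2014:13:41:00 +0000] "GET /about/?utm_source=news HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_reflector_request(rec):
    """Our site being used as a reflector: a POST to the XML-RPC endpoint."""
    return rec["method"] == "POST" and rec["path"].partition("?")[0].endswith("/xmlrpc.php")

def is_pingback_flood(rec):
    """Our site as the target: a cache-busting GET from a WordPress pingback fetcher."""
    _, _, query = rec["path"].partition("?")
    return (rec["method"] == "GET" and rec["ua"].startswith("WordPress/")
            and bool(CACHE_BUST_RE.match(query)))

def analyse(log_text, threshold=3):
    """Return (reflector_ips, flood_sources): IPs POSTing to xmlrpc.php at least
    `threshold` times, and per-user-agent counts of cache-busting pingback GETs
    (the UA names the WordPress site doing the fetching)."""
    posts, floods = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if is_reflector_request(rec):
            posts[rec["ip"]] += 1
        elif is_pingback_flood(rec):
            floods[rec["ua"]] += 1
    return {ip: n for ip, n in posts.items() if n >= threshold}, dict(floods)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Flagged reflector IPs are candidates for rate limiting at the web server, and the site URLs in the flood user agents tell the target's operator which WordPress installs to notify.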
(Score: 3, Interesting) by wantkitteh on Thursday March 13 2014, @01:39PM
...what kind of amplification ratio this method achieves? I realize that's not really the intention, it's more about launching a DDoS without needing a botnet in place to start with, I'm just curious as to the attack bandwidth figures you'd get.
(Score: 5, Informative) by jdccdevel on Thursday March 13 2014, @02:09PM
The bandwidth amplification would be pretty high, it depends on the size of the page being requested. The request to the first server, and the target server are really small (less than 1kb). But the response from the target (to the intermediary) can easily be hundreds of times that size.
The real issue with this attack isn't the bandwidth so much as it is the server processing time. The queries are structured such that the cache is bypassed, requiring each response to be generated specifically for that request. This would eat CPU like CRAZY (it is PHP after all), and bring the server to its knees much quicker than the bandwidth use alone.
(Score: 2, Informative) by jdccdevel on Thursday March 13 2014, @02:24PM
Correction:
The CPU side of the DOS attack will affect any site with a dynamically generated page, not just those running PHP.
(Score: 2) by Open4D on Friday March 14 2014, @10:18AM
So it's multiple Wordpress sites being used to DDOS a single target Wordpress site?
Would one mitigating option be for the Wordpress devs to change the feature so that it is immediately clear to the targeted site when an incoming request has been triggered by a pingback rather than a normal user request, so that it can give priority to the latter?
(Score: 5, Informative) by drgibbon on Thursday March 13 2014, @02:04PM
Here's a couple of plugins to guard against this:
Disable XML-RPC [wordpress.org].
Disable XML-RPC pingbacks [wordpress.org].
Just disabling pingbacks is the way to go if you use Jetpack [wordpress.org] or anything else that needs XML-RPC.
Certified Soylent Fresh!
(Score: 5, Informative) by WizardFusion on Thursday March 13 2014, @02:41PM
Yes, I disabled XML-RPC and the pingback option on my site. It was listed as good security practice a few years ago when I got started.
(Score: 4, Insightful) by halcyon1234 on Thursday March 13 2014, @04:11PM
What the hell is the point of a pingback anyways?
Original Submission [thedailywtf.com]
(Score: 1) by fnj on Thursday March 13 2014, @06:03PM
I don't understand it either. Somebody please explain what it is FOR.
(Score: 1) by drgibbon on Thursday March 13 2014, @10:08PM
Never used them myself, but kind of like remote commenting, according to this [wpbeginner.com].
Certified Soylent Fresh!
(Score: 3, Insightful) by chromas on Thursday March 13 2014, @10:36PM
The pingback system is a safeguard against readers.
Imagine you have a web site where you post an article and then people write comments on it. That's no good, right? Well, with pingback, you can intersperse those comments with links to other websites that link back to the page you're already on!
(Score: 5, Funny) by skullz on Thursday March 13 2014, @03:11PM
Microsoft, is that you?
(Score: 4, Funny) by sharky on Thursday March 13 2014, @04:02PM
I'm not even mad - That's genius.
(Score: 4, Funny) by elf on Thursday March 13 2014, @05:20PM
someone just trying to get their hit count up on their blog.