
posted by girlwhowaspluggedout on Thursday March 13 2014, @01:30PM
from the wordpress-is-the-devil's-playground dept.

Fluffeh writes:

"Researchers from security firm Sucuri recently counted more than 162,000 WordPress sites hitting a single website. This attack exploited the commonly used Pingback mechanism, which is enabled by default in WordPress. None of the sites involved, therefore, needed to be hacked to facilitate the DDoS.

By sending spoofed XML-RPC requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle. The GET queries used to create the DDoS 'had a random value (like "?4137049=643182") that bypassed their cache and forced a full page reload every single time.'

Unfortunately, Sucuri remarks that:

This is a well known issue within WordPress and the core team is aware of it, it's not something that will be patched though. In many cases this same issue is categorized as a feature, one that many plugins use, so in there lies the dilemma.

The only way for WordPress site owners to discover if their websites are being used in DDoS attacks is to search their logs for POST requests to the XML-RPC file that generate a pingback to random URLs."
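The two log signatures the submission describes can be checked mechanically. The script below is an added example, not code from the article, from Sucuri or from the WordPress project: it parses Apache/nginx combined-format access log lines and looks, on a WordPress site, for the POST requests to xmlrpc.php that mark a reflector being abused, and, on the target, for GET requests carrying the bare number=number cache-busting query quoted above from many distinct source addresses. The log lines and IP addresses are constructed for the example; the "WordPress/3.8; http://..." User-Agent on the victim-side lines is an assumption about how WordPress identifies its outbound fetches and is not relied on for detection.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; the constructed sample lines below use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Cache-busting query of the shape quoted by Sucuri ("?4137049=643182"):
# a bare number=number pair, which no normal WordPress permalink produces.
RANDOM_QS_RE = re.compile(r'\?\d+=\d+$')


def parse_line(line):
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_posts_by_ip(lines):
    """Reflector side (a WordPress site): POST requests to xmlrpc.php per client IP.

    A burst of these from one address, each triggering a pingback fetch of
    somebody else's site, is the trace the article says owners should look for.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST':
            continue
        path = rec['path'].split('?', 1)[0]
        if path.endswith('/xmlrpc.php'):
            counts[rec['ip']] += 1
    return dict(counts)


def random_query_gets_by_ip(lines):
    """Victim side: GET requests with a random number=number query, per source IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'GET' and RANDOM_QS_RE.search(rec['path']):
            counts[rec['ip']] += 1
    return dict(counts)


def looks_like_pingback_flood(lines, min_sources=3):
    """True when random-query GETs arrive from at least min_sources distinct IPs.

    Reflection attacks show up as many unrelated sources (each a WordPress
    site) rather than one noisy client, so distinct addresses are the signal.
    """
    return len(random_query_gets_by_ip(lines)) >= min_sources


# Constructed sample: what an abused WordPress reflector would log.
REFLECTOR_LOG = [
    '198.51.100.7 - - [13/Mar/2014:12:01:05 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"',
    '198.51.100.7 - - [13/Mar/2014:12:01:05 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"',
    '192.0.2.44 - - [13/Mar/2014:12:01:09 +0000] "GET /2014/03/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Mar/2014:12:01:11 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"',
    '192.0.2.44 - - [13/Mar/2014:12:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Constructed sample: what the target of the flood would log.
# The WordPress/3.8 User-Agent is an assumed detail, not taken from the article.
VICTIM_LOG = [
    '203.0.113.10 - - [13/Mar/2014:12:01:06 +0000] "GET /?4137049=643182 HTTP/1.1" 200 14211 "-" "WordPress/3.8; http://blog1.example"',
    '203.0.113.11 - - [13/Mar/2014:12:01:06 +0000] "GET /?8812930=110293 HTTP/1.0" 200 14211 "-" "WordPress/3.8; http://blog2.example"',
    '192.0.2.99 - - [13/Mar/2014:12:01:07 +0000] "GET /?p=12 HTTP/1.1" 200 9011 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [13/Mar/2014:12:01:07 +0000] "GET /about/?5521 HTTP/1.1" 200 7010 "-" "WordPress/3.8; http://blog3.example"',
    '203.0.113.12 - - [13/Mar/2014:12:01:07 +0000] "GET /about/?552101=9918 HTTP/1.1" 200 7010 "-" "WordPress/3.8; http://blog3.example"',
    '203.0.113.10 - - [13/Mar/2014:12:01:08 +0000] "GET /?220011=7 HTTP/1.1" 200 14211 "-" "WordPress/3.8; http://blog1.example"',
    '192.0.2.99 - - [13/Mar/2014:12:01:09 +0000] "GET /feed/ HTTP/1.1" 200 3001 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    print('xmlrpc.php POSTs per IP (reflector):', xmlrpc_posts_by_ip(REFLECTOR_LOG))
    print('random-query GETs per IP (victim):', random_query_gets_by_ip(VICTIM_LOG))
    print('pingback flood suspected:', looks_like_pingback_flood(VICTIM_LOG))
```

On a real server, feed `open('/var/log/apache2/access.log')` to the functions in place of the constructed lists. A handful of POSTs to xmlrpc.php per day is normal for a blog that receives genuine pingbacks or is edited from a mobile client; hundreds per minute from one address, or random-query GETs from dozens of distinct hosts, is not.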

  • (Score: 1) by drgibbon (74) on Thursday March 13 2014, @10:08PM (#16097) Journal

    Never used them myself, but kind of like remote commenting, according to this [wpbeginner.com].

    --
    Certified Soylent Fresh!