162,000 WordPress instances abused for DDoS attack

Pierluigi Paganini March 12, 2014

Sucuri firm detected a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect amplification vectors.

The security community is threatened by a new botnet composed at least 162,000 WordPress-powered websites abused to run DDoS attacks. The technique of attack allows to flood a target with requests sent by WordPress servers that received a specifically crafted spoofed Web request. The requests sent to the WordPress servers appear to come from the target site, so the attackers are able to amplify they fire capability.

The discovery was made by experts from security firm Sucuri that counted more than 162,000 legitimate WordPress sites targeting the web site of a company customer.

“Can you see how powerful it can be?” “One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.” states the blog post published by the company. 

The attack targets the XML-RPC implemented by web sites running WordPress and many other Web applications that offer services such as pingbacks, trackbacks, and remote access to some users.

A similar attack is considerable as an “application DDoS” conducted with ISO/OSI application layer requests, exactly like HTTP DDoS attack, despite its magnitude is significantly lower respect a DNS amplification DDoS attack or an NTP based DDoS.

One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file:

$ curl -D -  "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'

To discover if your WordPress instance is abused to conduct DDoS attack it is possible to run an online scan with this tool proposed by Sucury firm, the post also provides instructions to improve security of the WordPress like adding the following code to a site theme:

add_filter‘xmlrpc_methods’, function$methods ) {
unset$methods[pingback.ping’] );
return $methods;
} );

Be aware, because filter could have an impact on your website because the numerous functionalities based on XML-RPC protocol. We can conclude that DDoS attacks are becoming even more popular and attackers are adopting new and original techniques.

Pierluigi Paganini

(Security Affairs – WordPress, DDoS)



you might also like

leave a comment