Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.
The technique made it possible for an attacker with modest resources to greatly amplify the bandwidth at its disposal. By sending spoofed Web requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle. Besides causing such a large number of unsuspecting sites to attack another one, the attack is notable for targeting XML-RPC, a protocol the sites running WordPress and other Web applications use to provide services such as pingbacks, trackbacks, and remote access to some users.
Researchers from security firm Sucuri recently counted more than 162,000 legitimate WordPress sites hitting a single customer website. They suspect they would have seen more if they hadn’t ended the attack by blocking the requests.
“Can you see how powerful it can be?” Sucuri CTO Daniel Cid wrote in a blog post published Monday. “One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.”
The result: the unidentified target website was flooded with hundreds of requests per second. Hundreds of requests per second may not sound like much, especially when compared with recent attacks, some of which reached volumes close to 400 gigabits per second. It’s important to remember that the XML-RPC traffic is directed at a targeted site’s layer 7 (aka application layer), which handles HTTP, FTP, DNS, and several other communications protocols. Many DDoS techniques direct torrents of traffic at a much lower level, usually in the network layer (aka layer 3). Layer 7 attacks frequently require much less junk data to be effective.
Cid’s blog post contains plenty of useful information about DDoS attacks that abuse XML-RPC, including this scanner that will indicate whether a specific Web address was observed participating in the attack Sucuri blocked. The post also provides instructions that operators of WordPress sites can follow to prevent their servers from being abused to carry out these types of attacks. The technique involves adding the following code to a site theme:
add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods['pingback.ping'] );
return $methods;
} );
Cid doesn’t say if there are any negative consequences that will result from adding the filter. Since XML-RPC provides useful and possibly needed functionality, readers are advised to carefully consider the pros and cons before applying such a move to a production server. Readers who know more about the way the XML-RPC protocol is implemented in WordPress and the effects of the above filter are encouraged to share their knowledge in the comments.
The WordPress-enabled attacks are just one technique in a growing arsenal of powerful DDoS weapons. Other implementations include the abuse of the Internet’s time-synchronization protocol and the exploitation of open domain name system servers to greatly amplify traffic. Attackers have also waged extremely powerful DDoS campaigns using botnets of WordPress servers. The growing body of attacks shows that there’s no shortage of ways to inflict crippling damage on the Internet.
Article source: http://arstechnica.com/security/2014/03/more-than-162000-legit-wordpress-sites-abused-in-powerful-ddos-attack/