162,000 WordPress Sites Abused to Amplify DDOS Attack

Sucuri has helped a company mitigate such an attack

By Eduard Kovacs on March 11th, 2014 13:53 GMT

Sucuri has been called in to mitigate a major distributed denial-of-service (DDOS) attack aimed at a popular WordPress site. What’s interesting about this incident is that 162,000 other WordPress sites were used to amplify the attack.

DDOS attacks are becoming more and more common. However, every once in a while, cybercriminals come up with an interesting way to amplify them.

According to experts, in this particular attack, the 162,000 WordPress sites were indirectly used as amplification vectors. After the company, which hasn’t been named, subscribed to their CloudProxy Website Firewall service, Sucuri immediately started analyzing the operation.

They soon discovered that tens of thousands of WordPress sites were sending random requests at the targeted websites in an effort to make it inaccessible.

So how could cybercriminals abuse such a large number of WordPress sites? The attackers are actually abusing the XML-RPC feature. XML-RPC is used for trackbacks, pingbacks, remote access and other operations. Because XML-RPC is enabled by default on WordPress websites, it’s not difficult for malicious actors to abuse it.

They simply have to send a ping back request to the website’s XML-RPC file. The request looks something like this:

$ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping </methodName> <params><param><value><string> http://victim.com</string></value></param> <param><value><string> www.anywordpresssite.com/postchosen </string> </value></param></params></methodCall>'

With this simple Linux command, many WordPress websites become amplification vectors for a DDOS attack.

Sucuri experts advise the owners of WordPress websites to check their logs for any POST request to the XML-RPC file. If they find pingbacks to random URLs, the site is most likely used to target others.

Alternatively, there is an online WordPress DDOS Scanner tool made available by Sucuri.

In order to protect your website from being abused in such a manner by cybercriminals, you can disable the XML-RPC pingback functionality, or add the following piece of code to your WordPress theme:

add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods['pingback.ping'] );
return $methods;
Cybercriminals abuse XML-RPC feature in WordPress sites to amplify DDOS attacks
   Cybercriminals abuse XML-RPC feature in WordPress sites to amplify DDOS attacks
MORE ON THIS TOPIC
LATEST NEWS
HOT RIGHT NOW

Comments