Attackers (ab)used WordPress' pingback utility, again!

Feb 17, 2016 22:43 GMT  ·  By

Sucuri has blown the lid off a recent Layer 7 DDoS campaign that leveraged WordPress installations, and more precisely their pingback function (again).

Layer 7 (Application Level) DDoS attacks aren't your regular DDoS attacks. While normal DDoS attacks rely on cramming a lot of network packets down your throat, Layer 7 attacks are different, akin to a poisoned dart.

They rely on specially crafted network packets that make your server's CPU usage go up, effectively shutting down your site, but without the attacker having to consume a huge amount of bandwidth to do so.

It has been known for years that the WordPress pingback service can be abused for DDoS attacks, and WordPress' maintainers tried to help when they released version 3.9 a few years ago: that update added a function that makes the WordPress CMS log the pingback requests made by the attacker.

This update allowed webmasters to quickly debug and ban IPs that were abusing their sites to launch DDoS attacks, but few webmasters ever bothered to prevent their site from being added to a botnet, as shown by the fact that WordPress pingback DDoS attacks have continued undisturbed all these years.

DDoS attack peaked at 20,000 HTTPS requests/sec

A recent example is a fresh campaign that combined pingback attacks and Layer 7 DDoS, originating from a botnet that counted 26,000 WordPress sites.

This campaign blasted between 10,000 and 11,000 HTTPS requests per second at the target, and sometimes even peaked at 20,000.

Attackers were abusing the WordPress XML-RPC service to flood the victim's website with pingback requests, and they were sending those requests over HTTPS, forcing the victim's CPU into overdrive as it handled all those encrypted connections, which also consume more server memory than plain HTTP.

Sucuri's Daniel Cid provides instructions on how to prevent the WordPress built-in XML-RPC service from participating in DDoS pingback attacks, as well as a method that lets the XML-RPC service keep operating while filtering out abusive requests and letting legitimate ones through.
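From the targeted site's side, the "debug and ban IPs" step the article mentions comes down to picking pingback traffic out of the access log. The following is an added Python example, not code from Sucuri or WordPress, that does this over constructed combined-format log lines; it relies on the fact that WordPress sends pingback fetches with a user-agent of the form `WordPress/<version>; <site URL>`, so the user-agent names the reflecting (likely compromised) installation. The IPs, site names and rate threshold are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format line: client IP, timestamp, request, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# WordPress identifies its own pingback fetches as "WordPress/<version>; <site URL>".
PINGBACK_UA_RE = re.compile(r'^WordPress/(?P<ver>[\d.]+); (?P<site>https?://\S+)')

# Constructed sample lines (not real traffic): two reflecting WordPress sites plus one browser.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Feb/2016:22:40:00 +0000] "GET /?p=1 HTTP/1.1" 200 512 "-" "WordPress/4.4.2; http://reflector-one.example"
203.0.113.10 - - [17/Feb/2016:22:40:00 +0000] "GET /?p=2 HTTP/1.1" 200 512 "-" "WordPress/4.4.2; http://reflector-one.example"
203.0.113.10 - - [17/Feb/2016:22:40:01 +0000] "GET /?p=3 HTTP/1.1" 200 512 "-" "WordPress/4.4.2; http://reflector-one.example"
198.51.100.7 - - [17/Feb/2016:22:40:01 +0000] "GET /?p=4 HTTP/1.1" 200 512 "-" "WordPress/4.3.1; http://reflector-two.example"
192.0.2.55 - - [17/Feb/2016:22:40:01 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def parse_pingbacks(log_text):
    """Yield (source IP, timestamp, reflecting site) for each line that is a WP pingback fetch."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if not ua:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, ua.group("site")

def summarize(log_text, rate_threshold):
    """Count pingback hits per source IP and per reflecting site, and flag IPs whose average
    pingback rate over their observed window (at least 1 s) reaches rate_threshold req/s."""
    per_ip, per_site, times = Counter(), Counter(), defaultdict(list)
    for ip, ts, site in parse_pingbacks(log_text):
        per_ip[ip] += 1
        per_site[site] += 1
        times[ip].append(ts)
    flagged = []
    for ip, stamps in times.items():
        window = max((max(stamps) - min(stamps)).total_seconds(), 1.0)
        if len(stamps) / window >= rate_threshold:
            flagged.append(ip)
    return per_ip, per_site, sorted(flagged)
```

The flagged IP list is what a webmaster would feed to a firewall or web-server deny rule, while the per-site counter identifies which WordPress installations are being used as reflectors.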

Image: WordPress sites abused in Layer 7 DDoS attacks
Image: Distribution of compromised WordPress sites across service providers