Here’s what the expert told us about WordPress-powered DDOS attacks

Mar 22, 2014 02:41 GMT  ·  By

After distributed denial-of-service (DDOS) attacks abusing Network Time Protocol (NTP) servers, security companies have started issuing warnings about attacks abusing vulnerable WordPress websites. In a single attack, a total of 162,000 WordPress sites were used.

We’ve reached out to Barrett Lyon to find out more about these attacks. Lyon is the co-founder and chief technology officer of Defense.net, a company that provides DDOS mitigation solutions. However, this isn’t the first such company founded by the expert.

In fact, he is a pioneer in the field of DDOS mitigation for enterprises. He founded Prolexic Technologies back in 2003. Lyon's battles against DDOS attacks and the individuals who launch them are chronicled in a best-selling book called “Fatal System Error – The Hunt for the New Crime Lords Who Are Bringing Down the Internet.”

Softpedia: When did you first start seeing DDOS attacks that abused WordPress websites?

Barrett Lyon: We’ve been expecting to see WordPress DDoS attacks for the past year given the number of sites that use it and the complexity of the code. We’ve been waiting to see someone exploit WordPress in this way but we haven’t seen this happen until March of 2014.

Softpedia: How powerful are these attacks? Does their strength rely solely on the fact that a large number of WordPress websites are abused all at once to send requests to the targeted site?

Barrett Lyon: The attacks to an undefended site could be catastrophic, however, with defenses in place they can be mitigated against without too much work. The main issue is that the attacks are on the application layer of the OSI model, which means that dealing with them can be a little complex.

Softpedia: Sucuri has spotted an attack in which 162,000 WordPress sites were abused. What’s the largest number you’ve seen?

Barrett Lyon: That number sounds about right and it may be a little low. There are a lot of WordPress installations in the wild that have the trackback feature enabled by default.

Softpedia: Is there any particular sector that these attacks are aimed at?

Barrett Lyon: Haven’t seen a specific sector targeted yet.

Softpedia: How efficient are DDOS mitigation solutions against such attacks?

Barrett Lyon: Modern systems can deal with this type of attack, however, if there is no system in place or the attack is made in a different way… this could become a huge problem.

Softpedia: What should WordPress website administrators do to prevent cybercriminals from abusing their resources?

Barrett Lyon: A lot of people install WordPress and hand it off to their client, and the client has no idea how to update it. The result is there are a lot of these installations sitting without any updates and without anyone that knows how to update them.

In a number of cases, people are afraid of upgrading an older version of WordPress because they are afraid it may somehow impact the look and operation of their web site. Thus, status quo on the settings seems to be a trend with WordPress installations.

It would be wise for the administrators of these types of sites to familiarize themselves with the update features of WordPress and put an effort into keeping these things updated.
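Lyon's answer above points at the two things a site owner controls: keeping WordPress updated and not leaving the link-notification (trackback/pingback) feature on by default. The following must-use plugin is an added example, written for this page and not code from the article, from Barrett Lyon or from the WordPress project; it assumes a standard WordPress install where the file is placed in wp-content/mu-plugins/ (a path of the reader's choosing) and relies only on the stock xmlrpc_methods, wp_headers, pings_open and pre_option_{option} filters. WordPress groups pingbacks and trackbacks under one "Allow link notifications from other blogs" setting, so closing pings covers both; the point is to stop the site acting as a reflector toward somebody else, which is separate from protecting the site itself.

```php
<?php
/**
 * Plugin Name: Close link notifications (example hardening)
 * Description: Added example, not part of the article. Stops this WordPress
 *              site from being used as a trackback/pingback reflector.
 *              Assumed install path: wp-content/mu-plugins/close-pings.php
 */

// 1. Drop the pingback methods from the XML-RPC server. Without pingback.ping
//    a remote caller can no longer make this site fetch a URL of their choosing.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the XML-RPC endpoint in the X-Pingback response header,
//    so the site is not trivially enumerable as a pingback-capable host.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Report pings as closed on every post, regardless of the per-post flag.
//    wp-trackback.php checks pings_open() before accepting a trackback, so this
//    turns away incoming trackbacks as well as pingbacks.
add_filter( 'pings_open', '__return_false', 10, 2 );

// 4. Make the "link notifications" default for new posts read as closed, so
//    posts created later do not quietly re-enable the feature.
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
```

Because mu-plugins cannot be deactivated from the dashboard, a client who inherits the site cannot switch the feature back on by accident. This does not replace applying WordPress updates, which the answer above rightly puts first; it only removes one default that makes an unmaintained site useful to someone else's attack.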

Softpedia: This year, we’ve seen an increase in NTP amplification attacks and these WordPress-powered attacks. Based on what you’re seeing right now, are there other types of DDOS attacks that might one day start making headlines?

Barrett Lyon: There will be new types of amplification and reflection based attacks in the coming year, NTP was just the start.

Softpedia: As far as I understand, even if NTP amplification attacks are gaining ground, they're still not as popular as DNS amplification attacks. Do you believe that one day NTP attacks might become more common than DNS attacks?

Barrett Lyon: Currently they are more common than DNS attacks because they are so easy to launch. However, NTP is also a protocol that is easy to filter.

If someone is under attack and has the pipes to take the NTP traffic in, they most likely can filter it if they have modern routers. If they're not prepared for the bandwidth, NTP attacks are pretty powerful and can cause outages pretty quickly.

Softpedia: So far, the largest DDOS attack ever recorded peaked at 800 Gbps. Attacks are becoming more and more powerful. How much can DDOS mitigation providers handle?

Barrett Lyon: I can't comment on other DDoS providers but we're prepared to handle NTP reflection attacks in the many-terabits range.