A recent article outlines how the WordPress XML-RPC pingback function can be used for DDoS attacks. This article analyses the attack and gives site administrators the information they need to protect their websites.
The WordPress XML-RPC API is nothing new. The following is a WordPress bug report from seven years ago:
Although the vulnerability is not new, attack code and tools for it only appeared in the last two years or so. These tools make things easy for script kiddies and have led to more DDoS attacks.
The XML-RPC pingback feature provides a legitimate way for different authors to link related content. This article describes how the XML-RPC functionality of some blog sites can be abused to attack third-party websites.
SpiderLabs colleague Daniel Crowley gave a talk titled "The Patsy Proxy: Getting others to do your dirty work" at the DerbyCon conference in 2012, discussing various ways of getting third-party websites to send attack traffic (see the slides). Tools were also released. One of them, called "DDoS attacks via other sites execution tool (DAVOSET)", can send attack traffic through many different sites. The following is the list of URLs used by DAVOSET:
Sending attack traffic through a "Patsy Proxy" site is very simple. Below we take a closer look at the WordPress XML-RPC pingback problem.
The following is the attack command using curl:
The data highlighted in yellow is the WordPress "Patsy Proxy" site; the data highlighted in orange is the attacked site. Note that for the test the header "Content-Type: text/xml" has to be added, otherwise the XML-RPC service treats the request as invalid and responds as follows:
Once the attacker has sent the complete request, the Patsy Proxy WordPress site issues the following HTTP request to the attacked site:
Note that the HTTP request consists of only two lines:
A WAF (web application firewall) in front of the attacked site can recognise this and protect the site, because a normal browser request contains many more headers. Since the pingback DDoS, unlike protocol attacks such as NTP, involves no amplification, it does the most damage when the requested URI forces the attacked site to perform expensive back-end processing.
If you do not use XML-RPC, disabling it entirely is an option. Refer to the article; there are even plugins that will disable it.
Alternatively, add the following to the theme's functions.php file to disable pingbacks:
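As an added example (not code from the original article), the following functions.php snippet disables the pingback.ping method using the standard WordPress `xmlrpc_methods` and `wp_headers` hooks; the log line format and the IXR_Error code are choices made here, and PHP 7 or later is assumed.

```php
<?php
// Added example (not from the original article): place in the active theme's
// functions.php or in a file under wp-content/mu-plugins/. It uses the standard
// WordPress hooks 'xmlrpc_methods' and 'wp_headers'; the log format is a choice
// made here, not a WordPress convention. Requires PHP 7+ for the ?? operator.

// 1. Replace the pingback.ping handler so the site can no longer be made to
//    fetch attacker-chosen URLs. The replacement logs the attempt for the
//    administrator and returns an XML-RPC fault to the caller.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    $methods['pingback.ping'] = function ( $args ) {
        // $args[0] is the sourceURI (the page the site would be made to fetch),
        // $args[1] the targetURI (a post on this site). Strip CR/LF and cap the
        // length so attacker-supplied values cannot inject extra log lines.
        $clean = function ( $v ) {
            return substr( preg_replace( '/[\r\n]+/', ' ', (string) $v ), 0, 200 );
        };
        error_log( sprintf(
            'xmlrpc pingback.ping refused: ip=%s source=%s target=%s',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $clean( $args[0] ?? '' ),
            $clean( $args[1] ?? '' )
        ) );
        return new IXR_Error( 403, 'Pingbacks are disabled on this site.' );
    };
    // The pingback listing extension is not needed either.
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the endpoint: drop the X-Pingback response header that
//    WordPress adds to every front-end response.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Note: add_filter( 'xmlrpc_enabled', '__return_false' ) only disables the
// XML-RPC methods that require authentication; pingback.ping does not, so the
// 'xmlrpc_methods' filter above is still required to close this hole.
```

After deploying, a pingback.ping request to xmlrpc.php returns a fault instead of triggering an outbound fetch, and each refused attempt appears in the PHP error log with the requesting IP and the URIs it supplied.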
A WAF can also identify the original pingback XML-RPC attack request. Details can be found here.
As mentioned earlier, although the URI is dynamic, every proxied XML-RPC pingback HTTP request is only two lines long. A WAF can be used to identify this anomaly and respond, for example by adding the requesting IP to a blacklist.
[via @spiderlabs / 91ri.org]