More than 162,000 “popular and clean” WordPress sites were recently used in a large-scale distributed denial of service attack (DDoS) that exploited the content management system’s pingback feature.
While the WordPress team is aware of the issue it’s not expected to be patched as it’s a default feature on WordPress, not a flaw, meaning it’s a problem that will likely be left up to site developers to mitigate.
Attackers abused a number of sites that have the feature, essentially XML-RPC requests that make it easy for blogs to cross-reference other blog posts, enabled.
Daniel Cid, the CTO of security firm Sucuri, described the attack, which took down a undisclosed website belonging to one of the firm’s clients, in a blog post on Monday.
According to Cid the attack appears to have used the application-layer (Layer 7) HTTP Flood Attack style of DDoS, which are harder to detect as the requests look like they’re coming from legitimate sites.
In this case they were legitimate sites, 162,000 of them, sending “random requests at a very large scale” to the site’s server, each one with a randomized value that bogged their site down by bypassing their cache and mandating a full page reload each time.
Unlike conventional DDoS attacks that use NTP and DNS, this attack, reflective in nature, used the websites as indirect source amplification vectors. While WordPress sites were the victim this time around, experts say any site could technically be tweaked to dole out this kind of flood attack.
“We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk,” Cid wrote.
Since the POST requests were sent to “/xmlrpc.php request” they’re easy to find in logs, so Cid is encouraging WordPress developers to check theirs to ensure that their sites aren’t vulnerable and attacking other WordPress sites.
Users can look through logs for POST requests to a XML-RPC file like the one below:
220.127.116.11 – – [09/Mar/2014:20:11:34 -0400] “POST /xmlrpc.php HTTP/1.0” 403 4034 “-” “-” “POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A\x0A\x0Ahttp://fastbet99.com/?1698491=8940641\x0A\x0A\x0A\x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A”
18.104.22.168 – – [09/Mar/2014:23:21:01 -0400] “POST /xmlrpc.php HTTP/1.0” 403 4034 “-” “-” “POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A \x0A \x0A http://www.guttercleanerlondon.co.uk/?7964015=3863899\x0A \x0A \x0A \x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A”
Developers can also use a scanner the firm came up with this week to check its logs to tell if certain WordPress sites are DDoSing other websites.
If found, Cid claims users can remedy the situation by either disabling XML-RPC pingback or creating a plugin to add a filter to block these kind of pingbacks. Users interested in learning more on how to do that can head over to their blog.
As Johannes B. Ullrich, chief technology officer at the SANS Technology Institute adds, removing xmlrpc.php is not a recommended option as it will “break a number of other features that will use the API.”