
DDoS by WordPress: The Saga Continues

March 13, 2014 by Ixia Blog Team

We are seeing an increase in DDoS attacks worldwide.

What is interesting to note is that whereas traditionally these attacks were triggered through massive botnets, recently attackers have focused on using legitimate traffic generated by legitimate services.

The weapon of choice for this new trend in DDoS attacks is services that generate responses that are very big in size when compared to the request that initiates them. The approach usually used involves sending requests with spoofed source IP addresses to a multitude of amplifiers, which in turn answer with a large amount of data, as depicted in the image below:

This leads to an amplification process, which allows an attacker to bring down services for high impact targets with minimal numbers of client attackers.

A characteristic of this type of attack is that it usually relies on ancillary functions of a service that are not used for its main purpose. These functions are often exposed because the amplifying service is improperly configured, or because specific request and reply types that are part of the service but rarely used are improperly filtered. This shows the nature of an excellent hacker: they don't think like us, they are very innovative in their approach, and they use systems in ways they were never intended to be used.

DDoS Accelerating Through Improved Automation Tools

The most recent DDoS attack that falls into the category described above was conducted using services delivered by servers running the WordPress blogging system. In these attacks the XML-RPC service available on WordPress servers, which is enabled by default beginning with WordPress 3.5 [1], was used as an amplifier to overwhelm attacked servers with legitimate, but unrequested traffic. Although the vulnerability is not new, recent development of automated tools for running the attack has made it reemerge. This shows that although the issue has been known for quite some time, most web administrators have taken no action towards mitigating it.

The attack is carried out through the pingback function that normally allows linking blog content from different authors. The implementation causes the function to send an HTTP request for a web page to the target system, whose address is controlled through a parameter inside the initial request. If the resource is very large in size or is too computationally expensive for the target system to produce, this in turn causes a denial of service condition.
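The following is an added example, not code from the post or from WordPress, showing what the parameter described above looks like on the amplifier side. It parses an XML-RPC request body with Python's standard xmlrpc.client, reports which host the server would connect to while verifying a pingback.ping call (the sourceURI, the first parameter in the Pingback specification's method signature), and throttles repeated verification fetches toward the same host. The sample request, the hostnames and the PingbackThrottle class are all constructed for this example.

```python
# Added example (not from the post): inspect an XML-RPC request body the way a
# WordPress-side filter could, and throttle pingback.ping calls per source host.
# Method name and parameter order (sourceURI, targetURI) follow the Pingback
# specification; the throttle and its limits are assumptions of this example.
import xmlrpc.client
from collections import Counter
from urllib.parse import urlparse

# Constructed sample body: a pingback claiming that a page on "victim.example"
# links to a post on "blog.example".  The amplifier fetches the sourceURI
# (first parameter) to verify the link, so the sender chooses the fetch target.
SAMPLE_PINGBACK = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://victim.example/reports/annual.pdf</string></value></param>
    <param><value><string>http://blog.example/2014/03/some-post/</string></value></param>
  </params>
</methodCall>
"""


def inspect_xmlrpc(body, local_host):
    """Parse one XML-RPC request and describe what a pingback would do.

    Returns a dict with the method name, whether it is pingback.ping,
    'outbound_host' (the host the server would connect to while verifying
    the pingback) and 'target_is_local' (whether targetURI names this site).
    """
    params, method = xmlrpc.client.loads(body)
    info = {"method": method, "is_pingback": method == "pingback.ping",
            "outbound_host": None, "target_is_local": None}
    if info["is_pingback"] and len(params) == 2:
        source_uri, target_uri = params
        info["outbound_host"] = urlparse(source_uri).hostname
        info["target_is_local"] = urlparse(target_uri).hostname == local_host
    return info


class PingbackThrottle:
    """Allow at most `limit` verification fetches toward any one host.

    A hypothetical amplifier-side control: a blog rarely needs to verify many
    pingbacks against the same remote host in a short period, so repeated
    requests that all point the fetch at one host are dropped.
    """

    def __init__(self, limit):
        self.limit = limit
        self.seen = Counter()

    def decide(self, body, local_host):
        """Return 'allow', 'drop' or 'ignore' (ignore = not a pingback)."""
        info = inspect_xmlrpc(body, local_host)
        if not info["is_pingback"]:
            return "ignore"
        host = info["outbound_host"]
        if host is None or not info["target_is_local"]:
            return "drop"  # malformed, or the target is not even on this site
        self.seen[host] += 1
        return "allow" if self.seen[host] <= self.limit else "drop"


if __name__ == "__main__":
    throttle = PingbackThrottle(limit=3)
    for i in range(5):
        print(i + 1, throttle.decide(SAMPLE_PINGBACK, "blog.example"))
```

Run as a script, the first three identical pingbacks are allowed and the remaining two are dropped; the point to take from inspect_xmlrpc is that the outbound connection goes to whatever host the sender placed in the sourceURI, which is what makes an unfiltered xmlrpc.php usable as an amplifier.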

Mitigation

Mitigation against this kind of attack can be implemented at several layers throughout the attack process. The easiest way to stop the attack is to configure the amplification systems to disable XML-RPC pingback functionality:

<?php
// Remove pingback.ping from the XML-RPC method table so the server no longer
// accepts pingback requests (place in a plugin or the theme's functions.php).
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

However, this is the responsibility of the person administering the systems used as amplifiers and as such cannot be controlled by the target of the attack. Taking this into consideration, the best way to implement defenses for this kind of attack is application layer inspection of HTTP requests. Due to the specific nature of the requests sent out by the amplification systems, these can be detected by inspection devices and filtered at the Internet boundary before they reach the target system.
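As an added example of the target-side inspection just described (not code from the post or from Ixia), the script below scans a web server's access log for the verification fetches that WordPress amplifiers send out. It assumes combined log format lines and the User-Agent string WordPress uses for these fetches, "WordPress/<version>; <blog url>; verifying pingback from <ip>"; that header format is not stated in the post and is an assumption of this example, as are the IP addresses, hostnames, paths and thresholds, which are all constructed.

```python
# Added example (not from the post): find pingback verification fetches in a
# target's access log and summarise the amplifiers behind them.  Assumes the
# User-Agent format "WordPress/<ver>; <blog url>; verifying pingback from <ip>"
# and combined log format; all sample data below is constructed.
import re
from collections import Counter

# Constructed sample log lines: three WordPress amplifiers hitting the target,
# plus one ordinary browser request that must not be counted.
SAMPLE_LOG = """\
198.51.100.10 - - [13/Mar/2014:10:01:02 +0000] "GET /?q=4137049 HTTP/1.0" 200 35017 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.5"
198.51.100.11 - - [13/Mar/2014:10:01:02 +0000] "GET /?q=4137050 HTTP/1.0" 200 35017 "-" "WordPress/3.7.1; http://blog-b.example; verifying pingback from 203.0.113.5"
192.0.2.77 - - [13/Mar/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1240 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.10 - - [13/Mar/2014:10:01:03 +0000] "GET /?q=4137051 HTTP/1.0" 200 35017 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.5"
198.51.100.12 - - [13/Mar/2014:10:01:04 +0000] "GET /?q=4137052 HTTP/1.0" 200 35017 "-" "WordPress/3.6; http://blog-c.example; verifying pingback from 203.0.113.9"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# User-Agent of a WordPress pingback verification fetch; 'origin' is the address
# the amplifier saw the XML-RPC request come from.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[\d.]+; (?P<blog>[^;]+); verifying pingback from (?P<origin>\S+)$')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Count pingback verification fetches and group them by amplifier."""
    report = {"pingback_requests": 0, "other_requests": 0, "unparsed": 0,
              "bytes_served": 0, "amplifiers": Counter(),
              "blogs": set(), "origins": set()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua is None:
            report["other_requests"] += 1
            continue
        report["pingback_requests"] += 1
        report["amplifiers"][rec["ip"]] += 1       # the WordPress host doing the fetch
        report["blogs"].add(ua.group("blog"))       # its self-reported site URL
        report["origins"].add(ua.group("origin"))   # who submitted the pingback to it
        if rec["size"].isdigit():
            report["bytes_served"] += int(rec["size"])
    return report


def is_pingback_flood(report, min_amplifiers=20, min_requests=200):
    """Example thresholds: many distinct amplifiers plus a high request count."""
    return (len(report["amplifiers"]) >= min_amplifiers
            and report["pingback_requests"] >= min_requests)


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("pingback fetches:", r["pingback_requests"], "from",
          len(r["amplifiers"]), "amplifiers;", r["bytes_served"], "bytes served")
    for ip, n in r["amplifiers"].most_common():
        print(f"  {ip}: {n}")
    print("origins seen by amplifiers:", sorted(r["origins"]))
```

A boundary device or log pipeline can use the same User-Agent match to drop or rate-limit these fetches before they reach the application, while ordinary browser traffic passes. The "blogs" set identifies the misconfigured WordPress sites so their administrators can be notified, and "origins" records the addresses those sites saw submitting the pingbacks.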

Leverage subscription service to stay ahead of attacks

Customers of Ixia’s Application and Threat Intelligence (ATI) program can test for both the exploitation of the WordPress pingback as well as test DDoS mitigation of this attack. The ATI team has an end-to-end simulation of the attack for their customers. The ATI program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.

Additional Resources:

Ixia DDoS Solutions

Ixia Security Solutions

Application and Threat Intelligence (ATI)


[1] http://codex.wordpress.org/XML-RPC_Support