Attackers don’t need special tools or malware to launch distributed denial-of-service attacks. A recent DDoS attack that brought down a site involved 162,000 WordPress sites and a documented feature.

A popular WordPress site was hit by a large HTTP-based (Layer 7) distributed flood attack that sent hundreds of requests per second, said Daniel Cid, CTO of security company Sucuri. The requests turned out to be Pingbacks from over 162,000 valid and legitimate WordPress sites.
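On the receiving end, a flood like this can be picked out of the web server's access log, because WordPress's HTTP client names itself and its home URL in the User-Agent header. The sketch below is an added example, not Sucuri's tooling: it assumes the combined log format and the `WordPress/<version>; <site URL>` User-Agent layout, and the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumption: combined log format, with the User-Agent as the last quoted field.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# WordPress's HTTP client sends "WordPress/<version>; <site URL>", optionally with a suffix.
WP_UA = re.compile(r'^WordPress/(?P<ver>[\d.]+); (?P<site>https?://[^;\s]+)')

def summarize(lines, min_sites=3):
    """Per requested path, list the WordPress sites sending requests; keep busy paths only."""
    sites = defaultdict(set)     # path -> distinct originating WordPress sites
    hits = Counter()             # path -> number of WordPress-originated requests
    queries = defaultdict(set)   # path -> distinct query strings (random ones defeat caching)
    for line in lines:
        m = LINE.match(line.strip())
        ua = m and WP_UA.match(m["ua"])
        if not ua:
            continue             # unparsable line or not a WordPress client
        path, _, query = m["url"].partition("?")
        sites[path].add(ua["site"].rstrip("/"))
        hits[path] += 1
        queries[path].add(query)
    return {
        path: {"requests": hits[path], "sites": sorted(s), "distinct_queries": len(queries[path])}
        for path, s in sites.items() if len(s) >= min_sites
    }

# Constructed sample lines (documentation IP ranges, example domains, made-up query strings).
SAMPLE = """\
192.0.2.10 - - [10/Mar/2014:00:00:01 +0000] "GET /?4137049=643182 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-a.example"
198.51.100.7 - - [10/Mar/2014:00:00:01 +0000] "GET /?3162504=9747583 HTTP/1.0" 403 0 "-" "WordPress/3.7.1; http://blog-b.example/"
203.0.113.5 - - [10/Mar/2014:00:00:02 +0000] "GET /?8512=77120 HTTP/1.0" 403 0 "-" "WordPress/3.9; http://blog-c.example; verifying pingback from 192.0.2.200"
192.0.2.10 - - [10/Mar/2014:00:00:02 +0000] "GET /?99120=11 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-a.example"
203.0.113.77 - - [10/Mar/2014:00:00:03 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [10/Mar/2014:00:00:04 +0000] "GET /feed/ HTTP/1.0" 200 900 "-" "WordPress/3.7.1; http://blog-b.example/"
"""

if __name__ == "__main__":
    for path, info in summarize(SAMPLE.splitlines()).items():
        print(path, info["requests"], info["distinct_queries"], info["sites"])
```

The resulting site list is what an operator would feed into a rate limit or block rule, or use to notify the owners of the sites being abused.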

A WordPress feature enabled by default, a Pingback lets a site inform other sites whenever a post is published linking back to those sites. Thanks to this feature, attackers don’t need to compromise WordPress sites to create a botnet to launch attacks. In this case, the attacker just wrote a simple call to ping the target site’s XML-RPC file.

“Any WordPress site with Pingback enabled (which is on by default) can be used in DDoS attacks against other sites,” Cid wrote.

Since these WordPress sites were not compromised, it’s difficult to tell whether a site is participating in a DDoS attack without looking through the site logs. If the logs have pingbacks to random URLs, that is a good sign of some kind of nefarious activity. Administrators should disable the XML-RPC functionality to prevent this feature from being abused, Cid recommended. There are other suggestions on the Sucuri blog.

Sucuri also has launched a WordPress DDoS Scanner to check if a site is attacking other sites.

There was a similar DDoS attack last year where attackers used Pingbacks on 2,500 WordPress sites, according to Incapsula. At the time, the company warned that pingbacks give attackers “a virtually limitless set of IP addresses to distribute a denial-of-service attack across a network of over 100 million WordPress sites, without having to compromise them.”

And while administrators are looking at Pingbacks, it’s worth taking the time to make sure the sites are running the latest and most secure version of the WordPress software. Outdated versions of WordPress are constantly under attack, especially the plugins.

“Malicious hackers are always looking for ways to infect computer users, and what better technique can there be than to compromise an existing, legitimate website and subvert it in such a way that it sneakily infects computer users when they visit it,” said security consultant Graham Cluley.

Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including where she is a networking and security analyst.  She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products. 
