Security Corner

Mar 15 2014   4:21PM GMT

Is your site an unwitting participant in a DDoS attack?

Ken Harthun

In a normal DDoS attack, a botnet of hundreds or thousands of computers performs a coordinated attack against a particular website. But what if you don’t have access to a botnet? You trick WordPress sites into sending unwanted traffic to the site. Here’s how, according to a blog post by Sucuri:

Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites.

Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site.

Can you see how powerful it can be? One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple pingback request to the XML-RPC file:

$ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'

How can you tell if your site is being used in an attack? You’ll have to check your web server logs. This is the type of entry you are looking for: POSTs to xmlrpc.php carrying pingbacks to random sites. If you see these, your site is being misused:

93.174.93.72 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" 
"POSTREQUEST:<?xml version=\x221.0\x22 encoding=\x22iso-8859-1\x22?>\x0A<methodCall>\x0A
<methodName>pingback.ping</methodName>\x0A<params>\x0A <param>\x0A  <value>\x0A   
<string>http://fastbet99.com/?1698491=8940641</string>\x0A  </value>\x0A </param>\x0A 
<param>\x0A  <value>\x0A   <string>yoursite.com</string>\x0A  </value>\x0A </param>\x0A
</params>\x0A</methodCall>\x0A"
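An added example of the log check described above (not code from this post or from Sucuri): a small Python scanner that picks pingback.ping POSTs to xmlrpc.php out of combined-format log lines, unescapes the logged body, and counts, per requesting IP, which hosts the pingbacks would make your site fetch. It assumes the request body is logged in a trailing "POSTREQUEST:" field as in the entry above; the sample log lines are constructed, and the status field records whether the request was served or, as in the entry above, blocked with a 403.

```python
import re
from collections import Counter

# Combined-log line whose trailing quoted field holds the logged POST body, as in the entry above;
# the logger escapes that body (\x22 is a double quote, \x0A a newline).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "POSTREQUEST:(?P<body>.*)"\s*$'
)
ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')

def unescape_body(body):
    """Undo the logger's \\xHH escaping so the XML can be searched."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), body)

def parse_pingback(line):
    """Return (client_ip, source_url, status) for a pingback.ping POST to xmlrpc.php, else None.
    The first <string> is the 'source' URL the site is made to fetch (where the reflected traffic goes)."""
    m = LOG_RE.match(line)
    if not m or not m.group('req').startswith('POST /xmlrpc.php'):
        return None
    body = unescape_body(m.group('body'))
    if '<methodName>pingback.ping</methodName>' not in body:
        return None
    strings = re.findall(r'<string>\s*(.*?)\s*</string>', body, re.S)
    if len(strings) < 2:
        return None
    return m.group('ip'), strings[0], int(m.group('status'))

def summarize(lines):
    """Per requesting IP, count pingbacks by target host; one IP naming one host over and over is the alert."""
    per_ip = {}
    for line in lines:
        rec = parse_pingback(line)
        if rec is not None:
            ip, source_url, _status = rec
            host = re.sub(r'^https?://', '', source_url).split('/')[0]
            per_ip.setdefault(ip, Counter())[host] += 1
    return per_ip

# Constructed sample lines (not from a real server), each on one line as a logger writes them.
SAMPLE_LOG = [
    r'198.51.100.7 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" '
    r'"POSTREQUEST:<?xml version=\x221.0\x22?>\x0A<methodCall>\x0A<methodName>pingback.ping</methodName>'
    r'\x0A<params><param><value><string>http://victim.example/?1=2</string></value></param>'
    r'<param><value><string>yoursite.com</string></value></param></params></methodCall>\x0A"',
    r'198.51.100.7 - - [09/Mar/2014:20:11:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-" "POSTREQUEST:'
    r'<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.example/?3=4'
    r'</string></value></param><param><value><string>yoursite.com</string></value></param></params></methodCall>"',
    r'203.0.113.9 - - [09/Mar/2014:20:11:36 -0400] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]
```

Run summarize() over a day of access-log lines; an IP whose counter is dominated by a single host is the signature of your site being used as a reflector.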

You can also check out WordPress DDOS Scanner to check if your WordPress site is DDOS’ing other websites (I checked and mine isn’t).

Here’s how to stop your site from being used for DDoS. According to Sucuri, create a plugin that adds this filter:

<?php
/* Plugin Name: Disable XML-RPC pingback.ping */
add_filter( 'xmlrpc_methods', function( $methods ) {
    // Remove pingback.ping from the methods xmlrpc.php will accept; other XML-RPC methods stay available.
    unset( $methods['pingback.ping'] );
    return $methods;
} );
