WordPress Pingback DDoS Symptoms.
Unlike other reflective attacks, which use UDP services such as NTP and DNS, this attack uses the WordPress pingback feature.
A pingback is meant to notify a website that you have linked to it, in the hope that the site you link to will return the favor. Some systems automate this and maintain automatically generated lists linking back to the sites that covered their article. To implement pingback, WordPress exposes an XML-RPC API function, which then sends a request to the site you want to pingback.
We first disclosed that the WordPress pingback method was being abused to carry out massive layer 7 Distributed Denial of Service (DDoS) attacks back in March 2014. The problem is that any WordPress website with the pingback feature enabled (its default setting) can be used to attack the availability of other websites. The attacks flood the web server with layer 7 requests, resulting in very large DDoS attacks.
A recent example is a campaign that combined pingback attacks and layer 7 DDoS, originating from a botnet of 30,000 WordPress sites.
This campaign blasted between 12,000 and 15,000 HTTPS requests per second at the target, and sometimes even peaked at 20,000.
Attackers were abusing the WordPress XML-RPC service to flood the victim's website with pingback requests, and they were sending those pingback requests over HTTPS, pushing the CPU into overdrive as it handled all those encrypted connections, which generally require more server memory.
When people talk about amplification, they think of bandwidth attacks, which are what we see most of.
But a DDoS can operate at a higher level: you can starve the target of CPU, or of connections. Apache will normally handle only a few thousand connections. A load balancer will stop some higher-level attacks, but these are real requests.
WordPress has vulnerabilities of its own that can be exploited quite easily. Many people do not know that their WordPress blog is part of a large DDoS attack being carried out against a target.
Most commonly, pingbacks and trackbacks in WordPress are used to send requests to a target website. DDoS attackers take advantage of this to launch an application layer DDoS attack.
We should all take steps to harden our WordPress security so that it cannot be used to launch a large-scale DDoS attack.
These pingback DDoS attacks have remained popular, and we attribute 15% of all the DDoS attacks we track on our clients to them. We have noticed that use of this technique is declining, likely related to a change that was pushed in WordPress a few versions ago.
Starting with version 3.9, WordPress began to record the IP address from which the pingback request originated. That diminished the value of using WordPress as part of an attack: the platform now records the attacker's original IP address, and it shows up in the target's logs as part of the User-Agent string.
Although it is great that WordPress logs the attacker's IP address on newer releases, we still recommend that you disable pingbacks on your site. It won't protect you from being attacked, but it will stop your website from attacking others.
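To show what the 3.9 change gives a defender, here is an added example (not code from the original post) that scans a target's Apache access log for WordPress pingback verification fetches and, where the User-Agent carries the "verifying pingback from" marker that WordPress 3.9+ appends, tallies the IP that submitted the pingback per reflecting site. The log lines are constructed for the example; the User-Agent format is the one WordPress actually sends.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines (not real traffic): a target's access log
# during a pingback flood. Two reflectors run WordPress 3.9+ (origin IP in User-Agent).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:12:00:01 +0000] "GET /?p=123 HTTP/1.0" 200 5120 "-" "WordPress/3.9.1; http://blog-a.example; verifying pingback from 198.51.100.23"
203.0.113.8 - - [10/Mar/2014:12:00:01 +0000] "GET /?p=123 HTTP/1.0" 200 5120 "-" "WordPress/3.8.3; http://blog-b.example"
203.0.113.9 - - [10/Mar/2014:12:00:02 +0000] "GET /?p=123 HTTP/1.0" 200 5120 "-" "WordPress/3.9.1; http://blog-c.example; verifying pingback from 198.51.100.23"
192.0.2.10 - - [10/Mar/2014:12:00:02 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: client IP, request line and User-Agent are kept.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress uses when it fetches the pingback target; the
# "; verifying pingback from <ip>" suffix was added in WordPress 3.9.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\w.]+); (?P<site>\S+?)'
    r'(?:; verifying pingback from (?P<origin>[0-9a-fA-F:.]+))?$'
)


def analyze(log_text):
    """Count pingback fetches per reflecting WordPress site and, where the
    3.9+ User-Agent reveals it, per IP that submitted the pingback."""
    reflectors = Counter()  # IP of each WordPress site doing the fetching
    origins = Counter()     # IP that submitted the pingback (3.9+ reflectors)
    unattributed = 0        # pre-3.9 reflectors: no origin in the User-Agent
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, skip
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if not ua:
            continue  # ordinary visitor, not a pingback verification fetch
        reflectors[m.group("ip")] += 1
        if ua.group("origin"):
            origins[ua.group("origin")] += 1
        else:
            unattributed += 1
    return {"pingback_hits": sum(reflectors.values()), "reflectors": reflectors,
            "origins": origins, "unattributed": unattributed}


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    print(s["pingback_hits"], "pingback fetches; submitted by:", dict(s["origins"]))
```

Pre-3.9 reflectors still show up as pingback fetches but contribute nothing to the origin tally, which is why that count is reported separately.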
How to disable pingbacks?
Settings > Discussion > Default article settings (this default applies to new articles; existing posts keep their own per-post pingback setting).
Removing xmlrpc.php is not recommended, since it will break many other features that use the API.
The “Disable XML-RPC Pingback” plugin can be a simple stopgap measure.