Large DDoS Attack Brings WordPress Pingback Abuse Back Into Spotlight

← Back to Stories (view on slashdot.org)

Large DDoS Attack Brings WordPress Pingback Abuse Back Into Spotlight

Posted by timothy on Tuesday March 11, 2014 @09:06PM from the pressure-cooker dept.

angry tapir writes "Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale, distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri. The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours. The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007."

32 of 58 comments (clear)

Min score:

Reason:

Sort:

Why do hackers have to fuck up everything? by Viol8 · 2014-03-11 21:56 · Score: 4, Interesting

Every nice little functional feature someone puts on a site or in an application - along come some socially dysfunctional pricks who has to exploit and ruin it for everyone. I just despair sometimes.
1. Re:Why do hackers have to fuck up everything? by Thanshin · 2014-03-11 22:20 · Score: 5, Insightful
  
  Why do we have to have doors? A simple chalk line in the ground with the text "here starts my home" should suffice.
  Why do we have money, credit cards, IDs, contracts,...
  The inherent unreliability of human beings does impose a cost on all human activity. On the other hand, we've advanced a great deal since everyone had to defend their life with sticks and stones on a regular basis.
2. Re:Why do hackers have to fuck up everything? by Anonymous Coward · 2014-03-11 22:37 · Score: 1
  
  I have doors (and windows) because it's fucking cold outside, it's windy, it rains/snows... I don't want my neighbors cat inside my house. I don't want a bugs/insects and what not inside my house. Why are you talking about doors?!
  Credit cards, because it's a bazzillion times easier to use, than carry around money.
  Money, because modern society would not work without it...
3. Re:Why do hackers have to fuck up everything? by Viol8 · 2014-03-11 22:53 · Score: 3, Insightful
  
  >A simple chalk line in the ground with the text "here starts my
  >home" should suffice
  And in a lot of places it does. But at least with thieves the motivation is obvious - they want money. With these script kiddies its the equivalent of someone breaking into your house and smashing stuff up just for the sake of it.
4. Re:Why do hackers have to fuck up everything? by invictusvoyd · 2014-03-11 23:09 · Score: 1
  
  So that the world eventually becomes a safer place for everyone .
5. Re:Why do hackers have to fuck up everything? by Viol8 · 2014-03-11 23:28 · Score: 1
  
  Right , because WordPress was a real threat to civilisation as we know it.
6. Re:Why do hackers have to fuck up everything? by Anonymous Coward · 2014-03-12 00:04 · Score: 1
  
  Have you seen the source code?!
7. Re: Why do hackers have to fuck up everything? by Stormthirst · 2014-03-12 00:47 · Score: 1
  
  Or AR15s or Shotguns.
8. Re:Why do hackers have to fuck up everything? by rvw · 2014-03-12 01:06 · Score: 1
  
  I have doors (and windows) because it's fucking cold outside, it's windy, it rains/snows... I don't want my neighbors cat inside my house. I don't want a bugs/insects and what not inside my house. Why are you talking about doors?!
  Credit cards, because it's a bazzillion times easier to use, than carry around money.
  Money, because modern society would not work without it...
  Doors... to protect that money!
  Money... to pay for the gas and the doors to keep the heat inside!
The post alludes to a flaw in xml-rpc, but... by SpzToid · 2014-03-11 21:57 · Score: 5, Informative

The post alludes to a flaw in xml-rpc, but it seems to me this is a Wordpress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.
I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by Wordpress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.

--
You can't be ahead of the curve, if you're stuck in a loop.
1. Re:The post alludes to a flaw in xml-rpc, but... by LordThyGod · 2014-03-11 22:17 · Score: 1
  
  The post alludes to a flaw in xml-rpc, but it seems to me this is a Wordpress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.
  I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by Wordpress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.
  Drupal probably does not do pingbacks out of the box. Its a blog thing, and Drupal's blog implementation is pretty weak. WordPress does allow pingbacks unless you explicitly turn that off.
2. Re:The post alludes to a flaw in xml-rpc, but... by Chrisq · 2014-03-11 22:34 · Score: 1
  
  The post alludes to a flaw in xml-rpc, but it seems to me this is a Wordpress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.
  I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by Wordpress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.
  I don't know that Drupal is necessarily immune, to does have send pingback in the XMLRPC API. Unless it has something to secure this against unauthorised callers then it could be vulnerable too.
3. Re:The post alludes to a flaw in xml-rpc, but... by SpzToid · 2014-03-11 22:40 · Score: 1
  
  Good point although I notice your citation is to version 5 of Drupal which is no longer supported. But it was simple for me to see that the same pingback module also exists in Drupal core version 6, but not in the current Drupal version 7, (or upcoming version 8).
  So upon reading your comment and considering the matter a little further, methinks this is simply an old-tech issue and folks need to keep their systems modern, especially in light of today's DDOS news.
  
  --
  You can't be ahead of the curve, if you're stuck in a loop.
4. Re:The post alludes to a flaw in xml-rpc, but... by helix2301 · 2014-03-12 00:37 · Score: 1
  
  We turn off comments and pingbacks because of just the pure amount of spam we were constantly dealing with on a regular basis. I agree this looks like a Wordpress flaw not an xml-rpc issue drupal or dotnetnuke are not having the same issue on there platforms.
  
  --
  http://www.thetechnologygeek.org
5. Re:The post alludes to a flaw in xml-rpc, but... by tlhIngan · 2014-03-12 03:22 · Score: 1
  
  I don't know that Drupal is necessarily immune, to does have send pingback in the XMLRPC API. Unless it has something to secure this against unauthorised callers then it could be vulnerable too.
  I'm sure there are ways to mitigate the problem - a pingback is merely a mention. No one said it couldn't be rate-limited or anything (and if the queue gets too big, well, start dropping requests or ignoring them - is it really important that some popular article has a billion pingbacks over a billion and one?). And the rate limit could also apply to source site - there really shouldn't be more than a few pingbacks from some site (at most one per post per site).
6. Re:The post alludes to a flaw in xml-rpc, but... by LordThyGod · 2014-03-12 04:31 · Score: 1
  
  We turn off comments and pingbacks because of just the pure amount of spam we were constantly dealing with on a regular basis. I agree this looks like a Wordpress flaw not an xml-rpc issue drupal or dotnetnuke are not having the same issue on there platforms.
  That's probably because the ratio of dotnetnuke blogs with pingbacks enabled vs wordpress blogs with pingback enabled is a *illion to 1 or so. And if you were trying to use an amplification technique, dotnetnuke blogs probably isn't a good choice. You either use pingbacks or not. I don't believe there is a way to say "hey this is a good pingback from random stranger and this other one from random stranger2 over here is for malicious purposes". And probably one reason you don't want something to get too popular. Then it becomes a vehicle for stuff just because of its popularity. I host quite a few wordpress sites, and haven't seen any unusual traffic, so they are probably targeting large shared hosting operations with lots of WP sites.
nothing new by Zurd3 · 2014-03-11 22:13 · Score: 1

pingback and trackback are features of WordPress, also known as "remote comments", they are quite usefull to boost the popularity of your website if someone post the URL of your WordPress blog. As Matt Mullenweg from the WordPress project said, there's cheaper, easier and more effective ways to DDoS site. I'm going to let that feature enabled in my sites.
1. Re:nothing new by wordsnyc · 2014-03-11 22:30 · Score: 1
  
  Which makes you wonder how seriously to take his comment. After all, someone apparently found it cheap, easy and effective to use xml-rpc to commandeer 162,000 WP installations.
  
  --
  Sent from the iPad I found in your car.
2. Re:nothing new by SpzToid · 2014-03-11 22:47 · Score: 2
  
  Not to mention the sheer bandwidth of those 162,000 *** SERVERS ***!
  Low-budget data-centers and co-hosts must be shitting bricks right about now when/if they max out their wholesale bandwidth contracts.
  We're possibly talkin' about more bandwidth than the proverbial Volvo station wagon full of hard disks and tape screamin' down the freeway at 55mph.
  
  --
  You can't be ahead of the curve, if you're stuck in a loop.
3. Re:nothing new by inasity_rules · 2014-03-11 22:55 · Score: 1
  
  I immediately turned off the feature on our site. I don't care about it anyway - and my hosting provider seems a little bit daft(need to change them out). According to them we were on the receiving end of a DDOS and their default response is to basically ban all incoming traffic from entire IP ranges, making the website effectively inaccessible from anywhere outside the country(then why have a website at all?). I do not want to give them any excuse to blame me. We were not the target of this specific attack, unless some script kiddies have it in for random small automation companies, which seems unlikely to me.
  
  --
  I have determined that my sig is indeterminate.
4. Re:nothing new by Anonymous Coward · 2014-03-12 00:00 · Score: 5, Insightful
  
  Spoken like a true SEO.
  Pingback is worthless and only clutters the hell out of a sites comments. nobody cares that muffymuffins.org reshared my content..
5. Re:nothing new by sunderland56 · 2014-03-12 03:05 · Score: 2
  
  pingback and trackback [...] are quite usefull to boost the popularity of your website
  A DDOS just means that your website is *very* popular at the moment. So those under attack should be extremely happy, right?
Wordpress is crap by Anonymous Coward · 2014-03-11 22:36 · Score: 1, Insightful

Dear internet, please quit using wordpress. It's constantly full of poor programming practices and it's basically the Microsoft Windows XP of blogging software.
1. Re:Wordpress is crap by HybridST · 2014-03-11 23:43 · Score: 1
  
  XP is decent for its time and is still sufficient for some purposes(firewalled etc.)
  I think parent wanted (Wordpress==WinME).
  
  --
  Ever notice that Cobra Commander sounds an awful lot like Star scream?
2. Re:Wordpress is crap by Krojack · 2014-03-12 04:14 · Score: 1
  
  As is most (or all) CMS packages. Either way you won't see anyone stop using it. CMS packages are a quick install, easy to manage and well... free. Do you want every person or company to pay some programmer thousands of dollars to custom write a site for them? It's highly likely that this custom site will have more bugs and exploits in it anyways.
  So what's your solution?
3. Re:Wordpress is crap by Dracos · 2014-03-12 14:08 · Score: 1
  
  I agree, WP is shit from end to end. Poor practices, horrible architecture, and just generally bad code quality... pretty much the most offensive plate of spaghetti I've ever seen. It's almost worse that many people now insist that WP is a CMS, rather than just a blog playing dress-up.
What's the issue here? by Bogtha · 2014-03-11 23:25 · Score: 1

For attackers, the advantage of abusing the WordPress pingback feature in this manner is that they can spread their attacks over a large number of unique IP addresses, making it harder for the targeted sites to block them, Cid said. "It does not amplify the bandwidth utilization, but the scale and reach of the attack."

From the description of the issue, all that seems to be happening here is that an attacker makes an HTTP request to a third-party blog that supports Pingback, and that blog makes an HTTP request to the target. As stated, there's no amplification, so all this appears to be doing is masking the source of the attack.
To what is he referring when he says that it amplifies the "scale and reach" of the attack?

--
Bogtha Bogtha Bogtha
Who still uses "pingback"? by Lumpy · 2014-03-11 23:57 · Score: 3, Insightful

That is the first thing I turn off on any Wordpress install. pingback is the absolute worst feature ever made.

--
Do not look at laser with remaining good eye.
1. Re:Who still uses "pingback"? by Lumpy · 2014-03-12 01:10 · Score: 1
  
  Hack the planet!
  
  --
  Do not look at laser with remaining good eye.
2. Re:Who still uses "pingback"? by Megane · 2014-03-12 03:59 · Score: 3, Interesting
  
  I know that I, for one, just love seeing a blog where half the comments are stupid trackbacks to some even more mindless vanity blogger. NOT. Agreed, the absolute worst feature ever made. It wasn't even a good idea back when The Web[tm] was young, and people would "share links". Remember that?
  Not to mention the obvious SEO spam ("You have a such great web site! This was so informative! Thank you for your post!") that never gets removed, even when the blogger is still replying to posts. It's not just luser bloggers, either, I've seen this on Bunnie Huang's blog! If I ever have a blog, I'm stealing the "all threads automatically close after two weeks" idea from Slashdot.
  
  --
  #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Re:Nah by Viol8 · 2014-03-12 00:39 · Score: 1

Newflash - the "we're doing everyone a favour" excuse was a joke 10 years ago. Its just fscking lame now. If someone kicked down your door and smashed up your stuff you wouldn't be thanking them for pointing out you needed a stronger door.
Graffiti by phorm · 2014-03-12 05:58 · Score: 1

Basically, we graffiti. No more justification than the pricks who feel the need to spray-paint their names on various structures/objects, or draw genitalia, profanity, etc.
Just as dumb as the "for a good time call X" written on a washroom stall.