Slashdot Mirror


Large DDoS Attack Brings WordPress Pingback Abuse Back Into Spotlight

angry tapir writes "Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale, distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri. The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours. The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007."
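The summary describes the mechanism only in outline: the target is hit not by the attacker directly but by thousands of unrelated WordPress installs that each "verify" a pingback against it. From the target's side the tell-tale sign is many distinct WordPress origin sites making small requests within a short window. The following is an added example (not code from Sucuri, the WordPress project or the story) that scans an Apache combined-format access log for that pattern. It assumes that reflected verification requests carry the User-Agent WordPress uses for pingback checks (`WordPress/<version>; <origin site>; verifying pingback from <ip>`), which is an assumption about the traffic rather than something the page states; the log lines, the 203.0.113/198.51.100 addresses and the thresholds are constructed for the example.

```python
"""Flag WordPress pingback-reflection floods in an HTTP access log.

Added example; not code from Sucuri or WordPress. Assumes Apache "combined"
log format and the WordPress pingback-verification User-Agent shown below.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real traffic): five WordPress installs
# "verifying" pingbacks against this site within ten seconds, interleaved
# with two ordinary browser requests.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:14:02:01 +0000] "GET /?4357542=190322 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Mar/2014:14:02:02 +0000] "GET /?1129940=888213 HTTP/1.0" 200 512 "-" "WordPress/3.8; http://blog-b.example; verifying pingback from 198.51.100.7"
192.0.2.44 - - [10/Mar/2014:14:02:02 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
203.0.113.12 - - [10/Mar/2014:14:02:03 +0000] "GET /?7731002=120001 HTTP/1.0" 200 512 "-" "WordPress/3.7.1; http://blog-c.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [10/Mar/2014:14:02:04 +0000] "GET /?9988771=311200 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.13 - - [10/Mar/2014:14:02:06 +0000] "GET /?5550012=000421 HTTP/1.0" 200 512 "-" "WordPress/3.8; http://blog-d.example; verifying pingback from 198.51.100.7"
203.0.113.14 - - [10/Mar/2014:14:02:09 +0000] "GET /?6201033=777123 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-e.example; verifying pingback from 198.51.100.7"
192.0.2.45 - - [10/Mar/2014:14:02:10 +0000] "GET /feed/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/33.0"
"""

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed User-Agent of a WordPress install verifying a pingback it received.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<origin>\S+); verifying pingback from (?P<claimed>\S+)$'
)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match.

    The returned dict carries 'pingback_origin' (the reflecting WordPress
    site's URL) when the User-Agent is a pingback verification, else None.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    pb = PINGBACK_UA_RE.match(rec["ua"])
    rec["pingback_origin"] = pb.group("origin") if pb else None
    return rec


def find_pingback_floods(log_text, window_seconds=60, min_distinct_origins=50):
    """Bucket pingback verifications into fixed windows and report windows in
    which at least `min_distinct_origins` different WordPress sites hit us.

    The threshold is a tunable, not a value from the report: a single
    legitimate post rarely draws more than a handful of verifications at once,
    so dozens of distinct origins per minute is a strong reflection signal.
    """
    recs = [r for r in (parse_line(l) for l in log_text.splitlines())
            if r and r["pingback_origin"]]
    buckets = defaultdict(list)
    for r in recs:
        buckets[int(r["ts"].timestamp()) // window_seconds].append(r)
    alerts = []
    for key in sorted(buckets):
        window = buckets[key]
        origins = {r["pingback_origin"] for r in window}
        if len(origins) < min_distinct_origins:
            continue
        alerts.append({
            "window_start": datetime.fromtimestamp(key * window_seconds, tz=timezone.utc),
            "requests": len(window),
            "distinct_origins": len(origins),
            "distinct_sources": len({r["src"] for r in window}),
            # Many unique query strings on a small site is a secondary hint (heuristic
            # added here) that the requests are meant to defeat page caching.
            "distinct_query_strings": len({r["path"].partition("?")[2]
                                           for r in window if "?" in r["path"]}),
        })
    return alerts


def reflector_counts(log_text):
    """Count verification requests per reflecting WordPress site, so the
    operator can notify those sites or their hosts rather than block them blind."""
    return Counter(r["pingback_origin"] for r in
                   (parse_line(l) for l in log_text.splitlines())
                   if r and r["pingback_origin"])


if __name__ == "__main__":
    for a in find_pingback_floods(SAMPLE_LOG, min_distinct_origins=3):
        print(a)
    print(reflector_counts(SAMPLE_LOG).most_common(3))
```

On real logs the defaults (one-minute windows, fifty distinct origins) should be tuned to the site's normal pingback volume; the `reflector_counts` output is the list of legitimate WordPress sites being abused, which is what you would hand to their owners or hosting providers.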

9 of 58 comments

  1. Why do hackers have to fuck up everything? by Viol8 · · Score: 4, Interesting

    Every nice little functional feature someone puts on a site or in an application - along come some socially dysfunctional pricks who have to exploit and ruin it for everyone. I just despair sometimes.

    1. Re:Why do hackers have to fuck up everything? by Thanshin · · Score: 5, Insightful

      Why do we have to have doors? A simple chalk line in the ground with the text "here starts my home" should suffice.

      Why do we have money, credit cards, IDs, contracts,...

      The inherent unreliability of human beings does impose a cost on all human activity. On the other hand, we've advanced a great deal since everyone had to defend their life with sticks and stones on a regular basis.

    2. Re:Why do hackers have to fuck up everything? by Viol8 · · Score: 3, Insightful

      >A simple chalk line in the ground with the text "here starts my
      >home" should suffice

      And in a lot of places it does. But at least with thieves the motivation is obvious - they want money. With these script kiddies it's the equivalent of someone breaking into your house and smashing stuff up just for the sake of it.

  2. The post alludes to a flaw in xml-rpc, but... by SpzToid · · Score: 5, Informative

    The post alludes to a flaw in xml-rpc, but it seems to me this is a WordPress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.

    I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by WordPress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.

    --
    You can't be ahead of the curve, if you're stuck in a loop.

  3. Re:nothing new by SpzToid · · Score: 2

    Not to mention the sheer bandwidth of those 162,000 *** SERVERS ***!

    Low-budget data-centers and co-hosts must be shitting bricks right about now when/if they max out their wholesale bandwidth contracts.

    We're possibly talkin' about more bandwidth than the proverbial Volvo station wagon full of hard disks and tape screamin' down the freeway at 55mph.

    --
    You can't be ahead of the curve, if you're stuck in a loop.

  4. Who still uses "pingback"? by Lumpy · · Score: 3, Insightful

    That is the first thing I turn off on any WordPress install. Pingback is the absolute worst feature ever made.

    --
    Do not look at laser with remaining good eye.

    1. Re:Who still uses "pingback"? by Megane · · Score: 3, Interesting

      I know that I, for one, just love seeing a blog where half the comments are stupid trackbacks to some even more mindless vanity blogger. NOT. Agreed, the absolute worst feature ever made. It wasn't even a good idea back when The Web[tm] was young, and people would "share links". Remember that?

      Not to mention the obvious SEO spam ("You have a such great web site! This was so informative! Thank you for your post!") that never gets removed, even when the blogger is still replying to posts. It's not just luser bloggers, either, I've seen this on Bunnie Huang's blog! If I ever have a blog, I'm stealing the "all threads automatically close after two weeks" idea from Slashdot.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }

  5. Re:nothing new by Anonymous Coward · · Score: 5, Insightful

    Spoken like a true SEO.
    Pingback is worthless and only clutters the hell out of a site's comments. Nobody cares that muffymuffins.org reshared my content.

  6. Re:nothing new by sunderland56 · · Score: 2

    > pingback and trackback [...] are quite useful to boost the popularity of your website

    A DDOS just means that your website is *very* popular at the moment. So those under attack should be extremely happy, right?