Large DDoS Attack Brings WordPress Pingback Abuse Back Into Spotlight
angry tapir writes "Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale, distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri. The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours. The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007."
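One server-side mitigation for the reflection described in the summary, added here as an example and not taken from the story or from Sucuri: a WordPress must-use plugin that removes `pingback.ping` from the XML-RPC method table and drops the `X-Pingback` header, so the site can no longer be enlisted to fire pingback requests at a third party while the remaining XML-RPC methods (mobile publishing and similar) keep working. It assumes WordPress's `xmlrpc_methods` and `wp_headers` filters; the file path and plugin name are illustrative.

```php
<?php
/*
 * Plugin Name: Disable Pingback Reflection (illustrative mu-plugin)
 * Description: Removes the pingback.ping XML-RPC method and the X-Pingback
 *              header so this site cannot be used as a pingback reflector.
 * Install as: wp-content/mu-plugins/disable-pingback.php (assumed path)
 */

// Keep XML-RPC available for legitimate clients but unregister the one
// method that lets an arbitrary caller make this site contact another host.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    // Optional: also hide the list of pingbacks for a post.
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the pingback endpoint in the HTTP response headers.
// WordPress adds X-Pingback before applying the wp_headers filter.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Disable pingbacks on new posts by default so editors do not re-enable
// the behaviour one post at a time (the core option is 'default_ping_status').
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
```

Verify after installing by calling `system.listMethods` against `/xmlrpc.php` from your own client and confirming `pingback.ping` is absent, and by checking that responses no longer carry an `X-Pingback` header.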
The post alludes to a flaw in xml-rpc, but it seems to me this is a WordPress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.
I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by WordPress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.
You can't be ahead of the curve, if you're stuck in a loop.
Why do we have to have doors? A simple chalk line in the ground with the text "here starts my home" should suffice.
Why do we have money, credit cards, IDs, contracts, ...
The inherent unreliability of human beings does impose a cost on all human activity. On the other hand, we've advanced a great deal since everyone had to defend their life with sticks and stones on a regular basis.
Spoken like a true SEO.
Pingback is worthless and only clutters the hell out of a site's comments. Nobody cares that muffymuffins.org reshared my content.