WordPress pingback abuse blamed for massive DDoS attack

WordPress' pingback function has once again been abused. Here's an overview of what happened, and what you can do to stop it.

On Monday, Daniel Cid, the CTO of Sucuri, said in a blog post that his company recently mitigated a DDoS attack that leveraged more than 162,000 legitimate WordPress installations. The attack was possible because of the pingback function in the XML-RPC implementation used by WordPress.

In this case, the attackers didn't do anything out of the ordinary. Traditionally, XML-RPC is used by WordPress for pingbacks, trackbacks, remote access on mobile devices, and various other features. The attack outlined by Sucuri shows how the function can be abused, allowing a single attacker to use a small amount of bandwidth with devastating results.

The attackers used pingback exactly as it's supposed to be used, but they bypassed caching and other offsetting protections built into WordPress, by calling for pages that didn't exist on the victim's website.

Normally, a WordPress domain will serve visitors cached versions of a link if available, as that lowers the load on the server in many cases. Bypassing the cache means that pages are served in full or the website expends resources looking for something that isn't there, creating resource exhaustion if several pages are requested at once. The attackers were able to bypass the caching by requesting random URLs on the victim's website that didn't exist.

In a statement to IDG News, Matt Mullenweg, the WordPress project lead, noted that XML-RPC itself isn't a threat, and that disabling it isn't a solution when it comes to preventing abuse.

"This tradeoff in pingback's design has been there for a decade now. It's seldom used outside of experimentation because it gets shut down by anti-spam providers like Akismet or web hosts when used at any scale, and there are cheaper, easier, and more effective ways to DDOS sites. That's why no serious attacks (above 2gbps) use it."

His point is valid, but then again, to leverage XML-RPC in this setting, the attacker doesn't need to launch a "serious attack." In a Layer 7 attack, all the attacker has to do is initiate a few thousand requests per minute. Point the pingback calls to non-existent URLs or a large file, and they can take a domain down in minutes, or the website's host will kill the domain due to security protocols. Either way, the website goes down and the attacker wins.

It's been almost seven years since the XML-RPC issue was brought to light, it's a known risk to Web developers who build on WordPress. However, the risk can be mitigated if the pingback function isn't required.

Option One:

Log-in to the WordPress dashboard and go to Settings > Discussion > Default article settings. Un-check the boxes marked - "Allow link notifications from other blogs (pingbacks and trackbacks)" and "Attempt to notify any blogs linked to from the article"

Please note: It is possible to bypass disabled notifications. So this fix isn't 100 percent guaranteed, because no two WordPress installations are alike.

Option Two:

Install a plug-in module that disables XML-RPC. The plug-in with the highest rating, coded by Phil Erb, is viable up to version 3.8.1 of WordPress.

In order to ensure that the plug-in is working, test the site with an XML-RPC validation tool. However, be aware that disabling XML-RPC can be risky and may break some aspects of the website.

You should not, under any circumstance, delete the XMLRPC.php file, as that will positively break aspects of the website, and it will return on the next WordPress update.

Option Three:

You can create your own plug-in, or add code to the site's theme.

add_action( 'xmlrpc_call', function( $method ) {

    if ( $method === 'pingback.ping' ) {

         wp_die( 'No pingbacks', 'Pingback is disabled', array( 'response' => 403 ) );


 } );

[Script offered by Joseph Scott, not tested.]

- OR -

add_filter( ‘xmlrpc_methods’, function( $methods ) {

   unset( $methods['pingback.ping'] );

   return $methods;

} ); 

[Script offered by Sucuri, not tested.]


Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)