Security Bug Open Source Software

Large DDoS Attack Brings WordPress Pingback Abuse Back Into Spotlight

angry tapir writes "Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale, distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri. The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours. The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007."

  • by Viol8 ( 599362 ) on Wednesday March 12, 2014 @05:56AM (#46461837) Homepage

    Every nice little functional feature someone puts on a site or in an application - along come some socially dysfunctional pricks who have to exploit and ruin it for everyone. I just despair sometimes.

  • by Megane ( 129182 ) on Wednesday March 12, 2014 @11:59AM (#46464729)

    I know that I, for one, just love seeing a blog where half the comments are stupid trackbacks to some even more mindless vanity blogger. NOT. Agreed, the absolute worst feature ever made. It wasn't even a good idea back when The Web[tm] was young, and people would "share links". Remember that?

    Not to mention the obvious SEO spam ("You have a such great web site! This was so informative! Thank you for your post!") that never gets removed, even when the blogger is still replying to posts. It's not just luser bloggers, either, I've seen this on Bunnie Huang's blog! If I ever have a blog, I'm stealing the "all threads automatically close after two weeks" idea from Slashdot.
