Large DDoS Attack Brings WordPress Pingback Abuse Back Into Spotlight
angry tapir writes "Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale, distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri. The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours. The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007."
Why do hackers have to fuck up everything? (Score:5, Interesting)
Every nice little functional feature someone puts on a site or in an application - along come some socially dysfunctional pricks who have to exploit and ruin it for everyone. I just despair sometimes.
Re:Why do hackers have to fuck up everything? (Score:5, Insightful)
Why do we have to have doors? A simple chalk line in the ground with the text "here starts my home" should suffice.
Why do we have money, credit cards, IDs, contracts,...
The inherent unreliability of human beings does impose a cost on all human activity. On the other hand, we've advanced a great deal since everyone had to defend their life with sticks and stones on a regular basis.
Re: (Score:1)
I have doors (and windows) because it's fucking cold outside, it's windy, it rains/snows... I don't want my neighbor's cat inside my house. I don't want bugs/insects and whatnot inside my house. Why are you talking about doors?!
Credit cards, because it's a bazillion times easier to use than carrying around money.
Money, because modern society would not work without it...
Re: (Score:2)
> I have doors (and windows) because it's fucking cold outside, it's windy, it rains/snows... I don't want my neighbor's cat inside my house. I don't want bugs/insects and whatnot inside my house. Why are you talking about doors?!
> Credit cards, because it's a bazillion times easier to use than carrying around money.
> Money, because modern society would not work without it...
Doors... to protect that money!
Money... to pay for the gas and the doors to keep the heat inside!
Re:Why do hackers have to fuck up everything? (Score:4, Insightful)
>A simple chalk line in the ground with the text "here starts my
>home" should suffice
And in a lot of places it does. But at least with thieves the motivation is obvious - they want money. With these script kiddies it's the equivalent of someone breaking into your house and smashing stuff up just for the sake of it.
Re: (Score:2)
Newsflash - the "we're doing everyone a favour" excuse was a joke 10 years ago. It's just fscking lame now. If someone kicked down your door and smashed up your stuff you wouldn't be thanking them for pointing out you needed a stronger door.
Graffiti (Score:1)
Basically, we graffiti. No more justification than the pricks who feel the need to spray-paint their names on various structures/objects, or draw genitalia, profanity, etc.
Just as dumb as the "for a good time call X" written on a washroom stall.
Re: (Score:2)
Right , because WordPress was a real threat to civilisation as we know it.
Re: (Score:1)
Have you seen the source code?!
Re: (Score:2)
Or AR15s or Shotguns.
The post alludes to a flaw in xml-rpc, but... (Score:5, Informative)
The post alludes to a flaw in xml-rpc, but it seems to me this is a Wordpress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.
I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by Wordpress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.
Re: (Score:2)
> The post alludes to a flaw in xml-rpc, but it seems to me this is a Wordpress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.
> I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by Wordpress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.
Drupal probably does not do pingbacks out of the box. It's a blog thing, and Drupal's blog implementation is pretty weak. WordPress does allow pingbacks unless you explicitly turn that off.
Re: (Score:2)
> The post alludes to a flaw in xml-rpc, but it seems to me this is a Wordpress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.
> I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by Wordpress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.
I don't know that Drupal is necessarily immune; it does have send pingback [drupalcontrib.org] in the XMLRPC API. Unless it has something to secure this against unauthorised callers then it could be vulnerable too.
Re: (Score:2)
Good point although I notice your citation is to version 5 of Drupal which is no longer supported. But it was simple for me to see that the same pingback module also exists in Drupal core version 6, but not in the current Drupal version 7, (or upcoming version 8).
So upon reading your comment and considering the matter a little further, methinks this is simply an old-tech issue and folks need to keep their systems modern, especially in light of today's DDOS news.
Re: (Score:2)
I'm sure there are ways to mitigate the problem - a pingback is merely a mention. No one said it couldn't be rate-limited or anything (and if the queue gets too big, well, start dropping requests or ignoring them - is it really important that some popular article has a billion pingbacks over a billion and one?). And
Re: (Score:2)
We turn off comments and pingbacks because of just the pure amount of spam we were constantly dealing with on a regular basis. I agree this looks like a WordPress flaw, not an xml-rpc issue; Drupal and DotNetNuke are not having the same issue on their platforms.
That's probably because the ratio of dotnetnuke blogs with pingbacks enabled vs wordpress blogs with pingback enabled is a *illion to 1 or so. And if you were trying to use an amplification technique, dotnetnuke blogs probably isn't a good choice. You either use pingbacks or not. I don't believe there is a way to say "hey this is a good pingback from random stranger and this other one from random stranger2 over here is for malicious purposes". And probably one reason you don't want something to get too pop
nothing new (Score:1)
Re: (Score:2)
Which makes you wonder how seriously to take his comment. After all, someone apparently found it cheap, easy and effective to use xml-rpc to commandeer 162,000 WP installations.
Re: (Score:3)
Not to mention the sheer bandwidth of those 162,000 *** SERVERS ***!
Low-budget data-centers and co-hosts must be shitting bricks right about now when/if they max out their wholesale bandwidth contracts.
We're possibly talkin' about more bandwidth than the proverbial Volvo station wagon full of hard disks and tape screamin' down the freeway at 55mph.
Re: (Score:2)
I immediately turned off the feature on our site. I don't care about it anyway - and my hosting provider seems a little bit daft (need to change them out). According to them we were on the receiving end of a DDOS and their default response is to basically ban all incoming traffic from entire IP ranges, making the website effectively inaccessible from anywhere outside the country (then why have a website at all?). I do not want to give them any excuse to blame me. We were not the target of this specific attack
Re:nothing new (Score:5, Insightful)
Spoken like a true SEO.
Pingback is worthless and only clutters the hell out of a site's comments. Nobody cares that muffymuffins.org reshared my content..
Re: (Score:3)
> pingback and trackback [...] are quite useful to boost the popularity of your website
A DDOS just means that your website is *very* popular at the moment. So those under attack should be extremely happy, right?
Wordpress is crap (Score:1, Insightful)
Dear internet, please quit using wordpress. It's constantly full of poor programming practices and it's basically the Microsoft Windows XP of blogging software.
Re: (Score:1)
XP is decent for its time and is still sufficient for some purposes (firewalled, etc.)
I think parent wanted (Wordpress==WinME).
Re: (Score:2)
As are most (or all) CMS packages. Either way you won't see anyone stop using it. CMS packages are a quick install, easy to manage and well... free. Do you want every person or company to pay some programmer thousands of dollars to custom write a site for them? It's highly likely that this custom site will have more bugs and exploits in it anyways.
So what's your solution?
Re: (Score:2)
I agree, WP is shit from end to end. Poor practices, horrible architecture, and just generally bad code quality... pretty much the most offensive plate of spaghetti I've ever seen. It's almost worse that many people now insist that WP is a CMS, rather than just a blog playing dress-up.
What's the issue here? (Score:2)
From the description of the issue, all that seems to be happening here is that an attacker makes an HTTP request to a third-party blog that supports Pingback, and that blog makes an HTTP
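The reflection the comment above describes, plus the per-source rate limit suggested earlier in the thread, as an added worked example that is not part of the original discussion and not WordPress's or Drupal's own code. It assumes the Pingback spec's two-step flow: the caller sends a `pingback.ping` XML-RPC call with `sourceURI` and `targetURI`, and the receiving blog then fetches `sourceURI` to verify it links to the target; that verification fetch is the request the victim sees, so an attacker simply puts the victim's URL in `sourceURI`. The log format, the `WordPress/<version>; <site url>` User-Agent, the bare numeric cache-busting query strings, and the `PingbackBudget` class and its limits are assumptions made for this example; the sample log lines are constructed.

```python
import re
import xmlrpc.client
from collections import defaultdict
from urllib.parse import urlparse

# --- Caller side: one small request per reflector ------------------------
# The attacker only has to send this to each pingback-enabled blog; the
# blog's spec-mandated verification fetch of source_uri is the reflected
# traffic the victim receives.
def build_pingback_call(source_uri: str, target_uri: str) -> bytes:
    return xmlrpc.client.dumps(
        (source_uri, target_uri), methodname="pingback.ping"
    ).encode()

# --- Receiver side: hypothetical checks before any outbound fetch ---------
def parse_pingback_call(body: bytes):
    params, method = xmlrpc.client.loads(body.decode())
    if method != "pingback.ping" or len(params) != 2:
        return None
    return params[0], params[1]

def should_fetch_source(source_uri: str, target_uri: str, own_host: str) -> bool:
    """Refuse to fetch unless the target really is one of our own URLs and
    the source is remote. Note this alone does not stop reflection: the
    attacker can always name a real post as the target, so the budget
    below (or disabling pingback) is what actually caps the damage."""
    src, tgt = urlparse(source_uri), urlparse(target_uri)
    if src.scheme not in ("http", "https") or tgt.scheme not in ("http", "https"):
        return False
    if tgt.netloc != own_host:   # not our post: nothing to verify
        return False
    if src.netloc == own_host:   # self-ping: no remote fetch needed
        return False
    return True

class PingbackBudget:
    """Cap on verification fetches per source host inside a sliding window
    (the rate limit a commenter above suggests). Assumed values, not a
    WordPress default."""
    def __init__(self, limit: int = 5, window_s: float = 60.0):
        self.limit, self.window_s = limit, window_s
        self.seen = defaultdict(list)   # host -> timestamps of fetches

    def allow(self, host: str, now: float) -> bool:
        stamps = [t for t in self.seen[host] if now - t < self.window_s]
        if len(stamps) >= self.limit:
            self.seen[host] = stamps
            return False
        stamps.append(now)
        self.seen[host] = stamps
        return True

# --- Victim side: spot the reflection in a combined-format access log -----
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
WP_UA_RE = re.compile(r"^WordPress/\S+; (?P<site>https?://\S+)$")   # assumed UA shape
CACHE_BUST_RE = re.compile(r"\?\d+=\d+$")   # bare numeric query string, assumed marker

def find_pingback_reflection(log_lines, min_reflectors: int = 3):
    """Count requests that carry WordPress's fetcher User-Agent and a bare
    numeric cache-busting query string, keyed by the reflecting site named
    in the UA. Returns {site: hits} once at least min_reflectors distinct
    sites are involved, else None."""
    reflectors = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = WP_UA_RE.match(m["ua"])
        if not ua or not CACHE_BUST_RE.search(m["path"]):
            continue
        reflectors[ua["site"]] += 1
    if len(reflectors) < min_reflectors:
        return None
    return dict(reflectors)

# Constructed sample: three reflectors, one ordinary visitor, one benign
# pingback verification fetch without a cache-busting query string.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2014:12:00:01 +0000] "GET /?4137049=643182 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example"',
    '198.51.100.7 - - [10/Mar/2014:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Mar/2014:12:00:02 +0000] "GET /?1928374=456 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-b.example"',
    '203.0.113.10 - - [10/Mar/2014:12:00:02 +0000] "GET /?777=888 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example"',
    '203.0.113.12 - - [10/Mar/2014:12:00:03 +0000] "GET /?1=2 HTTP/1.0" 200 5120 "-" "WordPress/3.7; http://blog-c.example"',
    '203.0.113.13 - - [10/Mar/2014:12:00:03 +0000] "GET /2014/03/some-post/ HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-d.example"',
]

if __name__ == "__main__":
    body = build_pingback_call("http://victim.example/", "http://blog-a.example/2014/03/post/")
    print(parse_pingback_call(body))
    print(find_pingback_reflection(SAMPLE_LOG))
```

The receiver-side functions show why the problem is hard to fix at the protocol level: the fetch of `sourceURI` is what pingback is, so validation of the target only narrows the abuse, and a budget per source host (or turning pingback off, as several commenters do) is what bounds the outbound traffic. The detector is deliberately keyed on the reflecting site named in the User-Agent rather than on the source IP, which is what lets you list which blogs were used as reflectors.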
Who still uses "pingback"? (Score:4, Insightful)
That is the first thing I turn off on any Wordpress install. pingback is the absolute worst feature ever made.
Re: (Score:2)
Hack the planet!
Re:Who still uses "pingback"? (Score:4, Interesting)
I know that I, for one, just love seeing a blog where half the comments are stupid trackbacks to some even more mindless vanity blogger. NOT. Agreed, the absolute worst feature ever made. It wasn't even a good idea back when The Web[tm] was young, and people would "share links". Remember that?
Not to mention the obvious SEO spam ("You have a such great web site! This was so informative! Thank you for your post!") that never gets removed, even when the blogger is still replying to posts. It's not just luser bloggers, either, I've seen this on Bunnie Huang's blog! If I ever have a blog, I'm stealing the "all threads automatically close after two weeks" idea from Slashdot.