• Resolved The Barefoot Bookworm

    (@the-barefoot-bookworm)


    A blogger recently got attacked by a hacker who used pingbacks to try and overload his servers. Here’s the entire post about it: https://trilema.com/2014/o-hai-let-me-wanna-be/

    Of particular note in this post is the message displayed only to WP users whose blogs were used in the attack:

    You are seeing this because your blog was recently used as part of a DDOS attack against Trilema.

    The way this works is that the attacker sends pingbacks to a long list of blogs. The blogs in question then load the indicated url to try and verify if the pingback is legitimate (ie, if the url of the pinged blog actually appears on page), resulting in massive traffic spikes for the victim.

    This works because WordPress pingbacks are poorly implemented. A more solid implementation would verify if the pingback originates from the same IP as the site that supposedly sent it, and discard the request if there’s a mismatch. The current implementation allows pingbacks to be sent by any arbitrary IP, and so allows a malicious user yet another DDOS vector.

    Please do your part by fixing your pingbacks implementation. The easiest way would be to open the file xmlrpc.php found in the root directory of your blog installation, and modify the part that says

    // Let's check the remote site

    $linea = wp_remote_fopen( $pagelinkedfrom );

    To instead say

    // Let's check the remote site

    // First, make sure we're not being used for DDoS!
    if ( gethostbyname( parse_url( $pagelinkedfrom, PHP_URL_HOST ) )
         <> $_SERVER['REMOTE_ADDR'] )
        die( "Sorry, you will have to send this from your blog's IP." );

    $linea = wp_remote_fopen( $pagelinkedfrom );

    This checks that the IP of the domain you think you’ve been pinged by and the IP of the client informing you were pinged match, and dies if they don’t – rendering this particular DDoS avenue inoperable while maintaining all the pingback functionality you could possibly want.

    Thanks for being part of the solution!

    WordPress community, sound off? Does this vulnerability really exist, and if so, is it possible to fix it in the core? What do you think of the proposed solution? Could there be a possible downside to it?

    I’m not a programmer and I had never heard about such a vulnerability before, but since my blog was one of the blogs implicated (the list is almost 300 MB, have asked the blogger to check it for me) I’m obviously quite concerned and I wonder if other people have heard of or experienced such attacks before.
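    The quoted patch compares one resolved address of the claimed source URL with the IP that posted the XML-RPC request. As an added example (not from the post, the blogger, or WordPress), here is an offline model of that logic against a constructed DNS table: it stops the reflection case, where the claimed source is the victim and the POST comes from elsewhere, but also rejects legitimate pingbacks from blogs with several A records or a CDN in front. All host names and addresses are made up.

```python
"""Offline model of the pingback source check quoted in the thread.
Added example, not WordPress code; FAKE_DNS is a constructed table."""
from urllib.parse import urlparse

# Constructed DNS data standing in for PHP's gethostbyname().
FAKE_DNS = {
    "victim.example": ["203.0.113.10"],                 # blog being flooded
    "multi.example": ["198.51.100.5", "198.51.100.6"],  # two A records
    "cdn.example": ["192.0.2.40"],                      # CDN edge; origin elsewhere
}

def resolve(host):
    """Every published address for host ([] when it does not resolve)."""
    return FAKE_DNS.get(host, [])

def first_record_check(pagelinkedfrom, remote_addr, resolver=resolve):
    """The quoted patch: gethostbyname() yields one address and the pingback
    is accepted only if it equals $_SERVER['REMOTE_ADDR']."""
    host = urlparse(pagelinkedfrom).hostname
    addrs = resolver(host) if host else []
    return bool(addrs) and addrs[0] == remote_addr

def any_record_check(pagelinkedfrom, remote_addr, resolver=resolve):
    """Looser variant: accept if REMOTE_ADDR is any published address."""
    host = urlparse(pagelinkedfrom).hostname
    return host is not None and remote_addr in resolver(host)

# (URL claimed as pingback source, IP the XML-RPC POST arrived from, legitimate?)
SCENARIOS = {
    "reflection": ("http://victim.example/post", "10.0.0.99", False),  # attacker
    "plain_blog": ("http://victim.example/post", "203.0.113.10", True),
    "second_record": ("http://multi.example/post", "198.51.100.6", True),
    "cdn_origin": ("http://cdn.example/post", "203.0.113.77", True),
    "no_dns": ("http://nx.example/post", "10.0.0.99", False),
}

def evaluate(check):
    """Map each scenario name to (accepted, legitimate) under the given check."""
    return {n: (check(url, ip), legit) for n, (url, ip, legit) in SCENARIOS.items()}

def false_positives(check):
    """Legitimate pingbacks the check would wrongly reject, sorted by name."""
    return sorted(n for n, (ok, legit) in evaluate(check).items() if legit and not ok)

if __name__ == "__main__":
    for name, chk in (("first_record", first_record_check), ("any_record", any_record_check)):
        print(name, "rejects legitimate:", false_positives(chk))
```

    The CDN case fails under both variants, which is why a per-source rate limit on verification fetches holds up better than an exact IP match.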

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter The Barefoot Bookworm

    (@the-barefoot-bookworm)

    Thanks. So it’s legit? What about the solution? Did you try it?

    Thread Starter The Barefoot Bookworm

    (@the-barefoot-bookworm)

    “I spoke to the WordPress team and they are investigating ways to minimize this issue, while still having the pingback functionality available (which is important for them),” Cid said.

    However, Matt Mullenweg, the WordPress project lead, doesn’t agree with Sucuri’s suggestion that XML-RPC poses a threat or that disabling it is a solution.

    “This tradeoff in pingback’s design has been there for a decade now,” he said via email. “It’s seldom used outside of experimentation because it gets shut down by anti-spam providers like Akismet or web hosts when used at any scale, and there are cheaper, easier, and more effective ways to DDOS sites. That’s why no serious attacks (above 2gbps) use it.”

    Interesting. And a bit disappointing that Matt would write it off as that.

    Both blog posts mention Akismet catches this sort of spam, and I have it turned on. How is it that my blog was still used in the attack?

    Moderator bcworkz

    (@bcworkz)

    I’ve no idea really, but you may be experiencing a zero day exploit that Akismet hasn’t yet caught up with. You may have little recourse but to turn off pingbacks until the exploit is better filtered out.

    Thread Starter The Barefoot Bookworm

    (@the-barefoot-bookworm)

    But the solution provided by the blogger doesn’t require pingbacks to be turned off. It adds a filter to them. I’m wary of plucking random code off the Internet and plopping it into my WP core, and I’m not a PHP programmer or anything either, so I’m stumped. I WANT to do it. But I’m not sure I should.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    So yes but no.

    Yes, if people hammer your pingbacks, it will have the same effect as a DDoS. No, there isn’t a current vulnerability in WordPress that your site will be hacked because of this. Which is Matt’s pov.

    Let me put it a different way. If someone writes a script that calls your site with curl() every second, it will do the exact same thing.

    You CAN disable pingbacks, you can prevent it with .htaccess, and you can have your webhost throttle that kind of behavior (which most hosts already do). It’s not as big a deal as it’s being made out to be.

    Thread Starter The Barefoot Bookworm

    (@the-barefoot-bookworm)

    Thanks!

  • The topic ‘WP pingbacks exploited for DDoS attacks?’ is closed to new replies.