• For the past week, I have had what looks like an ongoing attempt to exploit my /xmlrpc.php (roughly 80,000 of these per day: xxx.xxx.xxx.xxx https://www.mysite.com – [25/May/2013:16:28:00 +0200] “POST /xmlrpc.php HTTP/1.1” 403 332 “-” “-”)

    The vast majority of this traffic (over 97%) comes from three IP addresses all within the IP allocation of the same mutual/dedicated hosting provider. Thus far, my attempts to have them stop the traffic from their side, through their own abuse@, have been unsuccessful.

    In the meantime, I’ve 403’d xmlrpc using .htaccess, as the attack is ongoing, but I would ideally be able to use it…

    Is there anything practical that I can do to compel the hosting company to keep their house in order? (I’m based in Europe and they’re in the USA, and so – for example – I’d really like to avoid the expense and complexity of litigation)

    Cheers

    Charlie

Viewing 7 replies - 1 through 7 (of 7 total)
  • Is there anything practical that I can do to compel the hosting company to keep their house in order?

    There’s nothing anyone here can do; it has nothing to do with WordPress. Work with the host, or move to another host.

    You could contact your own provider to see if they can block the attacker at their borders.

    Thread Starter charleshking

    (@charleshking)

    Thank you for your reply, songdogtech.

    For clarification, I’m not talking about my host – I’m talking about the other host: a commercial provider who seems happy to allow attacks to be carried out from within his network. Changing my host won’t change that.

    The reason I’m asking about this on a WordPress forum is that it is an attack specific to WordPress that, doubtless, other WordPress administrators have experienced, and will experience again.

    A practical way to deal with this kind of thing would be a useful asset to a community of CMS admins, I suspect.

    Cheers

    Charlie

    For clarification, I’m not talking about my host – I’m talking about the other host: a commercial provider who seems happy to allow attacks to be carried out from within his network. Changing my host won’t change that.

    I read that. Changing your host might help with the attacks, because another host may be more inclined to help block the attacks from the problem host.

    Or block those IPs from your whole site: https://perishablepress.com/stupid-htaccess-tricks/#sec7a

    WordPress comes under all kinds of attacks, constantly, like all CMSs. It’s nothing new. Read https://www.ads-software.com/support/topic/brute-force-attacks-and-wordpress?replies=2

    Thread Starter charleshking

    (@charleshking)

    mrmist – I did consider that, and it’s a potential solution, but according to ARIN, they have 15 class C networks allocated and blocking the whole range seems a tad drastic (and will likely affect innocent bystanders).

    I did consider redirecting their net in .htaccess to a page saying ‘sorry too much abusive traffic from your host, please ask your administrator for help’.

    I’m not familiar with how things work in the USA, but I believe in Europe that if I sign an agreement with an upstream ISP, then it will include clauses requiring me to be proactive in preventing abuse from within my allocation. If that were the case, for example, a form ‘Cease and Desist’ copied to the upstream provider ought to sharpen their thinking (they can’t resell a product that they aren’t able to source…)

    Otherwise, I could just roll over and ignore it, and accept the hit in functionality – it’s not hugely significant after all – but the principle of allowing dodgy behaviour to go unchallenged on the basis that it’s ‘a bit of an effort’ is only going to encourage it.

    Cheers

    Charlie

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    The reason I’m asking about this on a WordPress forum is that it is an attack specific to WordPress that, doubtless, other WordPress administrators have experienced, and will experience again.

    But it really isn’t exactly.

    The brute force aspect is documented already, and so are the “hardening your installation” parts.

    https://codex.www.ads-software.com/Brute_Force_Attacks
    https://codex.www.ads-software.com/Hardening_WordPress

    What you’re experiencing is from being attacked by massive amounts of requests. That happens to other systems too. That level of defense has to be at the host level. If you run your own server or VPS then you can use the built-in O/S tools to stop that traffic from reaching your web server software.

    In my case I’ve used iptables because I run on Linux boxes. The TCP requests hit the O/S and the O/S drops the traffic. My Apache2 process never even sees the connection. That saves me a lot of CPU and memory processing.

    If you can do that then you can deal with those IPs. If you can’t you can request your host to do so.

    Either way it’s not really a WordPress solution or problem.
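Added example (not part of the thread and not WordPress code): a way to turn the access log into per-host block rules for the few addresses sending most of the xmlrpc.php POSTs, rather than blocking a provider's whole allocation. It assumes the log layout quoted in the opening post, ports 80/443 and Apache 2.4 syntax; the function names are hypothetical and the sample lines are constructed from documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Layout of the log line quoted in the opening post (real logs use ASCII '-' and '"'):
#   <client ip> <site> - [<time>] "<method> <path> <protocol>" <status> <bytes> ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')

def xmlrpc_posts_by_ip(lines):
    """Count POST /xmlrpc.php requests per valid IPv4 client address."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) != "POST" or m.group(3).split("?")[0] != "/xmlrpc.php":
            continue
        try:
            hits[str(ipaddress.IPv4Address(m.group(1)))] += 1
        except ValueError:
            pass  # never turn an unparsable field into a firewall rule
    return hits

def top_sources(hits, share_pct=97):
    """Busiest addresses first, until they cover share_pct percent of the hits."""
    total, covered, chosen = sum(hits.values()), 0, []
    for ip, n in hits.most_common():
        if covered * 100 >= share_pct * total:
            break
        chosen.append(ip)
        covered += n
    return chosen

def iptables_rules(ips, ports="80,443"):
    """Host-level DROP rules: the kernel discards the packets before Apache sees them."""
    return [f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports {ports} -j DROP"
            for ip in ips]

def htaccess_block(ips):
    """Apache 2.4 .htaccess equivalent for hosts without firewall access."""
    deny = [f"    Require not ip {ip}" for ip in ips]
    return "\n".join(["<RequireAll>", "    Require all granted", *deny, "</RequireAll>"])

def _line(ip, method="POST", path="/xmlrpc.php"):  # constructed sample data
    return (f'{ip} https://www.example.com - [25/May/2013:16:28:00 +0200] '
            f'"{method} {path} HTTP/1.1" 403 332 "-" "-"')

SAMPLE = ([_line("192.0.2.10")] * 50 + [_line("192.0.2.77")] * 30
          + [_line("198.51.100.5")] * 17 + [_line("203.0.113.9")] * 3
          + [_line("203.0.113.9", "GET", "/index.php")] * 5)

if __name__ == "__main__":
    offenders = top_sources(xmlrpc_posts_by_ip(SAMPLE))
    print("\n".join(iptables_rules(offenders)))
    print(htaccess_block(offenders))
```

The per-address counts from `xmlrpc_posts_by_ip` are also the evidence to attach to an abuse report.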

    Thread Starter charleshking

    (@charleshking)

    songdogtech – Ah, ok I see what you mean. Presumably that would work if my client’s site is being attacked by IP address, and not by its web address (which would seem odd, but hey).

    As I replied to mrmist, I can see that just blocking access to the network in question is a potential solution, be that with my host’s help or by .htaccess, but that strikes me as massaging the symptoms rather than addressing the disease. One would hope that a legitimate hosting company would be more keen to provide reasonable control of their customers…

    I like the https://perishablepress.com/stupid-htaccess-tricks/ article, thank you. I didn’t know that one can filter an entrant address by CIDR number! Thank you.

    Cheers

    Charlie

  • The topic ‘How to compel a hosting provider to stop an attack issuing from their net?’ is closed to new replies.