WordPress Sites Used to Power Layer 7 DDoS Attacks

Tens of thousands of WordPress websites have been recently used to launch Layer 7 distributed denial of service (DDoS) attacks, security researchers at Sucuri reveal.

Layer 7 attacks, also known as HTTP flood attacks, disrupt a server by exhausting its resources at the application layer rather than at the network layer. These types of attacks require fewer requests and less bandwidth to cause damage, because they can force resource consumption on most PHP applications, databases, and content management systems (CMS).

Most recently, Sucuri researchers observed that WordPress sites with the pingback feature enabled are being used to disrupt the availability of other websites by flooding them with Layer 7 requests, resulting in very large DDoS attacks. Daniel Cid, Founder & CTO of Sucuri, notes that 13 percent of the DDoS attempts the security company tracks are pingback DDoS attacks, which makes them very popular.

The researchers observed 26,000 different WordPress sites generating a sustained rate of 10,000 to 11,000 HTTPS requests per second against one website. They also noticed that the attack peaked at certain intervals, reaching almost 20,000 HTTPS requests per second, and that it lasted for more than half a day.

The attacker used a series of IP addresses in the 185.130.5.0/24 range to control the “botnet” of WordPress sites, and was able to conduct the attack successfully despite an IP logging feature that WordPress added in version 3.9. By recording the IP address from which the pingback request originated, the CMS aimed to diminish its value as part of an attack, since the attacker’s IP appears in the user agent string that the targeted site logs.

However, Cid explains that the pingback technique is still being used mainly because website owners rarely check the user agent in their logs. Furthermore, he notes that because the attack comes from thousands of different IPs, network-based firewalls won’t stop it, since they only rate-limit per IP address.
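The log check the paragraph above says owners rarely perform, as an added example that is not part of the original article or of Sucuri's or WordPress's code: a Python script that parses combined-format web server access logs on the targeted site, picks out pingback-verification requests by their user agent, and groups them by the address named after "verifying pingback from". The user-agent layout is the one WordPress 3.9 and later uses (version, site URL, originating IP); the sample log lines are constructed, with the 185.130.5.0/24 range taken from the article and every other address and hostname made up.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample lines in Apache/nginx combined log format (example data,
# not from the article). The user agent is the one WordPress 3.9 and later
# sends when it fetches a page to verify a pingback: its own version and URL,
# then the IP address the pingback request came from. So the *source* IP is
# the reflecting WordPress host, while "verifying pingback from" names the
# party that triggered it (here, addresses in the 185.130.5.0/24 range the
# article mentions; every other address and hostname is made up).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2016:14:02:11 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 185.130.5.7"
192.0.2.25 - - [10/Feb/2016:14:02:11 +0000] "GET /?p=1 HTTP/1.1" 200 5123 "-" "WordPress/4.3.1; http://shop-b.example; verifying pingback from 185.130.5.7"
192.0.2.8 - - [10/Feb/2016:14:02:12 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/4.4.1; https://news-c.example; verifying pingback from 185.130.5.9"
192.0.2.10 - - [10/Feb/2016:14:02:12 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 185.130.5.9"
198.51.100.77 - - [10/Feb/2016:14:02:12 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
192.0.2.44 - - [10/Feb/2016:14:02:13 +0000] "GET /post/hello HTTP/1.1" 200 5123 "-" "WordPress/4.4.2; http://friend-d.example; verifying pingback from 203.0.113.4"
this line is deliberately malformed and must be skipped
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User agent WordPress 3.9+ sends while verifying a pingback.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[^;]+); (?P<site>[^;]+); '
    r'verifying pingback from (?P<origin>\S+)$'
)


def parse_pingback_hits(log_text):
    """Return (reflecting_host_ip, wordpress_site_url, origin_ip) for every
    request whose user agent is a WordPress pingback verification."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than crash
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if ua:
            hits.append((m.group("src"), ua.group("site"), ua.group("origin")))
    return hits


def pingback_share(log_text):
    """Fraction of parseable requests that are pingback verifications."""
    parsed = sum(1 for line in log_text.splitlines() if LOG_RE.match(line))
    return len(parse_pingback_hits(log_text)) / parsed if parsed else 0.0


def flag_reflection_sources(hits, min_sites=2, prefix=24):
    """Group origin addresses into /prefix networks and return the networks
    that drove pingbacks through at least `min_sites` distinct WordPress
    sites. One site verifying one pingback is normal; one address (or block)
    making many unrelated sites fetch the same target is the reflection
    pattern the article describes. Per-IP rate limiting misses it because
    each reflecting host sends only a share of the flood."""
    by_net = defaultdict(lambda: {"requests": 0, "sites": set(), "origins": set()})
    for _src, site, origin in hits:
        try:
            net = str(ip_network(f"{origin}/{prefix}", strict=False))
        except ValueError:
            continue  # origin is not an IP literal; ignore it
        by_net[net]["requests"] += 1
        by_net[net]["sites"].add(site)
        by_net[net]["origins"].add(origin)
    return {net: rec for net, rec in by_net.items() if len(rec["sites"]) >= min_sites}


def reflecting_sites(flagged):
    """Sorted list of WordPress sites that reflected for a flagged network:
    the owners to notify so they can disable pingbacks or restrict xmlrpc."""
    sites = set()
    for rec in flagged.values():
        sites |= rec["sites"]
    return sorted(sites)


if __name__ == "__main__":
    hits = parse_pingback_hits(SAMPLE_LOG)
    print(f"pingback verifications: {len(hits)} ({pingback_share(SAMPLE_LOG):.0%} of requests)")
    flagged = flag_reflection_sources(hits)
    for net, rec in flagged.items():
        print(f"{net}: {rec['requests']} requests via {len(rec['sites'])} sites, "
              f"{len(rec['origins'])} distinct origin IPs")
    print("reflecting sites:", ", ".join(reflecting_sites(flagged)))
```

On the sample data the script flags 185.130.5.0/24 (two origin IPs driving three different WordPress sites) and leaves the single legitimate-looking pingback from 203.0.113.4 alone. Grouping by network rather than by individual address is what distinguishes the pattern from ordinary pingback traffic, and the list of reflecting sites is what a target would hand to the hosting providers named in the article.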

The researchers discovered that the majority of IP addresses used in this attack were sites on popular VPS/Cloud/Dedicated server providers: Amazon AWS, Digital Ocean, Google Cloud, Microsoft Azure, Hetzner, OVH and Linode.

To avoid such attacks, website admins are advised to disable the pingback feature, which ensures that the site cannot be used to attack other domains. Furthermore, Sucuri recommends either disabling xmlrpc, provided it is not in use, or changing the .htaccess file so that only whitelisted IPs can access the file.

WordPress has long been the most attacked CMS, registering 3.5 times more attacks than non-CMS applications, according to Imperva’s 2015 annual Web Application Attack Report (WAAR). Also last year, thousands of WordPress sites were abused in Neutrino exploit kit attacks or hijacked to redirect visitors to other exploit kits.

Related: WordPress 4.4.2 Patches Open Redirect, SSRF Flaws
