
Attackers trick 162,000 WordPress sites into launching DDoS attack  - ghosh
http://arstechnica.com/security/2014/03/more-than-162000-legit-wordpress-sites-abused-in-powerful-ddos-attack/
======
driverdan
Original, non-blogspam post: [http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html](http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html)

Original HN post:
[https://news.ycombinator.com/item?id=7374577](https://news.ycombinator.com/item?id=7374577)

~~~
faddotio
It's sad that Ars Technica is making blogspam.

------
bananas
This really doesn't surprise me in the slightest. I inherited a WordPress site
someone hacked up for a friend of mine a few months ago. Until then, I wasn't
quite aware of the ability to slide malware into it (it was an oldish version
of WP).

As it was a relatively static site, I extracted the templates, removed the
malware (which had injected itself into the header) and fudged it all into
Jekyll[1] and uploaded it again as a static site to webfaction and changed the
DNS entries.

Problem solved. Permanently.

I really wish people would do this more rather than pile loads of poorly
maintained crap onto shared hosting.

[1] [http://jekyllrb.com/](http://jekyllrb.com/)

~~~
csixty4
The functionality this is exploiting, pingbacks, is the kind of dynamic, API-
driven feature you can't get on a static site. It's a trade-off you have to be
comfortable making.

~~~
lauradhamilton
Why can't they develop an algorithm that distinguishes malicious pings from
legitimate pings?

------
jgrahamc
If your site is on CloudFlare then there are WAF rules to prevent you being
part of this and from being the reflected victim:
[http://blog.cloudflare.com/wordpress-pingback-attacks-and-our-waf](http://blog.cloudflare.com/wordpress-pingback-attacks-and-our-waf)

------
agwa
I don't see where the amplification is. The size of the GET request reflected
to the target appears _smaller_ than the POST request sent to the Wordpress
XMLRPC. So it's less effective than simply attacking the target directly.

Am I missing something?

[Edit: reworded for clarity]

------
csixty4
The mechanism this attack uses is interesting. So way back in the early "web
2.0" days, "trackbacks" were a big deal. You'd mention someone else's blog
post on your blog, your blogging software did an XML-RPC call out to their
blog, and a notification showed up in their comments that there was further
discussion on your site. It was great, and contributed to the whole community
feeling of "web 2.0". But it was easily exploited by spammers, who just sent
out XML-RPC calls to build links.

"Pingbacks" are like trackbacks, except the referenced blog requests the URL
that supposedly links back to it to verify there's actually a link there, and
it appears that's what's being used to redirect the DDoS to the target server.

The obvious solution is to disable pingbacks. But they exist for a reason, and
even if most people don't use them anymore there's going to be an uproar from
the people who still do. Keep in mind there are still people pissed that
blogrolls (links) were removed from WordPress core a couple versions ago. When
was the last time you even heard the word "blogroll"?
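The pingback verification step described above is what a targeted site sees in its access log: many unrelated WordPress installs fetching its pages in a burst. The following detection script is an added example, not from the thread or from WordPress; it assumes an Apache/nginx "combined" log format and that a WordPress install identifies its verification GETs with a User-Agent of the form "WordPress/<version>; <blog URL>" (constructed sample lines are embedded).

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" log format (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed User-Agent of a WordPress pingback verification fetch: "WordPress/<ver>; <blog url>".
WP_UA_RE = re.compile(r'^WordPress/(?P<version>[\w.]+); (?P<origin>https?://\S+)')

# Constructed sample log lines (one browser hit, one POST, four verification GETs).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2014:09:00:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2014:09:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example"',
    '203.0.113.6 - - [10/Mar/2014:09:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "WordPress/3.7; http://blog-b.example"',
    '203.0.113.7 - - [10/Mar/2014:09:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "WordPress/3.8; http://blog-c.example"',
    '203.0.113.5 - - [10/Mar/2014:09:00:02 +0000] "GET /contact/ HTTP/1.1" 200 4096 "-" "WordPress/3.8.1; http://blog-a.example"',
    '203.0.113.8 - - [10/Mar/2014:09:00:03 +0000] "GET / HTTP/1.1" 200 8192 "-" "WordPress/3.5.2; http://blog-d.example"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def pingback_reflectors(lines, min_distinct_origins=3):
    """Count verification GETs per originating blog. A genuine pingback comes
    from one blog; a reflected flood comes from many, so only report when at
    least `min_distinct_origins` distinct blogs are seen (else an empty Counter)."""
    origins = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue  # skip unparseable lines and non-GET traffic (e.g. the POST above)
        ua = WP_UA_RE.match(rec["ua"])
        if ua:
            origins[ua.group("origin")] += 1
    return origins if len(origins) >= min_distinct_origins else Counter()

if __name__ == "__main__":
    for origin, hits in pingback_reflectors(SAMPLE_LOG).most_common():
        print(f"{hits:4d}  {origin}")
```

The origin list is what you would feed to a rate limit or to the reflecting sites' owners, since the source IPs are the abused blogs rather than the attacker.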

~~~
eli
I'd love to see data on current pingback usage and what percent of it is spam
or malicious.

~~~
lauradhamilton
I don't have data, I have experience. Vast majority of pingbacks are spam. I
disabled pingbacks and I think most WordPress site owners do the same.

