Our friends over at Sucuri posted an interesting blog regarding a Distributed Denial of Service attack (DDoS) where 162,000 WordPress sites were enlisted to attack a single website. Daniel Cid, the CTO of Sucuri, explains the story:

It all happened against a popular WordPress site that had gone down for many hours due to a DDOS. As the attack increased in size, their host shut them down, and then they decided to ask for help and subscribed to our CloudProxy Website Firewall.

Once the DNS was ported, we were able to see what was going on: it was a large HTTP-based (layer 7) distributed flood attack, sending hundreds of requests per second to their server.

Daniel and I go way back: we worked together at Q1 Labs (now IBM) and co-authored the OSSEC Host-Based Intrusion Detection Guide with Rory Bray. I reached out to Daniel to see if we could share information and whether OpenDNS had observed the attack in some shape or form.

On March 9, 2014 (the day the attack commenced), OpenDNS tracked 255 unique IP addresses (4838 queries in total) querying for the targeted site, which we shall refer to as "the target". This caused a noticeable spike in DNS queries that registered well above the normal traffic pattern for the target:

[Image: OpenDNS Security Graph]

The top 10 most active IP addresses querying the target on March 9 are shown below in an effort to communicate the magnitude: 

[Image: Top 10 IPs]

Those queries break down by record type as 3389 IPv4 address (A) lookups, 1398 IPv6 address (AAAA) lookups, 5 delegation signer (DS) lookups, 35 mail exchange (MX) lookups, and only 1 name server (NS) lookup.

Note: A full description of the various DNS record types can be found here.

Daniel also notes that all the requests came from valid, legitimate WordPress sites: the attacker abused the XML remote procedure call interface (XML-RPC, served by xmlrpc.php), which WordPress exposes for pingbacks, trackbacks, remote access from mobile devices and many other features you are likely very fond of.

One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple pingback request to the XML-RPC file:

$ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'
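As an added illustration (Python, not code from the original post or from Sucuri), the same pingback.ping call that curl sends can be built with the standard library and then decoded the way xmlrpc.php decodes it. The first parameter (sourceURI) is the page that supposedly links to the reflector's post, and WordPress fetches it to verify the link; that fetch is what the attacker aims at the victim. The URLs are the placeholders from the curl command above, and nothing is sent on the network.

```python
import xmlrpc.client

# Placeholders taken from the curl command above (assumed, not real hosts).
VICTIM_URL = "http://victim.com"                                # the site being flooded
REFLECTOR_POST = "http://www.anywordpresssite.com/postchosen"   # a post on the abused site


def build_pingback_call(source_uri: str, target_uri: str) -> bytes:
    """Serialise a pingback.ping call; this is the XML body curl sends with -d.

    sourceURI is the page claimed to link to the reflector's post, targetURI is
    that post.  WordPress fetches sourceURI to verify the link, which is the
    step the attacker abuses by pointing it at the victim.
    """
    xml = xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")
    return xml.encode()


def parse_pingback_call(body: bytes) -> dict:
    """Decode a request body the way xmlrpc.php does and report what it implies.

    Returns the method name, the URL the reflector will fetch (the victim) and
    the post it will then check for an inbound link.
    """
    params, method = xmlrpc.client.loads(body.decode())
    result = {"method": method, "will_fetch": None, "target_post": None}
    if method == "pingback.ping" and len(params) == 2:
        result["will_fetch"], result["target_post"] = params
    return result


if __name__ == "__main__":
    body = build_pingback_call(VICTIM_URL, REFLECTOR_POST)
    print(body.decode())
    print(parse_pingback_call(body))
```

Note that the reflector never needs to see the attacker's traffic to the victim: the only request it receives is this small POST, and the fetch of sourceURI is made with the reflector's own IP address.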

By default, this feature is enabled in all WordPress installs. A quick search on Shodan for xmlrpc.php gives us quite a few installations that could potentially be enlisted for future attacks.
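If you are the one being flooded, the reflected requests are easy to pick out of your own web server log, because the WordPress site doing the fetch identifies itself in the User-Agent header. The Python script below is an added example, not part of the original post or of Sucuri's writeup. It runs over a few constructed Apache combined-format lines and assumes the user-agent form WordPress uses for a pingback verification fetch, "WordPress/<version>; <site URL>; verifying pingback from <ip>", where the trailing IP is the address that submitted the pingback to the reflector. The random query strings in the sample lines are a constructed detail, assumed here to stand in for cache-busting, not something taken from the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format, standing in for the
# target's access log during the flood.  Reflector IPs and sites are fictional.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Mar/2014:12:00:01 +0000] "GET /?4137049=6431829 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [09/Mar/2014:12:00:01 +0000] "GET /?9917022=1182034 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [09/Mar/2014:12:00:02 +0000] "GET /?8812773=3391001 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
192.0.2.44 - - [09/Mar/2014:12:00:02 +0000] "GET /about/ HTTP/1.1" 200 8830 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
203.0.113.12 - - [09/Mar/2014:12:00:03 +0000] "GET /?1023991=7788112 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-c.example; verifying pingback from 198.51.100.8"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed user-agent WordPress sends while verifying a pingback source.
PINGBACK_UA_RE = re.compile(
    r"^WordPress/(?P<version>[\w.\-]+); (?P<site>https?://\S+?); "
    r"verifying pingback from (?P<origin>[\w.:]+)$"
)


def pingback_hits(log_text: str) -> list:
    """Return one dict per request that is a WordPress pingback verification fetch."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if not ua:
            continue
        request = m.group("request").split(" ")
        path = request[1] if len(request) >= 2 else request[0]
        hits.append({
            "reflector_ip": m.group("ip"),
            "reflector_site": urlsplit(ua.group("site")).hostname,
            "wp_version": ua.group("version"),
            "origin_ip": ua.group("origin"),   # who submitted the pingback to the reflector
            "path": path,
        })
    return hits


def summarise(hits: list) -> dict:
    """Aggregate the reflecting sites, the origins that drove them, and path diversity."""
    return {
        "total": len(hits),
        "reflectors": Counter(h["reflector_site"] for h in hits),
        "origins": Counter(h["origin_ip"] for h in hits),
        "unique_paths": len({h["path"] for h in hits}),
    }


if __name__ == "__main__":
    s = summarise(pingback_hits(SAMPLE_LOG))
    print(f"{s['total']} pingback fetches from {len(s['reflectors'])} WordPress sites")
    for site, n in s["reflectors"].most_common():
        print(f"  {site}: {n}")
    print("submitted to the reflectors from:", dict(s["origins"]))
```

The list of reflector sites is what you would hand to the sites' owners (or, as happened here, publish), and the "verifying pingback from" addresses are worth keeping: they are the closest thing the target gets to the attacker's own IP, since they are recorded by the reflector rather than by the victim.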

On March 12, 2014 Brian Krebs tweeted a link that contained a list of websites used for the attack in question.

After correlating Krebs' list with our DNS intelligence, we identified 135 IP addresses that were active between 12:00 and 16:00 GMT on March 9, 2014 and were using OpenDNS for name resolution.

Only 104 of those IP addresses were still active at the time of our subsequent research (March 12, 2014 at 8:00 GMT). Of those 104, 33 run WordPress, and 14 of those have known vulnerabilities that could lead to future compromises if left unresolved. (Note: the quick scan of the WordPress sites for vulnerabilities was performed using WordPress Security Scanner.)

Sucuri and OpenDNS recommend adding the following filter to your WordPress sites, which removes the pingback.ping method from the XML-RPC method table, to help mitigate this issue:

add_filter( 'xmlrpc_methods', function( $methods ) { unset( $methods['pingback.ping'] ); return $methods; } );

More information on working with WordPress filters can be found here. Removing xmlrpc.php itself is not recommended, as it will break a number of other features that use the API.
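To confirm the filter actually took effect, ask the site which XML-RPC methods it still advertises: WordPress answers system.listMethods from the same method table the filter modifies, so pingback.ping should no longer appear while everything else keeps working. The Python below is an added example (not from the original post, Sucuri, or WordPress itself). The two responses are constructed so it runs offline; check_site() only touches the network when you pass it a URL, for instance your own site's xmlrpc.php.

```python
import sys
import xmlrpc.client

# Methods WordPress registers for the pingback feature.  The filter above removes
# only pingback.ping, the method that triggers the outbound verification fetch.
PINGBACK_METHODS = ("pingback.ping", "pingback.extensions.getPingbacks")

# Constructed system.listMethods responses: one from a site that still exposes
# pingback.ping, one from a site with the filter in place.
EXPOSED_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getUsersBlogs", "pingback.ping",
      "pingback.extensions.getPingbacks"],),
    methodresponse=True,
)
FILTERED_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getUsersBlogs", "pingback.extensions.getPingbacks"],),
    methodresponse=True,
)


def exposed_pingback_methods(list_methods_response: str) -> list:
    """Decode a system.listMethods response and return the pingback methods it advertises."""
    (methods,), _ = xmlrpc.client.loads(list_methods_response)
    return [m for m in PINGBACK_METHODS if m in methods]


def pingback_ping_enabled(list_methods_response: str) -> bool:
    """True when the site would still accept the pingback.ping call used in the attack."""
    return "pingback.ping" in exposed_pingback_methods(list_methods_response)


def check_site(xmlrpc_url: str) -> list:
    """Query a live site (network access); returns the pingback methods it exposes."""
    proxy = xmlrpc.client.ServerProxy(xmlrpc_url)
    methods = proxy.system.listMethods()
    return [m for m in PINGBACK_METHODS if m in methods]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_pingback.py https://your-site.example/xmlrpc.php (placeholder URL)
        print(check_site(sys.argv[1]))
    else:
        print("exposed site :", exposed_pingback_methods(EXPOSED_RESPONSE))
        print("filtered site:", exposed_pingback_methods(FILTERED_RESPONSE))
```

If pingback.ping is still listed after you deploy the filter, the filter is not being loaded (for example it sits in a theme's functions.php that is not active); a site that passes this check still answers every other XML-RPC method, which is the point of filtering rather than deleting xmlrpc.php.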

Look to Brian Krebs’ website as the story develops.