
Large DDoS Attack Brings WordPress Pingback Abuse Back Into Spotlight

timothy posted about 7 months ago | from the pressure-cooker dept.

Security 58

angry tapir writes "Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale, distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri. The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours. The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007."


Frist (-1, Troll)

mrbester (200927) | about 7 months ago | (#46461815)

Frosty piss, whatever, I have karma in abundance.

Why do hackers have to fuck up everything? (4, Interesting)

Viol8 (599362) | about 7 months ago | (#46461837)

Every nice little functional feature someone puts on a site or in an application - along come some socially dysfunctional pricks who have to exploit and ruin it for everyone. I just despair sometimes.

Re:Why do hackers have to fuck up everything? (5, Insightful)

Thanshin (1188877) | about 7 months ago | (#46461923)

Why do we have to have doors? A simple chalk line in the ground with the text "here starts my home" should suffice.

Why do we have money, credit cards, IDs, contracts,...

The inherent unreliability of human beings does impose a cost on all human activity. On the other hand, we've advanced a great deal since everyone had to defend their life with sticks and stones on a regular basis.

Re:Why do hackers have to fuck up everything? (1)

Anonymous Coward | about 7 months ago | (#46461997)

I have doors (and windows) because it's fucking cold outside, it's windy, it rains/snows... I don't want my neighbor's cat inside my house. I don't want bugs/insects and what not inside my house. Why are you talking about doors?!

Credit cards, because it's a bazillion times easier to use than carrying around money.

Money, because modern society would not work without it...

Re:Why do hackers have to fuck up everything? (1)

rvw (755107) | about 7 months ago | (#46462677)

I have doors (and windows) because it's fucking cold outside, it's windy, it rains/snows... I don't want my neighbor's cat inside my house. I don't want bugs/insects and what not inside my house. Why are you talking about doors?!

Credit cards, because it's a bazillion times easier to use than carrying around money.

Money, because modern society would not work without it...

Doors... to protect that money!

Money... to pay for the gas and the doors to keep the heat inside!

Re:Why do hackers have to fuck up everything? (-1)

Anonymous Coward | about 7 months ago | (#46464459)

You... to point out the fuckin' obvious!

Re:Why do hackers have to fuck up everything? (3, Insightful)

Viol8 (599362) | about 7 months ago | (#46462061)

>A simple chalk line in the ground with the text "here starts my
>home" should suffice

And in a lot of places it does. But at least with thieves the motivation is obvious - they want money. With these script kiddies it's the equivalent of someone breaking into your house and smashing stuff up just for the sake of it.

Nah (0)

Anonymous Coward | about 7 months ago | (#46462367)

Exactly. They break it because they can - otherwise how would they know what needed to be fixed?

Why would you trust any software that you know can be broken by anyone 'socially dysfunctional' rather than someone who wants to gain a financial advantage from it?

Re:Nah (1)

Viol8 (599362) | about 7 months ago | (#46462529)

Newsflash - the "we're doing everyone a favour" excuse was a joke 10 years ago. It's just fscking lame now. If someone kicked down your door and smashed up your stuff you wouldn't be thanking them for pointing out you needed a stronger door.

Re:Nah (-1)

Anonymous Coward | about 7 months ago | (#46463419)

Nail, meet head.

Re:Nah (0)

Anonymous Coward | about 7 months ago | (#46468335)

Newsflash - the "we're doing everyone a favour" excuse was a joke 10 years ago.

And still today clueless individuals think that "hackathon contests" (documented as worse-than-useless 11 years ago [oreilly.com] ) are the best way to smoke out security holes.

Re:Why do hackers have to fuck up everything? (0)

Anonymous Coward | about 7 months ago | (#46465139)

There is still much money to be made by silencing competition or taking money to perform the attack. You're an idiot.

Graffiti (1)

phorm (591458) | about 7 months ago | (#46466179)

Basically, we graffiti. No more justification than the pricks who feel the need to spray-paint their names on various structures/objects, or draw genitalia, profanity, etc.
Just as dumb as the "for a good time call X" written on a washroom stall.

Re:Why do hackers have to fuck up everything? (0)

Anonymous Coward | about 7 months ago | (#46463335)

Why do we have to have doors? A simple chalk line in the ground with the text "here starts my home" should suffice.

Because mother nature doesn't care about the artificial borders we create for ourselves. It doesn't care about human laws or the concept of personal property.

Wild animals and weather aren't going to look at the human scribblings and go "oh, this belongs to Thanshin, nothing to do here then" instead they're going to go "fuck you human, I do what I want".

Re:Why do hackers have to fuck up everything? (0)

cyborg_monkey (150790) | about 7 months ago | (#46465165)

would. you. just. shut. the. fuck. up. That is not insightful, it is the response of a neckbeard fuckwit who thinks he's clever. YOU'RE NOT.

Re:Why do hackers have to fuck up everything? (0)

Anonymous Coward | about 7 months ago | (#46461941)

Retarded script kiddies conduct such attacks. Hackers only discover and document them. Please.

Re:Why do hackers have to fuck up everything? (0)

Anonymous Coward | about 7 months ago | (#46462107)

I hope you don't write software for a living!

'No passwords required - the entire internet is on the honour system!'

Re:Why do hackers have to fuck up everything? (1)

invictusvoyd (3546069) | about 7 months ago | (#46462117)

So that the world eventually becomes a safer place for everyone.

Re:Why do hackers have to fuck up everything? (1)

Viol8 (599362) | about 7 months ago | (#46462199)

Right, because WordPress was a real threat to civilisation as we know it.

Re:Why do hackers have to fuck up everything? (0)

Anonymous Coward | about 7 months ago | (#46462257)

Exactly.

Re:Why do hackers have to fuck up everything? (1)

Anonymous Coward | about 7 months ago | (#46462349)

Have you seen the source code?!

Re:Why do hackers have to fuck up everything? (0)

Anonymous Coward | about 7 months ago | (#46462819)

Yeah, because that's what we're talking about... Idiot.

Re: Why do hackers have to fuck up everything? (0)

Anonymous Coward | about 7 months ago | (#46462217)

Everyone on the Internet should be required to have a DDoS script and know how to use it. Then whenever anyone sees someone else doing something bad they can do bad stuff back. Only in this way can Internet freedom survive and thrive.

Re: Why do hackers have to fuck up everything? (0)

Anonymous Coward | about 7 months ago | (#46462373)

Yes because what we really need on the Internet is more asswipes wasting bandwidth "teaching a lesson".

Re: Why do hackers have to fuck up everything? (0)

Anonymous Coward | about 7 months ago | (#46462451)

Really? Does that work for nukes too?

Re: Why do hackers have to fuck up everything? (1)

Stormthirst (66538) | about 7 months ago | (#46462593)

Or AR15s or Shotguns.

The post alludes to a flaw in xml-rpc, but... (5, Informative)

SpzToid (869795) | about 7 months ago | (#46461839)

The post alludes to a flaw in xml-rpc, but it seems to me this is a Wordpress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.

I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by Wordpress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.

Re:The post alludes to a flaw in xml-rpc, but... (1)

LordThyGod (1465887) | about 7 months ago | (#46461905)

The post alludes to a flaw in xml-rpc, but it seems to me this is a Wordpress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.

I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by Wordpress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.

Drupal probably does not do pingbacks out of the box. It's a blog thing, and Drupal's blog implementation is pretty weak. WordPress does allow pingbacks unless you explicitly turn that off.

Re:The post alludes to a flaw in xml-rpc, but... (1)

Chrisq (894406) | about 7 months ago | (#46461973)

The post alludes to a flaw in xml-rpc, but it seems to me this is a Wordpress-exclusive vulnerability being reported on today. Drupal uses xml-rpc for example, and all is quiet for those folks it seems.

I know a fair amount of work has been spent beefing up Drupal's xml-rpc implementation, so maybe that's working now, whereas the implementation used by Wordpress is vulnerable and failing. TFA is a little light on details as to the technical source being manipulated and abused.

I don't know that Drupal is necessarily immune; it does have send pingback [drupalcontrib.org] in the XMLRPC API. Unless it has something to secure this against unauthorised callers then it could be vulnerable too.

Re:The post alludes to a flaw in xml-rpc, but... (1)

SpzToid (869795) | about 7 months ago | (#46462013)

Good point, although I notice your citation is to version 5 of Drupal, which is no longer supported. But it was simple for me to see that the same pingback module also exists in Drupal core version 6, but not in the current Drupal version 7 (or upcoming version 8).

So upon reading your comment and considering the matter a little further, methinks this is simply an old-tech issue and folks need to keep their systems modern, especially in light of today's DDOS news.

Re:The post alludes to a flaw in xml-rpc, but... (1)

tlhIngan (30335) | about 7 months ago | (#46464293)

I don't know that Drupal is necessarily immune; it does have send pingback in the XMLRPC API. Unless it has something to secure this against unauthorised callers then it could be vulnerable too.

I'm sure there are ways to mitigate the problem - a pingback is merely a mention. No one said it couldn't be rate-limited or anything (and if the queue gets too big, well, start dropping requests or ignoring them - is it really important that some popular article has a billion pingbacks over a billion and one?). And the rate limit could also apply to source site - there really shouldn't be more than a few pingbacks from some site (at most one per post per site).

Re:The post alludes to a flaw in xml-rpc, but... (1)

helix2301 (1105613) | about 7 months ago | (#46462515)

We turn off comments and pingbacks because of just the pure amount of spam we were constantly dealing with on a regular basis. I agree this looks like a Wordpress flaw, not an xml-rpc issue; drupal or dotnetnuke are not having the same issue on their platforms.

Re:The post alludes to a flaw in xml-rpc, but... (1)

LordThyGod (1465887) | about 7 months ago | (#46465105)

We turn off comments and pingbacks because of just the pure amount of spam we were constantly dealing with on a regular basis. I agree this looks like a Wordpress flaw, not an xml-rpc issue; drupal or dotnetnuke are not having the same issue on their platforms.

That's probably because the ratio of dotnetnuke blogs with pingbacks enabled vs wordpress blogs with pingback enabled is a *illion to 1 or so. And if you were trying to use an amplification technique, dotnetnuke blogs probably aren't a good choice. You either use pingbacks or not. I don't believe there is a way to say "hey this is a good pingback from random stranger and this other one from random stranger2 over here is for malicious purposes". And probably one reason you don't want something to get too popular. Then it becomes a vehicle for stuff just because of its popularity. I host quite a few wordpress sites, and haven't seen any unusual traffic, so they are probably targeting large shared hosting operations with lots of WP sites.

nothing new (1)

Zurd3 (574979) | about 7 months ago | (#46461889)

pingback and trackback are features of WordPress, also known as "remote comments"; they are quite useful to boost the popularity of your website if someone posts the URL of your WordPress blog. As Matt Mullenweg from the WordPress project said, there are cheaper, easier and more effective ways to DDoS a site. I'm going to leave that feature enabled in my sites.

Re:nothing new (1)

wordsnyc (956034) | about 7 months ago | (#46461961)

Which makes you wonder how seriously to take his comment. After all, someone apparently found it cheap, easy and effective to use xml-rpc to commandeer 162,000 WP installations.

Re:nothing new (2)

SpzToid (869795) | about 7 months ago | (#46462039)

Not to mention the sheer bandwidth of those 162,000 *** SERVERS ***!

Low-budget data-centers and co-hosts must be shitting bricks right about now when/if they max out their wholesale bandwidth contracts.

We're possibly talkin' about more bandwidth than the proverbial Volvo station wagon full of hard disks and tape screamin' down the freeway at 55mph.

Re:nothing new (-1)

Anonymous Coward | about 7 months ago | (#46462939)

Not to mention the sheer bandwidth of those 162,000 *** SERVERS ***!

A whole HUNDREDS of requests a second! Why, that's enough to bring even slashdot to its knees!

Re:nothing new (1)

inasity_rules (1110095) | about 7 months ago | (#46462069)

I immediately turned off the feature on our site. I don't care about it anyway - and my hosting provider seems a little bit daft (need to change them out). According to them we were on the receiving end of a DDOS and their default response is to basically ban all incoming traffic from entire IP ranges, making the website effectively inaccessible from anywhere outside the country (then why have a website at all?). I do not want to give them any excuse to blame me. We were not the target of this specific attack, unless some script kiddies have it in for random small automation companies, which seems unlikely to me.

Re:nothing new (0)

Anonymous Coward | about 7 months ago | (#46462109)

I also turned it off pretty quick, as I discovered that almost all pingback comments were various sorts of spam and/or search engine optimization of sites unrelated to the topic of the post.

Re:nothing new (5, Insightful)

Anonymous Coward | about 7 months ago | (#46462331)

Spoken like a true SEO.
Pingback is worthless and only clutters the hell out of a site's comments. Nobody cares that muffymuffins.org reshared my content..

Re:nothing new (2)

sunderland56 (621843) | about 7 months ago | (#46464057)

pingback and trackback [...] are quite useful to boost the popularity of your website

A DDOS just means that your website is *very* popular at the moment. So those under attack should be extremely happy, right?

Wordpress is crap (1, Insightful)

Anonymous Coward | about 7 months ago | (#46461993)

Dear internet, please quit using wordpress. It's constantly full of poor programming practices and it's basically the Microsoft Windows XP of blogging software.

Re:Wordpress is crap (1)

HybridST (894157) | about 7 months ago | (#46462259)

XP is decent for its time and is still sufficient for some purposes (firewalled etc.)

I think parent wanted (Wordpress==WinME).

Re:Wordpress is crap (0)

Anonymous Coward | about 7 months ago | (#46468239)

I have to give XP credit. After using it for 5 years, it finally made me switch to Linux.

Re:Wordpress is crap (0)

Anonymous Coward | about 7 months ago | (#46462611)

If you're going to post a "quit using it" post, you'd be well-served to follow up with "allow me to suggest..."

Re:Wordpress is crap (0)

Anonymous Coward | about 7 months ago | (#46462847)

Yawn.

Now go 'way, beotch.

Re:Wordpress is crap (1)

Krojack (575051) | about 7 months ago | (#46464911)

As are most (or all) CMS packages. Either way you won't see anyone stop using it. CMS packages are a quick install, easy to manage and well... free. Do you want every person or company to pay some programmer thousands of dollars to custom write a site for them? It's highly likely that this custom site will have more bugs and exploits in it anyways.

So what's your solution?

Re:Wordpress is crap (0)

Anonymous Coward | about 7 months ago | (#46465641)

They don't have one.

(People like that idiot love the coattails of those who do, however...)

Re:Wordpress is crap (0)

Anonymous Coward | about 7 months ago | (#46467143)

It's highly likely that this custom site will have more bugs and exploits in it anyways.

Fragmentation! Android fragmentation is why there are so few Android apps, so bug fragmentation will keep exploits low and websites safe!

(Yes, this is sarcasm).

Re:Wordpress is crap (1)

Dracos (107777) | about 7 months ago | (#46470345)

I agree, WP is shit from end to end. Poor practices, horrible architecture, and just generally bad code quality... pretty much the most offensive plate of spaghetti I've ever seen. It's almost worse that many people now insist that WP is a CMS, rather than just a blog playing dress-up.

What's the issue here? (1)

Bogtha (906264) | about 7 months ago | (#46462183)

For attackers, the advantage of abusing the WordPress pingback feature in this manner is that they can spread their attacks over a large number of unique IP addresses, making it harder for the targeted sites to block them, Cid said. "It does not amplify the bandwidth utilization, but the scale and reach of the attack."

From the description of the issue, all that seems to be happening here is that an attacker makes an HTTP request to a third-party blog that supports Pingback, and that blog makes an HTTP request to the target. As stated, there's no amplification, so all this appears to be doing is masking the source of the attack.

To what is he referring when he says that it amplifies the "scale and reach" of the attack?

Re:What's the issue here? (-1)

Anonymous Coward | about 7 months ago | (#46462315)

Well, what about the Saudi Gay Pride leader (famous for his downloaded Queen discography)????
He was singing along with the tracks, ignorant of the ACTA/SOPA bugs embedded in his mp.3 cd playing in his Volkswagen Phaeton.
Little did he (or the crooked authors of ACTA/SOPA) know that it wasn't the copyrights they were after... "they" wanted him compromised because he was extremely outspoken, and aware of AIPAC.

Sadly, the ACTA/SOPA Trojan caused the automotive processors to fail, and the car malfunctioned, ending his life and his WordPress blog.

Phuk PHORM, phuk ACTA/SOPA, and phuck beta!
oh, yeah, "fuck AIPAC"

Who still uses "pingback"? (3, Insightful)

Lumpy (12016) | about 7 months ago | (#46462317)

That is the first thing I turn off on any Wordpress install. pingback is the absolute worst feature ever made.

Re:Who still uses "pingback"? (0)

Anonymous Coward | about 7 months ago | (#46462363)

no ITs not, you looser, it`s BETA!
Fuck BETA!
(errr... and FUCK AIPAC!)

Re:Who still uses "pingback"? (1)

Lumpy (12016) | about 7 months ago | (#46462713)

Hack the planet!

Re:Who still uses "pingback"? (0)

Anonymous Coward | about 7 months ago | (#46462717)

"Pingback?"

1997 just called - it wants its word back.

Re:Who still uses "pingback"? (3, Interesting)

Megane (129182) | about 7 months ago | (#46464729)

I know that I, for one, just love seeing a blog where half the comments are stupid trackbacks to some even more mindless vanity blogger. NOT. Agreed, the absolute worst feature ever made. It wasn't even a good idea back when The Web[tm] was young, and people would "share links". Remember that?

Not to mention the obvious SEO spam ("You have a such great web site! This was so informative! Thank you for your post!") that never gets removed, even when the blogger is still replying to posts. It's not just luser bloggers, either, I've seen this on Bunnie Huang's blog! If I ever have a blog, I'm stealing the "all threads automatically close after two weeks" idea from Slashdot.

The demise of the internet (0)

Anonymous Coward | about 7 months ago | (#46468351)

The whole ideal of sharing ideals and thoughts is going away from the internet. Because of things like this. I remember the days of bulletin boards and now we have better ways to communicate but we also have more malicious people out there. I thought the internet was going the direction of a two way street. But maybe we are going back to a time when the internet was just about accessing information.
