Here’s an interesting one for you bloggers: Your favorite WordPress pingback feature can be used to carry out DDOS attacks. This Monday, Internet security company Sucuri published a blog post detailing the technical specifics of a distributed denial of service attack on a client who runs a popular WordPress website. After a bit of investigation, they found that the site had been incapacitated by “162,000 different and legitimate WordPress sites.”
What is a DDOS?
When you visit a website, you are essentially using your computer to request packets of information from another computer. The computer that “serves” you those requested info-packets is called the server. In essence, a distributed denial of service attack, or a DDOS, works by sending a server more requests than it can handle, until it is overwhelmed and breaks down.
Another good way to think about a DDOS attack is to compare it to an overwhelmed waiter at a restaurant. For most waiters, handling a few tables at once is fine, but after a certain point too many customers and too many orders will inevitably overwhelm them. Like the human brain, a computer can only handle so many tasks at once. DDOS attacks intentionally take advantage of this limitation to incapacitate servers, and in turn shut down the websites they are serving. This can be very problematic for owners of large websites that engage in eCommerce, because every minute their website is down is a minute in which they could have made a sale.
The WordPress Vulnerability
The DDOS attack reported by Sucuri leverages WordPress vulnerability CVE-2013-0235, which was first identified in July 2013. Normally, WordPress pingbacks allow bloggers to generate cross references between websites. These cross references allow bloggers to give credit where credit is due and also track who is referencing their own website. All of this requires communication between the servers hosting each website involved and the transmission of data packets. CVE-2013-0235 allows an attacker to create fake pingbacks from one website to another. This means that Website A can be remotely commanded to ping Website B for a data packet. Command Websites C-Z to do the same, and suddenly Website B is getting a lot of requests. Command 100,000+ Websites to send requests as well, and now Website B is out of commission.
Preventing False Pingbacks
The problem with WordPress pingbacks is that they are vulnerable by design. In fact, web developers have known that XML-RPC – the technology that allows for pingbacks – has been vulnerable to DDOS attacks for years. As such, there’s currently a bit of debate over how to resolve the issue.
One potential solution proposed by Sucuri is to disable XML-RPC entirely, by inserting a short bit of code into your WordPress website’s theme file. While this will work, many developers have been quick to point out that it will also remove cross referencing from your blog entirely, which is an essential marketing feature for many business websites. Many, including WordPress founder Matt Mullenweg himself, have also pointed out that “there are cheaper, easier, and more effective ways to DDOS sites” and that pingback pros far outweigh pingback cons.
The good news is that WordPress is a versatile CMS and that CVE-2013-0235 – and most other bugs – can usually be remedied through custom workarounds implemented by knowledgeable developers. Accordingly, anyone with questions or concerns about this vulnerability is encouraged to comment below, as this very blog runs on WordPress and is maintained by a talented team. The XML-RPC debate may be ongoing and officially “unsolved”, but if you’re running a website with WordPress and feel you may be vulnerable, Emsisoft is always here to offer support.
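As an added example (not code from Sucuri, Emsisoft or the WordPress project itself), here is one such custom workaround that is narrower than switching XML-RPC off entirely: it removes only the pingback.ping method, so the site can no longer be told to fetch another website on someone else's behalf, while the rest of XML-RPC keeps working. It assumes the file is placed in wp-content/mu-plugins/ (or its body is pasted into the active theme's functions.php); the xmlrpc_methods and wp_headers hooks it uses are standard WordPress filters.

```php
<?php
/*
 * Added example (not code from Sucuri or the WordPress project): narrow the
 * pingback attack surface without switching XML-RPC off entirely.
 * Assumption: this file lives in wp-content/mu-plugins/, or its body is
 * pasted into the active theme's functions.php.
 */

// 1. Remove the pingback.ping method from the XML-RPC server. Without it this
//    site can no longer be instructed to fetch an arbitrary "source" URL, so it
//    cannot be used as one of the amplifying sites described above. Other
//    XML-RPC methods (mobile apps, remote publishing) are untouched, and
//    outbound pingbacks this site sends to others still work; only inbound
//    pingback requests are refused.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising pingback support. WordPress adds an X-Pingback header
//    to its responses, which announces the site as a pingback endpoint.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Caveat: the commonly quoted add_filter( 'xmlrpc_enabled', '__return_false' );
// only gates XML-RPC methods that require a login. pingback.ping needs no
// login, so that filter alone does not stop this kind of traffic.
```

After deploying it, a POST to /xmlrpc.php calling pingback.ping should return an XML-RPC fault that the method does not exist, and the X-Pingback header should be absent from normal page responses.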
Have a Great (DDOS-Free) Day!
As always, independent security blogger Brian Krebs has posted some quality information and advice pertaining to this recent vulnerability. According to Krebs, his WordPress-powered blog actually fell victim to a DDOS pingback attack 42,000 sites strong. Krebs has posted a full list of sites involved in the attack and technical steps to mitigation at the KrebsOnSecurity blog.