Case Study: A Reflected Application DDoS Attack – WordPress Pingback
www.prolexic.com
Overview
• PLXsert has observed abuse of the WordPress pingback function in recent DDoS attack campaigns
• This reflected application attack vector exploits a weakness in the WordPress pingback function
• WordPress applied fixes to prevent this attack, but reflection techniques still allow DDoS attackers to abuse it
Characteristics of the WordPress pingback attack
• Pingback is an automated function that notifies the website admin when their posts or docs are linked by other websites
• Attackers abuse this by crafting pingback requests that redirect the responses to the target of the malicious actor
• This attack relies on the use of many victim WordPress websites with the pingback function turned on
Characteristics of the WordPress pingback attack (cont.)
• During an attack, hundreds of thousands of victim WordPress sites could be abused to generate pingback requests to the target site
• The attack vector succeeds by exhausting the number of connections to the target site, overwhelming the target with bandwidth floods
How does the WordPress pingback attack work?
• Malicious actors send custom POST requests to an intermediary WordPress site
• These POST requests are spoofed so that the pingback appears to come from the target site
• The pingback response is then reflected back at the target
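On the target side, the reflected traffic shows up in the web server's access log as a burst of page fetches from many distinct WordPress hosts. The following is an added example, not code from the Prolexic report: it parses constructed combined-format log lines and flags any time window in which pingback fetches (User-Agent beginning "WordPress/") arrive from at least a threshold number of distinct source addresses; the sample addresses, site names and threshold are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; the group names are ours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 test addresses, made-up blog names) as the
# TARGET's web server might record them: several WordPress hosts fetch the
# target within one minute, plus one ordinary browser request and one lone
# WordPress fetch five minutes later that should not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:10:00:01 +0000] "GET /?123456 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-a.example"
203.0.113.11 - - [10/Mar/2014:10:00:01 +0000] "GET /?238771 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-b.example"
198.51.100.7 - - [10/Mar/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.12 - - [10/Mar/2014:10:00:02 +0000] "GET /?991002 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-c.example"
203.0.113.12 - - [10/Mar/2014:10:00:03 +0000] "GET /?118834 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-c.example"
203.0.113.13 - - [10/Mar/2014:10:05:00 +0000] "GET /post/1 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-d.example"
"""

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_pingback_fetch(rec):
    # A WordPress site verifying a pingback fetches the linked page with a
    # User-Agent of the form "WordPress/<version>; <site URL>".
    return rec is not None and rec["ua"].startswith("WordPress/")

def detect_pingback_flood(log_text, min_sources=3, window_seconds=60):
    """Bucket pingback fetches into fixed windows and return
    {window_start_epoch: (request_count, distinct_source_ips)} for every
    window that reaches min_sources distinct hosts. A single WordPress host
    verifying a link is normal; hundreds in one minute is a reflection flood."""
    windows = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_pingback_fetch(rec):
            continue
        ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        windows[bucket][0] += 1
        windows[bucket][1].add(rec["ip"])
    return {start: (count, len(ips)) for start, (count, ips) in windows.items()
            if len(ips) >= min_sources}

if __name__ == "__main__":
    for start, (count, sources) in sorted(detect_pingback_flood(SAMPLE_LOG).items()):
        print(f"window starting at epoch {start}: {count} pingback fetches from {sources} hosts")
```

With the sample input only the 10:00 window is reported (4 fetches from 3 hosts); in production the threshold should be set from the site's normal inbound pingback rate.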
Actual campaign from Q1 2014
• One campaign targeting an Internet media company peaked at 50,000 connections per second and lasted nearly 9 hours
• This attack was based entirely on the WordPress pingback vector
Traffic distribution of real attack (chart not reproduced in this extraction)
Pingback best practices
– The WordPress pingback attack is not new, but it has recently regained popularity
– Administrators are strongly encouraged to disable the pingback feature
– However, many WordPress sites cannot afford to abandon this feature, and there may be no alternative services available
– DDoS mitigation in this case is a daunting task, but it is well managed by specialized mitigation providers such as Prolexic
Q1 2014 Global Attack Report
• Download the Q1 2014 Global DDoS Attack Report
• The Q1 2014 report covers:
– Detection rules for WordPress pingback attacks
– Analysis of recent DDoS attack trends
– Breakdown of average Gbps/Mpps statistics
– Year-over-year and quarter-by-quarter analysis
– Types and frequency of application layer attacks
– Types and frequency of infrastructure attacks
– Trends in attack frequency, size and sources
– Where and when DDoSers launch attacks
– Case study and analysis
About Prolexic
• Prolexic Technologies, now part of Akamai, has successfully stopped DDoS attacks for more than a decade
• Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers