Hackers leverage 26,000 WordPress websites in massive DDoS attack
Website owners urged to switch off Pingback function to prevent layer 7 hack
Hackers are abusing the 'pingback' function used in many WordPress websites to launch DDoS attacks against their victims.
In a blog post, IT security firm Suruci said that rather than hackers using DDoS to throw the websites offline by bombarding them with a huge number of packets, this type of attack was more precise, taking advantage of the pingback feature that generates a comment on a blog when someone else with pingback enabled links to it.
“Layer 7 attacks (also known as HTTP flood attacks) are a type [of] DDoS attack that disrupts your server by exhausting its resources at the application layer, instead of the network layer,” said Daniel Cid, CTO at Sucuri.
“They do not require as many requests or as much bandwidth to cause damage; they are able to force a large consumption of memory and CPU on most PHP applications, CMSs and databases.”
The firm said that hackers were using the technique in a new campaign that used a botnet comprising 26,000 WordPress websites. While it did not identify the victims, the company admitted this type of DDoS attack comprised 13 per cent of all DDoS against its clients.
Cid explained these websites were being used to generate a sustained rate of 10,000 to 11,000 HTTPS requests per second against one website.
“At some intervals, the attack would peak to almost 20,000 HTTPS requests per second. The attack started at 1pm (EST) and by midnight it was still ongoing,” he said.
“Very few servers would be able to handle such a load, even with proxies and load balancers configured. Especially when talking about HTTPS requests which tend to use more CPU to establish the SSL session.”
Such attacks accounted for around 13 per cent of all DDoS attacks the firm tracked for clients, according to Cid.
He added that while WordPress now logged the attacker IP address on newer releases, he was still recommending that WordPress websites disable pingbacks.
“It won’t protect you from being attacked, but will stop your site from attacking others,” he said.