Hackers leverage 26,000 WordPress websites in massive DDoS attack

Website owners urged to switch off Pingback function to prevent layer 7 hack

A padlock against a golden background to represent cyber security

Hackers are abusing the 'pingback' function used in many WordPress websites to launch DDoS attacks against their victims.

In a blog post, IT security firm Suruci said that rather than hackers using DDoS to throw the websites offline by bombarding them with a huge number of packets, this type of attack was more precise, taking advantage of the pingback feature that generates a comment on a blog when someone else with pingback enabled links to it.

"Layer 7 attacks (also known as HTTP flood attacks) are a type [of] DDoS attack that disrupts your server by exhausting its resources at the application layer, instead of the network layer," said Daniel Cid, CTO at Sucuri.

"They do not require as many requests or as much bandwidth to cause damage; they are able to force a large consumption of memory and CPU on most PHP applications, CMSs and databases."

The firm said that hackers were using the technique in a new campaign that used a botnet comprising 26,000 WordPress websites. While it did not identify the victims, the company admitted this type of DDoS attack comprised 13 per cent of all DDoS against its clients.

Cid explained these websites were being used to generate a sustained rate of 10,000 to 11,000 HTTPS requests per second against one website.

"At some intervals, the attack would peak to almost 20,000 HTTPS requests per second. The attack started at 1pm (EST) and by midnight it was still ongoing," he said.

"Very few servers would be able to handle such a load, even with proxies and load balancers configured. Especially when talking about HTTPS requests which tend to use more CPU to establish the SSL session."

Such attacks accounted for around 13 per cent of all DDoS attacks the firm tracked for clients, according to Cid.

He added that while WordPress now logged the attacker IP address on newer releases, he was still recommending that WordPress websites disable pingbacks.

"It won't protect you from being attacked, but will stop your site from attacking others," he said.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021