WordPress Pingback Attacks and our WAF

by Simon Moore.

At CloudFlare a lot of our customers use WordPress, which is why we have our own plugin, hang out at WordCamp, and wrote a WordPress-specific ruleset for our Web Application Firewall.

WordPress' ubiquity on the web makes it an ideal target for Layer 7 attacks, and its powerful features as a blogging platform can be demanding on small web and database servers, so a Layer 7 attack can take a WordPress server offline with a relatively low number of requests.

Recently the guys at Sucuri observed a large DDoS using WordPress' pingback mechanism. A pingback is a way of one website telling another that it has linked to their content. We’ve seen this attack in the past and already had WAF rules in place to block it.

WordPress exposes an XML-RPC endpoint, xmlrpc.php, to which other sites can POST a message in a standard format to inform a blog that its content has been linked to. The message contains the blog link that was referred to and the page on which that link was placed.

When WordPress receives a pingback, it makes a request back to the source page to check that the link is actually there. Attackers can abuse this mechanism by naming a genuine link on a WordPress site as the target and an intended victim as the source, which triggers an HTTP request from the WordPress server to the victim's site. You can think of this as a kind of HTTP reflection attack: the attacker sends a relatively small request to an XML-RPC endpoint that supports pingbacks and triggers a much larger amount of effort and response on the victim's server.

Fortunately, our WordPress WAF rule WP0001 "WordPress Pingback Blocker" will immediately stop your WordPress blog from being used for this type of pingback abuse. If you run WordPress, you may want to consider enabling this today.
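To make the mechanism above concrete from the receiving side, here is an added example of the inspection a pingback-blocking rule performs on an incoming xmlrpc.php request. This is illustrative code written for this post, not CloudFlare's WAF rule WP0001 and not WordPress code; the request path, the hostnames, the sample request body and the `evaluate_request` interface are all constructed assumptions. The body follows the standard XML-RPC shape of a pingback (method `pingback.ping` with a source URI and a target URI), which is the part WordPress acts on.

```python
"""Inspect an incoming XML-RPC request the way a pingback-blocking WAF rule might.

Added example for this post: not CloudFlare's rule WP0001 and not WordPress code.
Assumptions (not from the post): the decision is made from the request path and the
raw POST body alone, and the body is XML-RPC in the form WordPress accepts for pingbacks.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the standard XML-RPC layout of a pingback. The first string
# param is the sourceURI (the page claiming to link), the second the targetURI
# (the post that was supposedly linked to). Hostnames are made up.
SAMPLE_PINGBACK = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://victim.example/?p=12345</string></value></param>
    <param><value><string>http://blog.example/2014/03/hello-world/</string></value></param>
  </params>
</methodCall>"""

# Constructed sample of an unrelated XML-RPC call that a rule like this leaves alone.
SAMPLE_OTHER = b"""<?xml version="1.0"?>
<methodCall><methodName>wp.getUsersBlogs</methodName><params/></methodCall>"""


def parse_method_call(body: bytes):
    """Return (methodName, [string params]) or None if the body is not an XML-RPC call."""
    try:
        root = ET.fromstring(body)  # ElementTree does not resolve external entities
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = root.findtext("methodName", default="").strip()
    params = [(v.text or "").strip() for v in root.findall("./params/param/value/string")]
    return name, params


def evaluate_request(path: str, body: bytes, own_host: str = "blog.example"):
    """Return an (action, reason) pair for one request to the protected blog.

    own_host is the constructed hostname of the blog being protected; it is only
    used to enrich the log reason, because the rule blocks pingback.ping outright.
    """
    if not path.endswith("/xmlrpc.php"):
        return "allow", "not xmlrpc"
    parsed = parse_method_call(body)
    if parsed is None:
        return "block", "malformed xml-rpc"
    name, params = parsed
    if name != "pingback.ping":
        return "allow", f"method {name}"
    if len(params) != 2:
        return "block", "pingback with wrong param count"
    source, target = params
    # The source host is the one the blog would be made to fetch from, i.e. the
    # reflection victim; record it so the block reason says who was being targeted.
    src_host = urlparse(source).hostname or ""
    tgt_host = urlparse(target).hostname or ""
    detail = f"source={src_host} target={tgt_host}"
    if tgt_host != own_host:
        detail += " (target is not this blog)"
    return "block", "pingback.ping: " + detail


if __name__ == "__main__":
    for path, body in [("/xmlrpc.php", SAMPLE_PINGBACK), ("/xmlrpc.php", SAMPLE_OTHER)]:
        print(path, evaluate_request(path, body))
```

The rule deliberately refuses every `pingback.ping` call rather than trying to judge individual source URIs, because a blog that never issues pingback verification fetches cannot be used as a reflector; the parsed source host is kept only so the block log shows which site the request was trying to have the blog contact.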

CloudFlare WAF rules for WordPress

You can find the “CloudFlare WordPress” ruleset under the CloudFlare Settings > Security > Manage WAF section; toggle the switch to turn the CloudFlare WordPress ruleset on, and you’re all set.

For an added sting in the tail, the attack Sucuri observed also used a mutating query string when specifying a URL on which they had placed a link. This bogus mutating URL will neutralise most caches and means a server has to expend the effort of producing a page from scratch over and over again. Fortunately we also have CloudFlare WordPress rule 100000 "WordPress Numbers Botnet" which will block this type of behaviour.
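As an added example of how the cache-busting behaviour described above shows up in logs, the following script groups requests by client and path and flags clients that keep requesting the same page with a different query string each time. This is illustrative code written for this post, not CloudFlare's rule 100000 "WordPress Numbers Botnet", whose exact logic the post does not describe; the log lines, IP addresses, threshold and the idea of treating an all-digit query string as meaningless to WordPress are constructed assumptions.

```python
"""Spot cache-busting request floods in web server logs.

Added example for this post; not CloudFlare's rule 100000, whose logic the post
does not give. Assumption: a client that fetches one path many times with a
different query string each time, especially a bare number that WordPress ignores,
is varying the URL to defeat caching rather than browsing. The threshold is illustrative.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed common-log-format lines; IPs, timestamps and sizes are made up.
# The first client requests the front page with an incrementing numeric query
# string; the second client is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2014:10:00:01 +0000] "GET /?4137 HTTP/1.1" 200 5120
203.0.113.7 - - [11/Mar/2014:10:00:01 +0000] "GET /?4138 HTTP/1.1" 200 5120
203.0.113.7 - - [11/Mar/2014:10:00:02 +0000] "GET /?4139 HTTP/1.1" 200 5120
203.0.113.7 - - [11/Mar/2014:10:00:02 +0000] "GET /?4140 HTTP/1.1" 200 5120
203.0.113.7 - - [11/Mar/2014:10:00:03 +0000] "GET /?4141 HTTP/1.1" 200 5120
198.51.100.9 - - [11/Mar/2014:10:00:03 +0000] "GET /?p=12 HTTP/1.1" 200 4000
198.51.100.9 - - [11/Mar/2014:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 3000
198.51.100.9 - - [11/Mar/2014:10:00:05 +0000] "GET /?p=12 HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)


def parse_line(line: str):
    """Return (client ip, path, query string) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    return m.group("ip"), parts.path, parts.query


def is_numeric_buster(query: str) -> bool:
    """True for a query string that is only digits (e.g. '?4137'): WordPress gives it
    no meaning, so its only effect is to make the URL differ from the cached one."""
    return query.isdigit()


def find_cache_busters(log_text: str, min_distinct: int = 4):
    """Return {(ip, path): {"distinct": n, "all_numeric": bool}} for every client that
    requested one path with at least min_distinct different query strings."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec[2]:  # skip unparsable lines and requests with no query
            continue
        ip, path, query = rec
        seen[(ip, path)].add(query)
    return {
        key: {"distinct": len(queries), "all_numeric": all(is_numeric_buster(q) for q in queries)}
        for key, queries in seen.items()
        if len(queries) >= min_distinct
    }


if __name__ == "__main__":
    for (ip, path), info in find_cache_busters(SAMPLE_LOG).items():
        print(f"{ip} {path}: {info['distinct']} distinct query strings, all numeric={info['all_numeric']}")
```

Run over the constructed log, only the first client is reported: five distinct, all-numeric query strings against the front page, while the second client's repeated `?p=12` is a legitimate, cacheable request. In practice the grouping would be done per time window so that a slow, long-lived browsing session is not mistaken for a flood.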

So whether your blog is being used to attack others or is being attacked itself, our WAF can help. For more information on our WAF, visit https://www.cloudflare.com/waf
