DDoS Attack Case Study | WordPress Pingback Reflection Attack


Presentation Description

http://bit.ly/1pBadhD | The WordPress pingback function can be abused in powerful reflection attacks to flood a victim site with connections. Learn how this attack vector works and what you need to do to prevent your sites from participating in these attacks in the full Prolexic Q1 2014 DDoS attack report, available for a free download at http://bit.ly/1pBadhD.


Presentation Transcript

Case Study: A Reflected Application DDoS Attack (WordPress Pingback)


Overview:

PLXsert has observed abuse of the WordPress pingback function in recent DDoS attack campaigns. This reflected application-layer attack vector exploits a weakness in the WordPress pingback function. WordPress applied fixes to prevent the original form of the attack, but reflection techniques still allow DDoS attackers to abuse the feature.

Characteristics of the WordPress pingback attack:

Pingback is an automated function that notifies a website's owner when one of their posts or pages is linked from another website. Attackers abuse this by crafting pingback requests whose claimed "source" URL is the target, so that the WordPress site directs its pingback verification request at the target instead of at a genuine linking page. The attack relies on many intermediary WordPress websites with the pingback function turned on.

Characteristics of the WordPress pingback attack (cont):

During an attack, hundreds of thousands of intermediary WordPress sites could be abused to generate pingback verification requests to the target site. The vector succeeds by exhausting the target's available connections and consuming its bandwidth.

How does the WordPress pingback attack work?:

Malicious actors send custom POST requests to an intermediary WordPress site. Each POST carries a pingback whose source URL claims to be a page on the target site; the intermediary then fetches that URL to verify the link, so the pingback response is reflected back at the target. Note that it is the claimed source URL that is spoofed, not the attacker's IP address: the POST to the intermediary is an ordinary TCP/HTTP exchange.
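The exchange described above, as an added example that is not part of the Prolexic deck: the code builds a constructed pingback request of the kind an attacker POSTs to a reflector, decodes it the way the reflector's endpoint would, and models the verification fetch the reflector then makes. The protocol details (the XML-RPC method name pingback.ping, the two URI parameters, and the "WordPress/<version>; <site>; verifying pingback from <ip>" User-Agent string) come from WordPress's own XML-RPC implementation, not from the deck; the hostnames and addresses are assumptions.

```python
"""Added example: what a WordPress reflector receives, and what it then
sends to the target. Not code from the Prolexic report or from WordPress."""
import xmlrpc.client
from urllib.parse import urlsplit

# Constructed sample request (not captured from a real campaign).
# An attacker POSTs this XML-RPC body to the reflector's xmlrpc.php.
# Param 1 (sourceURI) is the victim; param 2 (targetURI) is any post on the
# reflector. The hostnames and addresses below are assumptions.
ATTACKER_IP = "198.51.100.7"
REFLECTOR_SITE = "http://blog.example.org"
VICTIM_URL = "http://victim.example.com/?p=1"
PINGBACK_REQUEST = xmlrpc.client.dumps(
    (VICTIM_URL, f"{REFLECTOR_SITE}/2014/03/some-post/"),
    methodname="pingback.ping",
)


def parse_pingback(body: str) -> dict:
    """Decode the XML-RPC call as the reflector's endpoint does and pull out
    the two URIs. Anything other than pingback.ping(source, target) is rejected."""
    params, method = xmlrpc.client.loads(body)
    if method != "pingback.ping" or len(params) != 2:
        raise ValueError(f"not a pingback.ping call: {method!r}")
    source_uri, target_uri = params
    return {"source": source_uri, "target": target_uri}


def reflected_request(body: str, reflector_site: str, client_ip: str,
                      wp_version: str = "3.8") -> dict:
    """Model the verification fetch WordPress performs: it requests sourceURI to
    confirm that the page links to targetURI. That GET is what hits the victim.
    The TCP connection comes from the reflector; the attacker's address survives
    only inside the User-Agent string WordPress sends ("verifying pingback from")."""
    p = parse_pingback(body)
    src = urlsplit(p["source"])
    return {
        "method": "GET",
        "host": src.hostname,
        "path": src.path + (f"?{src.query}" if src.query else ""),
        "user_agent": f"WordPress/{wp_version}; {reflector_site}; "
                      f"verifying pingback from {client_ip}",
        "claimed_link_target": p["target"],
    }


if __name__ == "__main__":
    req = reflected_request(PINGBACK_REQUEST, REFLECTOR_SITE, ATTACKER_IP)
    print(f"{req['method']} {req['path']} -> {req['host']}")
    print("User-Agent:", req["user_agent"])
```

The point for a defender on either side: the reflector never verifies who submitted the pingback before connecting out, and the target sees connections from thousands of legitimate WordPress hosts rather than from the attacker, with only the User-Agent string pointing back at the submitting address.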

Actual campaign from Q1 2014:

One campaign targeting an Internet media company peaked at 50,000 connections per second and lasted nearly 9 hours. This attack was based entirely on the WordPress pingback vector.

Traffic distribution of real attack: (chart slide; no transcript text)

Pingback best practices:

The WordPress pingback attack is not new, but has recently regained popularity. Administrators are strongly encouraged to disable the pingback feature. Note that the WordPress discussion setting for pingbacks applies only to new posts; removing the pingback.ping method through the xmlrpc_methods filter, or restricting access to xmlrpc.php, also covers existing posts. However, many WordPress sites cannot afford to abandon this feature, and there may be no alternative services available. DDoS mitigation in this case is a daunting task, but one well managed by specialized mitigation providers such as Prolexic.
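Target-side detection of a pingback reflection flood, as an added example that is not the deck's own detection rule set: it runs over constructed Apache combined-format access log lines and flags the traffic when many distinct WordPress sites are making "verifying pingback from" fetches at a sustained per-second rate. The log lines, addresses, hostnames and thresholds are assumptions constructed for the example; the User-Agent format is the one WordPress uses for its pingback verification fetch.

```python
"""Added example: spot a WordPress pingback reflection flood in a web server
access log. Constructed data; not the Prolexic report's detection rules."""
import re
from collections import Counter

# Constructed log lines as seen at the TARGET of a reflection flood
# (addresses and hostnames are assumptions, not data from the deck).
LOG_LINES = [
    '203.0.113.10 - - [10/Mar/2014:14:02:11 +0000] "GET /?p=1 HTTP/1.0" 200 5123 "-" "WordPress/3.8; http://blog-a.example.org; verifying pingback from 198.51.100.7"',
    '203.0.113.11 - - [10/Mar/2014:14:02:11 +0000] "GET /?p=1 HTTP/1.0" 200 5123 "-" "WordPress/3.8.1; http://blog-b.example.org; verifying pingback from 198.51.100.7"',
    '203.0.113.12 - - [10/Mar/2014:14:02:11 +0000] "GET /?p=1 HTTP/1.0" 200 5123 "-" "WordPress/3.7; http://blog-c.example.org; verifying pingback from 198.51.100.7"',
    '198.51.100.200 - - [10/Mar/2014:14:02:11 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"',
    '203.0.113.13 - - [10/Mar/2014:14:02:12 +0000] "GET /?p=1 HTTP/1.0" 200 5123 "-" "WordPress/3.8; http://blog-d.example.org; verifying pingback from 198.51.100.7"',
    '203.0.113.14 - - [10/Mar/2014:14:02:12 +0000] "GET /?p=1 HTTP/1.0" 200 5123 "-" "WordPress/3.6; http://blog-e.example.org; verifying pingback from 198.51.100.9"',
    '203.0.113.15 - - [10/Mar/2014:14:02:12 +0000] "GET /?p=1 HTTP/1.0" 200 5123 "-" "WordPress/3.8; http://blog-f.example.org; verifying pingback from 198.51.100.7"',
    '203.0.113.10 - - [10/Mar/2014:14:02:13 +0000] "GET /?p=1 HTTP/1.0" 200 5123 "-" "WordPress/3.8; http://blog-a.example.org; verifying pingback from 198.51.100.7"',
]

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress sets on the pingback verification fetch.
PINGBACK_UA_RE = re.compile(
    r"^WordPress/(?P<ver>\S+); (?P<site>\S+); verifying pingback from (?P<origin>\S+)$"
)


def analyze(lines, min_reflectors=5, min_per_second=3):
    """Summarise pingback verification traffic and flag a likely reflection
    flood: many distinct reflecting WordPress sites plus a sustained rate.
    Thresholds are illustrative; tune them to the site's normal pingback volume."""
    hits = 0
    reflectors = set()   # WordPress sites being used as reflectors
    origins = set()      # addresses that submitted the pingbacks (from the UA)
    per_second = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip unparseable lines rather than fail
        ua = PINGBACK_UA_RE.match(m["ua"])
        if not ua:
            continue                      # ordinary browser/bot traffic
        hits += 1
        reflectors.add(ua["site"])
        origins.add(ua["origin"])
        per_second[m["ts"]] += 1          # combined-log timestamps have 1 s resolution
    peak = max(per_second.values(), default=0)
    return {
        "pingback_hits": hits,
        "reflectors": sorted(reflectors),
        "origins": sorted(origins),
        "peak_per_second": peak,
        "flagged": len(reflectors) >= min_reflectors and peak >= min_per_second,
    }


if __name__ == "__main__":
    summary = analyze(LOG_LINES)
    print(f"pingback hits: {summary['pingback_hits']}, "
          f"reflectors: {len(summary['reflectors'])}, "
          f"peak/s: {summary['peak_per_second']}, flagged: {summary['flagged']}")
    for origin in summary["origins"]:
        print("submitting address:", origin)
```

Two things the summary gives an operator that a raw connection count does not. The reflector list identifies which WordPress sites to rate-limit or block by User-Agent at the edge, and whose administrators to notify. The origin list is worth attention because, unlike UDP reflection, the pingback had to be submitted over a completed TCP connection, so the address WordPress records there is the submitting host (or its proxy) rather than a spoofed one.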

Q1 2014 Global Attack Report:

Download the Q1 2014 Global DDoS Attack Report. The Q1 2014 report covers:
Detection rules for WordPress pingback attacks
Analysis of recent DDoS attack trends
Breakdown of average Gbps/Mpps statistics
Year-over-year and quarter-by-quarter analysis
Types and frequency of application layer attacks
Types and frequency of infrastructure attacks
Trends in attack frequency, size and sources
Where and when DDoSers launch attacks
Case study and analysis

About Prolexic:

Prolexic Technologies, now part of Akamai, has successfully stopped DDoS attacks for more than a decade. Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks, those that exceed the capabilities of other DDoS mitigation service providers.
