Anatomy of an attack

At the beginning of this week my server became the target of a DDoS attack which eventually caused a massive overload. As a result, all websites on the machine were temporarily no longer available. The goal of this attack was obviously an attempt to exploit the pingback vulnerability of WordPress which had already been reported in March.

Update 2014-08-07: In fact, it is more likely that a problem in PHP's XML handling was exploited; also see this post for the details.

Within a short period of time, tens of thousands of POST requests targeting xmlrpc.php were sent. As a result the server had a load of 180 (usually the values are between 0.5 and 1.5) and a memory consumption of about 30 GB (instead of 5-6 GB) and was therefore virtually unavailable.

[Figure: Munin diagram, Apache]

Since my websites allow neither pingbacks nor trackbacks, the impact of this attack was fortunately limited to my server. There was also no data loss or manipulation of any kind.

As a first workaround, access to xmlrpc.php was restricted so that I can still use it in my own applications but attackers can no longer cause problems. Any access matching a pattern like http://arnowelzel.de/xmlrpc.php or http://arnowelzel.de/wp/xmlrpc.php is now denied with status 403.
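One way to implement such a restriction in Apache 2.4 (mod_authz_core), as an added example and not the configuration actually used on this server: the `FilesMatch` block matches xmlrpc.php in any directory, so both URL patterns above are covered, and every client outside the listed addresses receives a 403. The IP addresses are placeholders for the hosts that legitimately call XML-RPC.

```apache
# Added example, not the blog's own configuration.
# Place this in the server or virtual host configuration, or in the
# .htaccess of the document root (requires AllowOverride AuthConfig).
# FilesMatch tests the file name only, so /xmlrpc.php and /wp/xmlrpc.php
# are both matched, as are any deeper copies of the file.
<FilesMatch "^xmlrpc\.php$">
    <RequireAny>
        # Placeholder: the host running the author's own applications
        Require ip 192.0.2.10
        # Placeholder: a trusted network, e.g. an office or VPN range
        Require ip 203.0.113.0/24
    </RequireAny>
</FilesMatch>
```

When none of the `Require ip` rules match, Apache denies the request with status 403, which is the behaviour described above; to block XML-RPC for everyone instead, replace the `RequireAny` block with `Require all denied`.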

The attack continued for a couple of hours, but due to this workaround it no longer had any effect.
