In a novel twist on an increasingly common style of attack, the DDoS, someone has used the pingback function of WordPress sites to flood other sites they wanted to knock offline. Over at the Sucuri Blog, they explain exactly what happened and how nearly 162,000 unwitting WordPress blogs were turned into reflectors in DDoS attacks against multiple websites. Not all 162,000 blogs were necessarily used at once, but some targets reported upwards of 42,000 of them hitting at a time, enough to take down sites the attacker didn't like (or whatever the motivation for the DDoS was).
In fact, we first heard about this attack when security researcher Brian Krebs' own site was hit by some 42,000 of these WordPress blogs, none of which had any idea they were involved. Both the Sucuri Blog and Brian's own post explain how the attacks worked and how to avoid being part of the problem in future. Simply put: any WordPress site with pingbacks enabled will, on receiving an XML-RPC pingback.ping call, fetch the "source" URL named in that call to verify that the page really links back. Hand it the victim's URL as the source and it obligingly requests the victim's page; do that across thousands of popular, otherwise clean WordPress sites and you have a DDoS in which the victim's logs show only the reflecting blogs, not the attacker. The 162,000 sites were simply the ones found with pingbacks switched on. The simple fix for bloggers is to disable pingbacks: go to Settings, then Discussion, and uncheck the option that allows link notifications from other blogs. Note that this setting only applies to new posts; existing posts keep their own per-post setting, which is one reason people reach for a WordPress plugin that disables the functionality outright if the settings page alone doesn't do the job.
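To make the mechanism concrete from the victim's side, here is an added example (not code from the original post, nor from Sucuri or WordPress) that scans access-log lines for the tell-tale pattern of abused pingback fetches. It relies on two things: WordPress's HTTP client identifies itself as "WordPress/<version>; <blog URL>", so every reflected request names the blog that was abused, and the attack traffic carried a numeric "?digits=digits" query string to defeat caching, which a genuine pingback verification fetch (aimed at a real post URL) does not. The log lines, hostnames and addresses below are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of combined-format access-log lines as the flooded site
# would see them. Hosts use documentation/example domains and addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=643182 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://blog-one.example.org"
203.0.113.11 - - [09/Mar/2014:11:05:27 -0400] "GET /?7719913=204321 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-two.example.net"
203.0.113.10 - - [09/Mar/2014:11:05:28 -0400] "GET /?8811012=119903 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://blog-one.example.org"
198.51.100.7 - - [09/Mar/2014:11:05:28 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
203.0.113.12 - - [09/Mar/2014:11:05:29 -0400] "GET /?5150310=887210 HTTP/1.0" 403 0 "-" "WordPress/3.7.1; http://blog-three.example.com"
192.0.2.44 - - [09/Mar/2014:11:05:30 -0400] "GET /2014/03/post/ HTTP/1.1" 200 9100 "-" "WordPress/3.8.1; http://legit-linker.example.org"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# WordPress's HTTP client sends User-Agent "WordPress/<version>; <blog URL>".
WP_UA_RE = re.compile(r'^WordPress/(?P<version>[\d.]+); (?P<blog>https?://\S+)$')
# Cache-busting query string used in the reflected requests: /?<digits>=<digits>
RANDOM_QS_RE = re.compile(r'^/\?\d+=\d+$')


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reflector_of(entry):
    """Return the abused blog's hostname if this request looks like a reflected
    pingback fetch, else None. A WordPress User-Agent alone is not enough: a
    legitimate pingback verification fetches the post that was linked, so we
    also require the random numeric query string."""
    m = WP_UA_RE.match(entry["ua"])
    if not m or not RANDOM_QS_RE.match(entry["path"]):
        return None
    return urlparse(m.group("blog")).hostname


def analyze(log_text):
    """Count total requests, reflected requests, and who is reflecting.
    'reflectors' is keyed by the blog named in the User-Agent (the site that was
    abused), 'source_ips' by the address the request actually came from."""
    total = 0
    reflectors = Counter()
    source_ips = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        total += 1
        host = reflector_of(entry)
        if host:
            reflectors[host] += 1
            source_ips[entry["ip"]] += 1
    return {
        "total_requests": total,
        "reflected_requests": sum(reflectors.values()),
        "reflectors": reflectors,
        "source_ips": source_ips,
    }


def nginx_deny_rules(analysis, min_hits=1):
    """Emit nginx 'deny' lines for reflector addresses seen at least min_hits times.
    Blocking addresses rather than the WordPress User-Agent keeps genuine pingbacks working."""
    return [f"deny {ip};" for ip, n in sorted(analysis["source_ips"].items()) if n >= min_hits]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['reflected_requests']} of {result['total_requests']} requests "
          f"came via {len(result['reflectors'])} abused WordPress sites")
    for host, n in result["reflectors"].most_common():
        print(f"  {n:>4}  {host}")
    print("\n".join(nginx_deny_rules(result)))
```

The reflector list is what lets a victim (or a researcher such as Sucuri) enumerate the abused blogs by hostname rather than by IP, since the blog's own URL is right there in the User-Agent. The last sample line shows why the query-string check matters: it is a WordPress site fetching a real post URL, which is exactly what an honest pingback looks like, and it is left alone.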
The folks at OpenDNS also have some useful information about the WordPress DDoS against multiple websites. This technique doesn't appear to have been used at anything like this scale before, and WordPress still ships with pingbacks enabled by default rather than disabled. Whoever put this campaign together clearly knew that default and simply needed to find enough sites that had never changed it. The result was 162,000 WordPress blogs taking part in DDoS attacks across the internet, and I have a feeling this won't be the last time we see something like it. So, remember: if you run a WordPress blog, disable pingbacks, or at least take the precautions described in the links above, so that you aren't part of the problem.