And as for actual WordPress pingbacks .... you should probably switch 'em off

Patch adds warning label nobody reads


More than 26,000 WordPress sites have been enslaved and used in a recent distributed denial-of-service attack campaign using a vulnerability first described in March 2014.

The layer seven attacks exploit the pingback feature activated by default on WordPress sites, which informs other sites when they have been linked to. Those pingbacks can be abused to flood sites.

WordPress pushed a fix April 2014 in version 3.9 and later which added IP addresses logs that show the origin of pingbacks, but attackers don't seem to mind.

Sucuri malware analyst Daniel Cid says the attacks represent about 13 per cent of distributed denial of service attacks hitting its customers.

"Despite the potential reduction in value with the IP logging, attackers are still using this technique often enough," Sid says.

"Since the attack is coming from thousands of different IPs, network-based firewalls will do little to stop the attacks as they only do rate limiting per IP address."

Cid says in one case alone, 26,000 WordPress sites were abused to generate a sustained pingback stream of up to 20,000 HTTPS requests per second against one website.

Stats showing attacks originating from various providers.

Stats showing attacks originating from various providers.

The attack, which uses more resource-intensive HTTPS, is one that few servers could handle – even with load balancers and proxies in place.

While the IP-address logging patch helps, it is far from a mitigation since few WordPress admins check their user agent logs. Cid recommends the pingback feature be turned off to reduce the resources available to attackers.

In 2014, WordPress pingback attacks included more than 162,000 machines. ®

Similar topics


Other stories you might like

  • NASA installs a new and improved algorithm to better track near-Earth asteroids

    Nearly 20 year-old software used to protect humanity gets an upgrade

    NASA has upgraded its near-Earth asteroid monitoring algorithm to model hazardous space rocks more accurately after nearly two decades, it announced on Tuesday.

    The new system, dubbed Sentry-II, is more powerful than its predecessor, Sentry. Astronomers working at the space agency's Center for Near Earth Object Studies can now automatically calculate thermal influences that nudge an asteroid’s orbit, potentially sending it hurtling towards our home planet.

    The so-called Yarkovsky effect describes the subtle and gradual change of motion when asteroids are heated by the Sun’s light. When asteroids spin, one side of its surface exposed to the star gets heated. As it continues to rotate, the hot region enters shade and cools down. Infrared energy is radiated outwards; the photons carry momentum and impart a tiny thrust on the asteroid. Over long periods of time, these small kicks can change their paths and knock them out of their original orbit.

    Continue reading
  • Facebook slapped with an eyepopping $150B lawsuit for spreading hate speech against Rohingya refugees

    Lawsuit claims social media giant's algos helped Myanmar military crackdown on the Rohingya

    Meta was sued on Tuesday for a whopping $150 billion in a class-action lawsuit for allegedly amplifying hate speech and aiding the Myanmar military in the genocide of the Rohingya people.

    The case, led by an anonymous Rohingya refugee living in the US, accuses the entity formerly known as Facebook of inciting hatred and inflicting real harm on the predominantly Muslim group for years. Not only did the social media platform ignore hate speech posts, it's alleged that the service's algorithms actively promoted anti-Rohingya propaganda as hundreds of thousands of people fled from Myanmar to escape persecution.

    Facebook has already acknowledged its role in the campaign, which saw an estimated 25,000 people perish and 700,000 forced from the country. The lawsuit also comes after ex-employee and whistleblower Frances Haugen leaked internal documents demonstrating how its algorithms prioritized engagement over safety.

    Continue reading
  • Power management IC shortage holding cars, laptops, hostage

    Couple of cents-worth of kit causing big problems for the year to come

    The shortage of power management chips is worsening and holding back companies from building cars, PCs and items with batteries or an on-off switch, Trendforce said in a study this week.

    Power management ICs cost just a few cents, and are among cheap chips that include display driver and USB-C components that are in short supply. These chips are as important to PCs and other electronics as CPUs or memory.

    The demand for PMICs has gone through the roof with the emergence of electric cars and growing demand for PCs and consumer electronics during the past 20 plus months. Trendforce expects the prices will go up by 10 per cent to a six-year high of $0.23.

    Continue reading

Biting the hand that feeds IT © 1998–2021