Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
    • Get the 2022 Cloud Scurity Comparison Guide
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
      • Cyber Threat Categories and Definitions
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Research

WordPress DDoS Visibility from OpenDNS

By Andrew Hay
Posted on March 13, 2014
Updated on October 15, 2020


Our friends over at Sucuri posted an interesting blog about a Distributed Denial of Service (DDoS) attack in which 162,000 WordPress sites were enlisted to attack a single website. Daniel Cid, the CTO of Sucuri, explains the story:

It all happened against a popular WordPress site that had gone down for many hours due to a DDoS. As the attack increased in size, their host shut them down, and then they decided to ask for help and subscribed to our CloudProxy Website Firewall.

Once the DNS was ported, we were able to see what was going on: it was a large HTTP-based (layer 7) distributed flood attack, sending hundreds of requests per second to their server.

Daniel and I go way back: we worked together at Q1 Labs (now IBM), and together with Rory Bray we co-authored the OSSEC Host-Based Intrusion Detection Guide. I reached out to Daniel to see if we could share information and find out whether OpenDNS had observed the attack in some shape or form.

On March 9, 2014 (the day the attack commenced), OpenDNS tracked 255 unique IP addresses (4838 queries in total) querying for the targeted site, which we shall refer to as "the target". This caused a noticeable spike in DNS queries that registered well above the normal traffic pattern for the target:

[Image: OpenDNS Security Graph of queries for the target, showing the March 9 spike]

To give a sense of the magnitude, the 10 most active IP addresses querying the target on March 9 are shown below:

[Image: top 10 IP addresses querying the target on March 9]

Those queries include 3389 for IPv4 address (A) records, 1398 for IPv6 address (AAAA) records, 5 for delegation signer (DS) records, 35 for mail exchange (MX) records, and only 1 for a name server (NS) record.

Note: A full description of the various DNS record types can be found here.

Daniel also notes that all the requests came from valid, legitimate WordPress sites. The attacker abused the XML remote procedure call interface (XML-RPC, served by xmlrpc.php), which WordPress uses for pingbacks, trackbacks, remote posting from mobile devices and many other features you are probably very fond of.

One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple pingback request to the XML-RPC file:

# pingback.ping takes two parameters: the source URI (the page that supposedly links, which the abused site will fetch, i.e. the victim) and the target URI (a post on the abused site)
$ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'

By default, this feature is enabled in all WordPress installs (in WordPress 3.5 and later there is no settings-page option to turn XML-RPC off). A quick search on Shodan for xmlrpc.php turns up quite a few installations that could potentially be enlisted for future attacks.

On March 12, 2014, Brian Krebs tweeted a link to a list of the websites used in the attack in question.

After correlating Krebs' list with our DNS intelligence, we identified 135 IP addresses that were active between 12:00 and 16:00 GMT on March 9, 2014 and were using OpenDNS for name resolution.

Only 104 of those IP addresses were still active at the time of our subsequent research (March 12, 2014 at 8:00 GMT). Of those 104, 33 were running WordPress, and 14 of those had known vulnerabilities that could lead to future compromises if left unresolved. (Note: the quick scan of the WordPress sites for vulnerabilities was performed with WordPress Security Scanner.)
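To make the DNS-side analysis concrete, here is an added example (not OpenDNS or Cisco code) that performs the same kind of counting and correlation over a constructed resolver log: unique source IPs and total queries for one name, the per-record-type breakdown, the top talkers, a simple spike check, and the overlap between a time window and a published list of abused sites. The log format, the name target.example, every IP and timestamp, and the "published attacker list" are assumptions made up for the example.

```python
"""Added example, not OpenDNS/Cisco code: the resolver-side analysis the post
describes, run over a constructed query log.

Assumed log format (one query per line): <UTC timestamp> <client IP> <qname> <qtype>
target.example stands in for "the target"; all IPs, timestamps and the attacker
list below are made up for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

TARGET = "target.example"

# Constructed sample log (not real OpenDNS data). The post's attack window was
# 12:00-16:00 GMT on March 9, 2014; one query at 16:30 falls just outside it.
SAMPLE_LOG = """\
2014-03-09T11:40:02Z 192.0.2.10 target.example A
2014-03-09T12:01:15Z 192.0.2.10 target.example A
2014-03-09T12:01:15Z 192.0.2.10 target.example AAAA
2014-03-09T12:02:40Z 198.51.100.7 target.example A
2014-03-09T12:02:41Z 198.51.100.7 target.example AAAA
2014-03-09T12:05:00Z 198.51.100.7 target.example MX
2014-03-09T12:30:00Z 192.0.2.10 other.example A
2014-03-09T13:10:00Z 203.0.113.44 target.example A
2014-03-09T13:10:00Z 203.0.113.44 target.example A
2014-03-09T13:11:30Z 203.0.113.44 target.example DS
2014-03-09T15:59:59Z 192.0.2.10 target.example NS
2014-03-09T16:30:00Z 203.0.113.99 target.example A
this line is malformed and is skipped
"""

# Constructed stand-in for the published list of abused WordPress sites' IPs.
PUBLISHED_ATTACKER_IPS = ["198.51.100.7", "203.0.113.44", "203.0.113.99", "10.0.0.1"]

WINDOW_START = datetime(2014, 3, 9, 12, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 3, 9, 16, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse log lines into (ts, ip, qname, qtype); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2].lower().rstrip("."), parts[3].upper()))
    return records


def summarize_target(records, target=TARGET):
    """Unique sources, total queries, per-record-type counts and top talkers for one
    name: the figures the post reports for the target."""
    hits = [r for r in records if r[2] == target]
    by_ip = Counter(ip for _, ip, _, _ in hits)
    by_type = Counter(qtype for _, _, _, qtype in hits)
    return {
        "unique_ips": len(by_ip),
        "total_queries": len(hits),
        "by_type": dict(by_type),
        "top_ips": by_ip.most_common(10),
    }


def hourly_counts(records, target=TARGET):
    """Queries for the target per UTC hour, the series behind the spike graph."""
    buckets = defaultdict(int)
    for ts, _, name, _ in records:
        if name == target:
            buckets[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return dict(buckets)


def spike_hours(records, target=TARGET, factor=3.0):
    """Hours whose count exceeds factor x the median hourly count: a simple stand-in
    for 'well above the normal traffic pattern'. Returns the hours, earliest first."""
    counts = hourly_counts(records, target)
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(h for h, n in counts.items() if n > factor * baseline)


def correlate(records, suspect_ips, start, end, target=TARGET):
    """IPs from an external list that queried the target within [start, end): the
    overlap the post computed between Krebs' list and OpenDNS query data."""
    seen = {ip for ts, ip, name, _ in records if name == target and start <= ts < end}
    return sorted(seen & set(suspect_ips))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize_target(recs))
    print("spike hours:", spike_hours(recs))
    print("listed and active in window:",
          correlate(recs, PUBLISHED_ATTACKER_IPS, WINDOW_START, WINDOW_END))
```

Note that correlate() excludes 203.0.113.99 even though it is on the list, because its only query falls after the window, and excludes 192.0.2.10 even though it was busy during the window, because it is not on the list; the post's 135 figure is exactly that intersection.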

Sucuri and OpenDNS recommend adding the following filter to your WordPress sites to help mitigate this issue:

add_filter( 'xmlrpc_methods', function( $methods ) {
    // Unregister only pingback.ping; every other XML-RPC method stays available.
    unset( $methods['pingback.ping'] );
    return $methods;
} );

More information on working with WordPress filters can be found here. This removes only the pingback.ping method, so the site can no longer be made to send pingback requests on an attacker's behalf while the rest of the XML-RPC API keeps working. Removing xmlrpc.php itself is not recommended, as doing so breaks a number of other features that use the API.
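The following added example (not Sucuri's or WordPress's code) parses the pingback request that the curl command above sends, models the xmlrpc_methods filter recommended above as an operation on a method table, and gives an offline post-mitigation check: whether a site's system.listMethods reply still lists pingback.ping. It uses only the Python standard library; the placeholder host names, the tiny method table and the fault message text are assumptions.

```python
"""Added example, not Sucuri's or WordPress's code: what the pingback request
carries, and a model of the recommended xmlrpc_methods filter, using only the
Python standard library. Host names are placeholders; the method table is a tiny
hypothetical subset of what WordPress actually registers.
"""
import xmlrpc.client

# The body the curl command posts to xmlrpc.php (constructed, placeholder hosts).
PINGBACK_REQUEST = (
    "<methodCall><methodName>pingback.ping</methodName><params>"
    "<param><value><string>http://victim.example/</string></value></param>"
    "<param><value><string>http://anywordpresssite.example/postchosen</string></value></param>"
    "</params></methodCall>"
)
LIST_METHODS_REQUEST = (
    "<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"
)


def parse_call(body):
    """Return (method name, params) for an XML-RPC methodCall body."""
    params, method = xmlrpc.client.loads(body)
    return method, list(params)


def describe_pingback(body):
    """pingback.ping(sourceURI, targetURI): the server fetches sourceURI to verify that
    it links to targetURI. An attacker-chosen sourceURI is the victim that receives
    the HTTP request from every abused site."""
    method, params = parse_call(body)
    if method != "pingback.ping" or len(params) != 2:
        raise ValueError(f"not a pingback.ping call: {method!r}")
    source_uri, target_uri = params
    return {"server_will_fetch": source_uri, "claimed_linked_post": target_uri}


# Hypothetical stand-in for the xmlrpc_methods table the WordPress filter sees.
DEFAULT_METHODS = {
    "pingback.ping": lambda src, tgt: f"Pingback from {src} to {tgt} registered.",
    "wp.getUsersBlogs": lambda *args: [],
}


def remove_pingback(methods):
    """Equivalent of the recommended filter: unset( $methods['pingback.ping'] )."""
    filtered = dict(methods)
    filtered.pop("pingback.ping", None)
    return filtered


def dispatch(methods, body):
    """Serve one call against a method table. system.listMethods is always present,
    as the XML-RPC server's built-ins are; unknown methods get fault code -32601
    (the standard XML-RPC 'method not found' code; message text is illustrative)."""
    method, params = parse_call(body)
    if method == "system.listMethods":
        return sorted(methods) + ["system.listMethods"]
    handler = methods.get(method)
    if handler is None:
        return xmlrpc.client.Fault(-32601, f"requested method {method} does not exist")
    return handler(*params)


def list_methods_response(methods):
    """Render the system.listMethods reply as it would appear on the wire."""
    names = dispatch(methods, LIST_METHODS_REQUEST)
    return xmlrpc.client.dumps((names,), methodresponse=True)


def pingback_exposed(list_methods_response_xml):
    """Post-mitigation check: given the XML a site returns for system.listMethods,
    report whether pingback.ping is still offered."""
    (names,), _ = xmlrpc.client.loads(list_methods_response_xml)
    return "pingback.ping" in names


if __name__ == "__main__":
    print(describe_pingback(PINGBACK_REQUEST))
    hardened = remove_pingback(DEFAULT_METHODS)
    print(dispatch(DEFAULT_METHODS, PINGBACK_REQUEST))
    print(dispatch(hardened, PINGBACK_REQUEST))
    print("still exposed:", pingback_exposed(list_methods_response(hardened)))
```

To verify the filter on a real site, post LIST_METHODS_REQUEST to your own xmlrpc.php (for example with curl, as in the command above) and pass the response body to pingback_exposed(); once the filter is active it should return False, while other methods in the list still answer.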

© 2023 Cisco Umbrella