Distributed Denial of Service attacks have increased in scale, intensity and frequency. The wide range of motives for these attacks (political, criminal, or social) makes every merchant or organization with an online presence a potential target.
Over the weekend Incapsula mitigated a unique DDoS attack against a large gaming website, in which it discovered that thousands of legitimate WordPress blogs were being used as attack sources without any of them having been compromised.
Incapsula released the list of approximately 2,500 WordPress sites from which the attack originated, including some very large sites such as Trendmicro.com, Gizmodo.it and Zendesk.com.
In a recent report we covered another DDoS method, DNS amplification, in which a DNS request is sent to an open DNS resolver with the source IP address forged to be that of the targeted site, so that the response is delivered to the target instead of the sender. This new method uses HTTP rather than DNS.
The attack makes use of a feature in the WordPress blogging platform called 'pingback', which allows the author of one blog to send a 'ping' to a post on another blog to notify the latter that it has been referenced. It turns out that most WordPress sites are susceptible to this abuse, since the feature is enabled by default and WordPress has no protection mechanism against it.
The pingback mechanism has been known to be a security risk for some time. Late last year a similar vulnerability was discovered that could turn third-party blogs into a powerful port-scanning engine. That vulnerability (CVE-2013-0235) was fixed in WordPress 3.5.1 by applying some filtering on allowed URLs.
However, in this case the requests do not appear to be amplified, which means the attackers would have to control a large number of sources in order for such attacks to be successful. Incapsula also added that all websites using Incapsula are protected from such abuse.
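A defender on the targeted site can spot this kind of pingback flood in ordinary access logs, because WordPress labels the verification fetch it performs for each pingback with a User-Agent of the form `WordPress/<version>; <blog URL>; verifying pingback from <IP>` (this is standard WordPress behaviour, not something the report above states). The following Python script is an added example, not part of the original article or of Incapsula's tooling; the log lines, hostnames and addresses in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines as seen on the *targeted* site.
# Three fetches come from different WordPress blogs that all report the same pingback origin;
# the fourth is an ordinary browser request and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "GET /?4a1b2c HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.9 - - [10/Mar/2014:10:00:01 +0000] "GET /?9f8e7d HTTP/1.0" 200 5120 "-" "WordPress/3.5.2; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [10/Mar/2014:10:00:02 +0000] "GET /?c0ffee HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-c.example; verifying pingback from 198.51.100.7"
192.0.2.44 - - [10/Mar/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
"""

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent that WordPress sets on the GET it issues to verify a received pingback.
PINGBACK_UA_RE = re.compile(r'^WordPress/\S+; (?P<blog>\S+); verifying pingback from (?P<claimed>\S+)$')


def parse_pingback_hits(log_text):
    """Return one record per request whose User-Agent is a WordPress pingback verification fetch."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on junk
        ua = PINGBACK_UA_RE.match(m.group('ua'))
        if not ua:
            continue  # normal traffic
        hits.append({
            'reflector': m.group('ip'),          # the WordPress blog doing the fetch
            'blog': ua.group('blog'),            # URL the blog reports for itself
            'claimed_origin': ua.group('claimed'),  # IP that sent pingback.ping to that blog
            'request': m.group('req'),
        })
    return hits


def summarize(hits, min_reflectors=2):
    """Group fetches by the reported pingback origin; a single origin driving many distinct
    blogs is the signature of this reflection technique rather than of organic pingbacks."""
    by_origin = defaultdict(set)
    for h in hits:
        by_origin[h['claimed_origin']].add(h['reflector'])
    return {origin: sorted(refs) for origin, refs in by_origin.items() if len(refs) >= min_reflectors}
```

Feeding a real log through `summarize` gives, per reported origin, the set of reflecting blogs, which is the list a site owner would use to block the `WordPress/...; verifying pingback` User-Agent at the edge or to notify the blog operators.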