Today I want to talk about a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect source amplification vectors.
Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites. Note that XML-RPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you're likely very fond of. But it can also be heavily misused, as in the case we are seeing here.
The story
It all happened against a popular WordPress site that had gone down for many hours due to a DDOS. As the attack increased in size, their host shut them down, and then they decided to ask for help and subscribed to our CloudProxy Website Firewall.
Once the DNS was ported we were able to see what was going on, it was a large HTTP-based (layer 7) distributed flood attack, sending hundreds of requests per second to their server. The requests looked like this:
74.86.132.186 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://www.mtbgearreview.com"
121.127.254.2 - - [09/Mar/2014:11:05:27 -0400] "GET /?4758117=5073922 HTTP/1.0" 403 0 "-" "WordPress/3.4.2; http://www.kschunvmo.com"
217.160.253.21 - - [09/Mar/2014:11:05:27 -0400] "GET /?7190851=6824134 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://www.intoxzone.fr"
193.197.34.216 - - [09/Mar/2014:11:05:27 -0400] "GET /?3162504=9747583 HTTP/1.0" 403 0 "-" "WordPress/2.9.2; http://www.verwaltungmodern.de"
..
If you notice, all queries had a random value (like "?4137049=6431829") that bypassed their cache and forced a full page reload every single time. It was killing their server pretty quickly.
But the most interesting part is that all the requests were coming from valid and legitimate WordPress sites. Yes, other WordPress sites were sending those random requests at a very large scale and bringing the site down.
WordPress Insecure Default Option = Very Large Botnet
Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk.
Can you see how powerful it can be? One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack while staying hidden in the shadows, and it all happens with a simple pingback request to the XML-RPC file:
$ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'
Yes, that simple command on Linux can start it all.
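As an added example (not code from the original post), here is a small Python script for the receiving end: it applies the signature visible in the log excerpt above, a "WordPress/<version>; <site>" User-Agent combined with a random "/?digits=digits" cache-busting query, to access-log lines and tallies how many distinct WordPress sites are reflecting against you. The log lines, IP addresses (TEST-NET ranges) and site names are constructed for this example.

```python
import re
from collections import Counter

# Combined-format access log line, as in the excerpt above:
# ip - - [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A pingback fetch names the reflecting site in its User-Agent.
PINGBACK_UA_RE = re.compile(r'^WordPress/(?P<version>[\d.]+); (?P<site>\S+)$')
# The flood's cache-busting query: the whole path is "/?<digits>=<digits>".
CACHE_BUST_RE = re.compile(r'^/\?\d+=\d+$')

# Constructed sample lines (TEST-NET addresses, example.org hosts), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-a.example.org"',
    '203.0.113.11 - - [09/Mar/2014:11:05:27 -0400] "GET /?4758117=5073922 HTTP/1.0" 403 0 "-" "WordPress/3.4.2; http://blog-b.example.org"',
    # ordinary browser visit: must not be flagged
    '198.51.100.7 - - [09/Mar/2014:11:05:28 -0400] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"',
    # genuine pingback verification of a real post: WordPress UA, but no cache-busting query
    '203.0.113.12 - - [09/Mar/2014:11:05:29 -0400] "GET /2014/03/new-post/ HTTP/1.0" 200 8192 "-" "WordPress/3.8.1; http://blog-c.example.org"',
    '203.0.113.10 - - [09/Mar/2014:11:05:30 -0400] "GET /?7190851=6824134 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-a.example.org"',
    'not a log line at all',
]

def reflected_pingback_hit(line):
    """Return (source_ip, reflector_site) if the line carries the flood signature, else None.
    Both conditions must hold: the WordPress User-Agent alone also marks legitimate pingback checks."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ua = PINGBACK_UA_RE.match(m.group('ua'))
    if not ua or not CACHE_BUST_RE.match(m.group('path')):
        return None
    return m.group('ip'), ua.group('site')

def reflector_counts(lines):
    """Hits per reflecting WordPress site; len() of the result is the botnet size seen so far."""
    counts = Counter()
    for line in lines:
        hit = reflected_pingback_hit(line)
        if hit:
            counts[hit[1]] += 1
    return counts
```

reflector_counts accepts any iterable of lines, so it can be pointed at an open access log directly; the number of distinct keys it returns is how many WordPress sites have been turned against you so far.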
cauz
March 18, 2014, 10:54 p.m.