How to Prevent WordPress Bounce Attacks with an Old yet Powerful Trick

简介: Bounce attacks are a very tricky type of DDoS attacks. However, we can learn a lot from it when we take a deep dive into its technical make up and can

719a54b120d04bf3e9c49c28259f218294c611e5

Bounce attacks are a very tricky type of DDoS attacks. However, we can learn a lot from it when we take a deep dive into its technical make up and can better understand the logic and features of a bounce attack. This article aims to offer a bit more insight into bounce attacks and how to protect against them.


Bounce Attacks – A Background

For those who don’t know much about bounce attacks, let’s take a little time to get to grips with them. Bounce attacks are a DDoS attack with use the ‘leverage effect’ to cause greater damages. This means a hacker can create a heavy traffic attack with just a small number of requests. To put that into perspective, a hacker carrying out a bounce attack uses only around 1 GB of requests to create a bounce attack of up to 10 GB in traffic. Through concealment, the source IP address of a bounce attack is hidden owing to the mechanism of the attack. From a recipient's perspective, the source IP address of the attack shows as the IP address of a reflector.

Early on, attackers initiating bounce attacks such as SYN bounce attacks, change the source IP addresses of SYN packets to the IP addresses of the recipients and send the packets to many servers (which are the reflectors). The servers return SYN/ACK messages to the recipients according to the three-way handshake rules. In this case, a large number of unexpected SYN/ACK messages are sent from various IP addresses to the victims, creating SYN/ACK-based DDoS attacks. This is rarely used nowadays because it causes a high cost to the hackers and many servers have been protected against such attacks. However, the logic of this type of attack has a profound influence. Hackers have been exploring a great variety of reflectors and increasingly amplifying the effect on them.


What are ‘Reflectors’?

The criteria regarding reflectors are as follows:

1. Reflectors must be widely distributed and large in quantity.

2. There must be a function, vulnerability, module, or interaction mechanism that enables "bounce".

It is noticeable that in recent years, the DNS servers, NTP servers, and SSDP devices widely deployed across the internet have been used intentionally by hackers as reflectors. The DDoS attacks initiated with these reflectors have emerged account for a large proportion of DDoS attacks over the past few years. Although these reflectors work on L7, they mainly leverage heavy traffic to cause network congestion, which is basically similar to attacks with large UDP packets. 

Therefore, you can protect against such attacks simply by using ACL to disable the ports of reflectors (such as the UDP 1900 ports of SSDP devices and UDP 123 ports of NTP servers), or by filtering out the typical fields for initiating the attacks (such as uuid for initiating attacks with SSDP servers).


Bounce Attacks on WordPress

Now that we’ve covered the logic and background behind Bounce Attacks, lets take a look at on WordPress specific Bounce Attacks. Unlike the other bounce attacks such as NTP bounce attacks, a WordPress bounce attack is carried out on layer 7, making it a type of CC attack. WordPress bounce attacks have been reported from as early as 2014. According to the results of detection of DDoS attacks on Alibaba Cloud Security users, WordPress bounce attacks still account for a large proportion of CC attacks and generally are able to exhaust the processing capacity of a common site with a low cost and light traffic (compared with traffic-dependent bounce attacks).


Bounce Attacks on WordPress: Unique Traits

Considering that a WordPress bounce attack has unique traits, let’s quickly go over its unique characteristics.

WordPress, as I’m sure you all know, is a popular blog platform on which about 20% of all the websites around the world are built on. WordPress bounce attacks use millions of these websites from across the internet which satisfy reflectors criterion 1 (as mentioned previously), and the pingback mechanism provided by a module named XML- RPC which satisfies criterion 2 (also mentioned above).

The pingback mechanism originally serves as a means to notify a website system of article referencing. At a simple POST request, the mechanism sends a reference link and reference page content to a referenced site or blog. Upon receiving a pingback request, WordPress automatically returns a response to the source page to verify the reference link. Using this mechanism, attackers can specify target addresses and construct pingback requests containing valid links to achieve the bounce effect for CC attacks. Such a request can be constructed simply with the curl command. Therefore, it is quite easy for an attacker in possession of a certain number of WordPress websites to carry out the attack on multiple targets.

Here is a screenshot of a WordPress bounce attack on a website detected by Anti-DDoS Pro.

d04bbc723e470267fe32fb9e2c8841fb29a5d722

The above figure indicates that the pingback request was sent from an IP address in Chile. At present, there are millions of such requests from around the world, and many of them are sent from South America, North America, and the Chinese Mainland.

The following protection log of Anti-DDoS Pro shows that about 120,000 such requests were detected within 5 minutes. This example from Alibaba Cloud Security allows you to understand the larger picture of CC attacks on users in a day.

82a70dc1f52536bff9896185e9a7adbb7f777811

According to the preceding introduction, when a WordPress bounce attack is carried out, the user-agent request must include the WordPress or pingback field, while the source IP address may be variable. These characteristics allow us to protect against the attacks simply by rejecting the requests that contain the fields (similarly, ACL is used to protect again NTP bounce attacks by disabling UDP port 123.)

How to Detect and Prevent WordPress Bounce Attacks:

1.Take Nginx as an example. When it is suspected that a website is under CC attack (challenge collapse attack), you can tail log files to check whether a large number of requests containing the pingback field have been generated. Alternatively, you can use the following command to collect the statistics:

f04d0820fc3b3075476c812f7c2a88434232af9c

2. When such attacks are detected, open the Nginx configuration file of the website (/etc/nginx/nginx.conf or /etc/nginx/sites-enabled/your-site depending on the specific Nginx and Linux versions), locate the server definition, and add the following if statement (case-sensitive) to somewhere in the server definition: 

141457e1f73245f837ed79be91ce37e5794be48e

3.The preceding statement returns the error 403 (access denied) message when detecting the WordPress or pingback field in a user-agent request. After modifying the Nginx configuration, reload it using the following command:


1c3e9e40d4fa0698c567cbade24d8ca376862212

4. After configuration is complete, you can run the curl or wget command with the specified user-agent request to check whether error 403 messages are received. If yes, the configuration is correct. 


Conclusion

With the above configuration, the server can now block such attacks. Configuring local servers to achieve protection is not applicable to users without O&M knowledge or large-scale CC attacks.

In these cases, it’s recommended to turn to high-performance cloud mitigation services to block these attacks. Currently, the Anti-DDoS Suite from Alibaba Cloud Security supports customized policies for addressing such attacks. In addition, Web Application Firewall (WAF) offers customized rules to enable users to complete simple configuration for protection.

aa1ab8468655190e2d10109ffa0e93bb557eb285



目录
相关文章
|
机器学习/深度学习 自然语言处理 算法
TASLP21-Reinforcement Learning-based Dialogue Guided Event Extraction to Exploit Argument Relations
事件抽取是自然语言处理的一项基本任务。找到事件论元(如事件参与者)的角色对于事件抽取至关重要。
104 0
|
机器学习/深度学习 算法 Shell
Paper:《A Few Useful Things to Know About Machine Learning》翻译与解读(二)
Paper:《A Few Useful Things to Know About Machine Learning》翻译与解读(二)
|
搜索推荐 PyTorch 算法框架/工具
Re30:读论文 LegalGNN: Legal Information Enhanced Graph Neural Network for Recommendation
Re30:读论文 LegalGNN: Legal Information Enhanced Graph Neural Network for Recommendation
Re30:读论文 LegalGNN: Legal Information Enhanced Graph Neural Network for Recommendation
|
机器学习/深度学习 自然语言处理 PyTorch
Re6:读论文 LeSICiN: A Heterogeneous Graph-based Approach for Automatic Legal Statute Identification fro
Re6:读论文 LeSICiN: A Heterogeneous Graph-based Approach for Automatic Legal Statute Identification fro
Re6:读论文 LeSICiN: A Heterogeneous Graph-based Approach for Automatic Legal Statute Identification fro
|
SQL 编译器 API
Efficiently Compiling Efficient Query Plans for Modern Hardware 论文解读
这应该是SQL查询编译的一篇经典文章了,作者是著名的Thomas Neumann,主要讲解了TUM的HyPer数据库中对于CodeGen的应用。 在morsel-driven那篇paper 中,介绍了HyPer的整个执行框架,会以task为单位处理一个morsel的数据,而执行的处理逻辑(一个pipeline job)就被编译为一个函数。这篇paper则具体讲如何实现动态编译。
451 0
Efficiently Compiling Efficient Query Plans for Modern Hardware 论文解读
|
机器学习/深度学习 算法 搜索推荐
Paper:《A Few Useful Things to Know About Machine Learning》翻译与解读(一)
Paper:《A Few Useful Things to Know About Machine Learning》翻译与解读(一)
|
机器学习/深度学习 算法 搜索推荐
Paper:《A Few Useful Things to Know About Machine Learning》翻译与解读(三)
Paper:《A Few Useful Things to Know About Machine Learning》翻译与解读(三)
|
人工智能 自然语言处理 搜索推荐