By sending spoofed web requests that appeared to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target site with traffic, effectively knocking it offline.
The attack exploited the XML-RPC protocol that sites running WordPress use to provide services such as pingbacks, trackbacks and remote access from mobile devices.
Researchers at security firm Sucuri counted more than 162,000 legitimate WordPress sites hitting a single, unidentified customer website.
According to the researchers, the number of WordPress sites used in the attack could have been far greater had they not ended the attack by blocking the requests.
Analysis of the attack revealed that it was a large HTTP-based (layer 7) distributed flood attack, sending hundreds of requests per second.
“One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple pingback request to the XML-RPC file,” Daniel Cid, Sucuri CTO, wrote in a blog post.
Unlike network-layer attacks, attacks like this one that target the application layer do not require a lot of bandwidth to be successful, Cid told PC World.
He said the advantage of abusing the WordPress pingback feature in this manner is that attackers can spread their attacks over a large number of unique IP addresses, making it harder for the targeted sites to block them.
This approach does not amplify the bandwidth utilisation, but the scale and reach of the attack, said Cid.
He warned that any WordPress site with pingback enabled (which is on by default) can be used in DDoS attacks against other sites without website owners knowing.
To check, WordPress site owners can look through their logs for any POST requests to the XML-RPC file. “If you see a pingback to a random URL, you know your site is being misused,” said Cid.
To stop a WordPress website from being misused, he said website owners need to disable the XML-RPC (pingback) functionality on their site.
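As an added example (not code from the article or from Sucuri), the kind of check Cid describes: scan a web server access log for POST requests to the XML-RPC file and count them per source address. The combined log format, the constructed sample lines and the threshold are assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" access log format (assumed); one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not from the article): ordinary page views
# plus a burst of POSTs to xmlrpc.php from one client.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:10:15:01 +0000] "GET /2014/03/hello-world/ HTTP/1.1" 200 5123
198.51.100.7 - - [10/Mar/2014:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.7 - - [10/Mar/2014:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.7 - - [10/Mar/2014:10:15:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.10 - - [10/Mar/2014:10:15:04 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42
192.0.2.55 - - [10/Mar/2014:10:15:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
"""


def xmlrpc_posts(log_text):
    """Return a Counter of client IP -> number of POST requests to xmlrpc.php.

    Only POSTs count: an XML-RPC call such as pingback.ping is carried in a
    POST body, so GETs to the file are noise for this check.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined format
        path = m.group("path").split("?")[0]
        if m.group("method") == "POST" and path.endswith("/xmlrpc.php"):
            hits[m.group("ip")] += 1
    return hits


def suspicious_sources(log_text, threshold=3):
    """IPs with at least `threshold` POSTs to xmlrpc.php (threshold is an assumption)."""
    return sorted(ip for ip, n in xmlrpc_posts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in xmlrpc_posts(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} POST(s) to xmlrpc.php")
    print("sources to review:", suspicious_sources(SAMPLE_LOG))
```

A site that never uses XML-RPC should see no such POSTs at all, so even a single hit is worth a look; the threshold only ranks the noisiest sources.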
WordPress developers have reportedly downplayed the risk, saying XML-RPC is seldom used outside of experimentation because it gets shut down by anti-spam providers.
But as recently as July 2013, security firm Incapsula reported that one of its customers was targeted in a pingback DDoS attack from 50,000 bots that generated eight million hits at a rate of 1,000 hits per second.
Abuse of the XML-RPC functionality is one of several techniques attackers are using against websites.
Other increasingly common DDoS attacks abuse the internet's time-synchronisation protocol and exploit open domain name system servers to amplify traffic.