Friday, March 14, 2014

Another Day, Another DDoS Method


DDoS is in the news again with a novel method of creating high-volume attacks. This time WordPress is the source and target of the attack, by way of its pingback feature.



What happened?

A creative attacker used an old bug which causes a WordPress blog to request a page from another site. The intended use is for WordPress to keep track of the pages that contain a link to it.

The feature is called a "pingback". Here's how it normally works:

Blog A has a post.
Site B publishes a page that contains a link to the Blog A post.
Site B informs Blog A that it has posted a link to Blog A's post.
Blog A requests the Site B page that contains the link, to verify it.

In this case, an attacker manipulated this exchange so that it went like this:

Blogs A-Z have posts.
Site 1 is the victim.
The attacker tells Blogs A-Z that Site 1 linked to them.
Blogs A-Z request pages from Site 1.
Site 1 becomes unavailable.

Caching Trick

A lot of web servers use an idea called caching (actually, a lot of things in computer science use this idea). The concept is that if you know something could be asked for a lot, why not keep it some place easy to get to? This is the same idea as putting frequently checked-out library books at the front of the library to avoid traffic jams in the back rows (if you're old enough to know what a library is).

Normally this concept would help mitigate the attack, because the pages being requested would already be cached and returned quickly. But the attacker included a random number in each request, so the cache rarely had a match and was rarely effective. Enough techno-babble, here's the caching scenario in story form.

Normal caching:

Library Visitor 1(LV1): Hello, do you have War and Peace?
Librarian (LR): Yes, we have our copy right here.
LV2: Hello, do you have War and Peace?
LR: Yes, we have it right here.
LV3: Hello, do you have War and Peace?
.....
...
..
.

Attack to spoof caching:

Library Attacker 1 (LA1): Hello, do you have a book called Sunshine Falls on the Moon Softly? I think it's by Edgar Allan Poe.
LR: Hmm, I've never heard of that book. I'll have to search.
LA2: Hello, do you have a book called Moon light falls on the sun forcefully? I think it's by Whitman.
LR: Hmm, I've never heard of that book. I'll have to search when I've found SFOTMS by Poe.
LA3: Hello, do you have the book called...
LR: *Collapses under the exhaustion*

You get the picture.
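As an added example (not code from the original post), here is a small Python check that spots the cache-busting pattern above in a web server's access log: one path fetched by many different WordPress blogs, each with a different query string. It assumes the log is in Common Log Format and that WordPress labels its verification fetches with a User-Agent of the form "WordPress/x.y; http://origin-blog; verifying pingback from ..."; the log lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format) for illustration.
# The "verifying pingback" User-Agent is assumed to be the string WordPress
# sends when it fetches a page to confirm a pingback; hosts and IPs are made up.
SAMPLE_LOG = """\
10.0.0.1 - - [14/Mar/2014:10:00:01 +0000] "GET /post?4729 HTTP/1.1" 200 5120 "-" "WordPress/3.8; http://blog-a.example; verifying pingback from 203.0.113.5"
10.0.0.2 - - [14/Mar/2014:10:00:01 +0000] "GET /post?88213 HTTP/1.1" 200 5120 "-" "WordPress/3.8; http://blog-b.example; verifying pingback from 203.0.113.5"
10.0.0.3 - - [14/Mar/2014:10:00:02 +0000] "GET /post?17 HTTP/1.1" 200 5120 "-" "WordPress/3.7; http://blog-c.example; verifying pingback from 203.0.113.5"
10.0.0.4 - - [14/Mar/2014:10:00:02 +0000] "GET /post?90001 HTTP/1.1" 200 5120 "-" "WordPress/3.8; http://blog-d.example; verifying pingback from 203.0.113.5"
10.0.0.9 - - [14/Mar/2014:10:00:03 +0000] "GET /post HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Mar/2014:10:00:04 +0000] "GET /other HTTP/1.1" 200 800 "-" "WordPress/3.8; http://blog-e.example; verifying pingback from 198.51.100.9"
"""

# Common Log Format with referrer and User-Agent appended.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumed shape of the WordPress pingback-verification User-Agent.
PINGBACK_UA = re.compile(r"^WordPress/\S+; (?P<origin>\S+); verifying pingback")


def pingback_flood(log_text, min_origins=3, min_variants=3):
    """Return {path: (distinct origin blogs, distinct query strings)} for every
    path that many different blogs fetched with many different query strings:
    the 'ask for a book nobody has ever heard of' trick from the story."""
    origins = defaultdict(set)
    variants = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable log line
        ua = PINGBACK_UA.match(m["ua"])
        if not ua:
            continue  # ordinary visitor, not a pingback verification fetch
        path, _, query = m["target"].partition("?")
        origins[path].add(ua["origin"])  # which blog was tricked into fetching
        variants[path].add(query)        # the random cache-busting suffix
    return {p: (len(origins[p]), len(variants[p]))
            for p in origins
            if len(origins[p]) >= min_origins and len(variants[p]) >= min_variants}


if __name__ == "__main__":
    for path, (n_origins, n_variants) in pingback_flood(SAMPLE_LOG).items():
        print(f"{path}: fetched by {n_origins} blogs with {n_variants} distinct query strings")
```

On the sample above only /post is flagged; /other is a single ordinary pingback check and the plain browser visit is ignored.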

WordPress has some documentation on how to turn off the pingback action.