Crazy WordPress DDoS Attack
Hey All,
We usually have DDoS attacks anytime we post a LET offer, go figure, but most of the time it doesn't really affect us. This time, we were smacked by something that we have never seen before and was wondering if anyone else has experienced a similar DDoS attack? It was essentially made by remote WordPress sites, thousands of them, and it started within about 10 minutes of posting our offer. We have since mitigated the issue after about 90 minutes of slowness on our website. At its peak, it was pulling about 10Mbps, not very big in terms of a DDoS attack but clearly causing a load on the server.
Our access log has a couple hundred thousand of the following entries, always similar, never the same (probably why our normal modes of protection were no good). This is just a very small sample:
108.174.151.74 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://www.pentlargelaw.com"
108.45.120.51 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://www.deepmarket.com"
91.135.235.15 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/2.9.1; http://www.backyardadventures.co.uk"
204.147.202.36 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.3.1; http://sounddesign.sva.edu"
64.207.177.124 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.3.2; http://www.outlandexposure.com"
194.29.153.16 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.3.1; http://www.ztmind.il.pw.edu.pl"
61.195.154.212 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1.4; http://www.ishp.co.jp"
173.245.51.67 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.1" 403 531 "-" "WordPress/4.0.1; http://www.click2005.org; verifying pingback from 192.99.71.21"
108.45.120.51 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://www.deepmarket.com"
198.63.32.250 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://hausinteriordesign.com"
216.157.17.136 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.4.2; http://www.isreligion.org"
216.187.153.138 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.4.2; http://www.pinecc.com"
69.164.211.147 - - [25/Feb/2015:12:01:31 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/4.1; http://www.themains.net; verifying pingback from 192.99.71.21"
Anyone else experience this or seen this type of attack before?
Guess just another reason to avoid WordPress like the plague.
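As an added example (not code from the original poster or any commenter), the script below parses access-log lines of the shape quoted in the post, picks out requests carrying the WordPress pingback-verifier User-Agent, and aggregates the reflecting hosts and the "verifying pingback from" address so the reflectors can be blocked and the origin reported. The sample lines are constructed to mirror the post's format; the field names and the `summarize()` helper are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the same combined-log shape as the lines quoted in the post.
SAMPLE_LOG = """\
108.174.151.74 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://www.pentlargelaw.com"
173.245.51.67 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.1" 403 531 "-" "WordPress/4.0.1; http://www.click2005.org; verifying pingback from 192.99.71.21"
69.164.211.147 - - [25/Feb/2015:12:01:31 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/4.1; http://www.themains.net; verifying pingback from 192.99.71.21"
203.0.113.9 - - [25/Feb/2015:12:01:31 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# WordPress pingback verifier UA: "WordPress/<ver>; <blog url>[; verifying pingback from <ip>]"
WP_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<blog>\S+?)(?:; verifying pingback from (?P<origin>\S+))?$'
)


def parse_line(line):
    """Split one combined-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(ua):
    """Return version, blog URL and (optional) pingback origin if the UA is a WordPress verifier."""
    m = WP_UA_RE.match(ua)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count WordPress verifier hits, collect reflecting host IPs and tally the claimed origins."""
    reflectors, origins, wp_hits = set(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        wp = classify(rec["ua"]) if rec else None
        if not wp:
            continue                      # ordinary browser traffic, leave it alone
        wp_hits += 1
        reflectors.add(rec["ip"])         # the compromised/abused WordPress host
        if wp["origin"]:
            origins[wp["origin"]] += 1    # the IP that asked the host to verify a pingback
    return {"wp_hits": wp_hits, "reflectors": sorted(reflectors), "origins": dict(origins)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Reading the real log instead of the sample (for example via `summarize(open("access.log").read())`) yields the reflector list to feed a nullroute or ipset and the origin address to include in an abuse report.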
Comments
Maybe if you were Nice Servers instead of Mean Servers people would be, well, nicer :-)
It is an XMLRPC attack!
Blocking the WordPress user agent in your virtual host conf should help a lot.
Yepp, that's what solved it for us. Sorry, forgot to post the solution.
report abuse to the IP triggering all these pingbacks also, 192.99.71.21.
What's the fix that you've used if you don't mind sharing?
try that!
aah yes, sorry forgot to read that bit
@SpeedBus:
All those WordPress sites are hacked sites where a shell (XMLRPC shell) is injected, and the attacker is using those sites to attack. There are 162,000 WordPress-powered websites!
@MeanServers, if the useragent consistently contains "WordPress" block it using fail2ban.
Better to nullroute the individual IPs, and firewall whole subnets if there are numerous IPs in the subnet, IMHO. Or, use Ipsets.
Thousands of individual IP addresses. Still busy collecting them all so I can just run a few commands in one go to the router nullrouting them =D
Thanks for the extra insight!
@MeanServers, You can nullroute 1000's automatically via fail2ban ... without any major impact on performance.
PM if you want to discuss further. (Don't want to fan any "flame wars" or disclose too much as your attackers are obviously lurking here as well).
Thanks, but we will be banning them network wide to prevent them from harming any customers in the future as well. Just means the IPs need to be formatted and run as a batch in our router instead, not really a big inconvenience.
OK
Cheers
Ever wondered why 95% of those are OVH IPs? Because OVH doesn't care about it at all.
Any chance you can share the IP list, so that others can block them as well?
Certainly! http://www.meanservers.com/max/wordpress-wall-of-shame.txt.bz2
The file is in its raw format so you can do what you would like with the data; the uncompressed version is just around 1.1GB FYI.