- Jun 9, 2013
- 6,720
Kaspersky Lab experts have noted an emerging trend – a growth in the number of attacks using encryption. Such attacks are highly effective due to the difficulty in identifying them amongst the overall flow of clean requests. Recently, the company encountered yet more evidence of this trend – an attack exploiting vulnerabilities in WordPress via an encrypted channel.
WordPress Pingback attacks have been in use since 2014. They fall under the amplification class of attacks, when the victim’s resource is attacked via third-party servers by exploiting vulnerabilities in them.
In the case of WordPress Pingback, the role of the vulnerable server is played by sites created using WordPress CMS (usually blogs) with the Pingback function enabled. This function is designed to automatically send notifications to authors about any activity involving their posts. The attacker sends a specially created HTTP request to these sites with a fake return address – the address of the victim who receives all the responses.
This means it is possible to organize a powerful HTTP GET flood attack without a botnet, making such an attack relatively simple and inexpensive to organize. However, the amplified HTTP GET request has a very specific header – User Agent – which makes such malicious queries easy to detect and block in the overall traffic flow.
Although the recent attack observed by Kaspersky Lab experts used the same method, it differed from a “classic” WordPress Pingback attack in that it was conducted via HTTPS rather than HTTP. The target of the attack – a news resource – turned out to be one of Kaspersky Lab’s customers.
Read more. DDoS attacks via WordPress now come with encryption - Help Net Security
WordPress Pingback attacks have been in use since 2014. They fall under the amplification class of attacks, when the victim’s resource is attacked via third-party servers by exploiting vulnerabilities in them.
In the case of WordPress Pingback, the role of the vulnerable server is played by sites created using WordPress CMS (usually blogs) with the Pingback function enabled. This function is designed to automatically send notifications to authors about any activity involving their posts. The attacker sends a specially created HTTP request to these sites with a fake return address – the address of the victim who receives all the responses.
This means it is possible to organize a powerful HTTP GET flood attack without a botnet, making such an attack relatively simple and inexpensive to organize. However, the amplified HTTP GET request has a very specific header – User Agent – which makes such malicious queries easy to detect and block in the overall traffic flow.
Although the recent attack observed by Kaspersky Lab experts used the same method, it differed from a “classic” WordPress Pingback attack in that it was conducted via HTTPS rather than HTTP. The target of the attack – a news resource – turned out to be one of Kaspersky Lab’s customers.
Read more. DDoS attacks via WordPress now come with encryption - Help Net Security
