Wednesday, April 08, 2015

Do some WordPress blogs pose a "community risk" of DDoS attacks? Do tools like Akismet for comment moderation provide protection?

There is some literature reporting that WordPress sites can be "harnessed" to facilitate DDoS (distributed denial of service) attacks against other targets through the "pingback" mechanism, which is exposed over XML-RPC.
For example, there is a discussion here at InfoSec, link. The author recommends "hardening" WordPress security. One way to defend against misuse is to require comment moderation for pingbacks.

It's possible that some WordPress bloggers will notice high page-request counts of a "spam" nature in their stats, which may consist of pingback requests held up in comment moderation. It's a good idea to check and mark the moderation queue, since WordPress blogs tend to attract a lot of comment spam anyway. Another technique is to use a comment-spam product like Akismet (which would normally prevent these large false page-request counts).
There are some demos of how the exploit works on YouTube, like here.
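For a blogger who wants to check whether the "spam-looking" hits in their stats are actually XML-RPC traffic, here is an added example (my own code, not from the post or from WordPress) that scans a web server access log in the common "combined" format and flags client addresses that POST to `/xmlrpc.php` repeatedly within a short window. The log lines are constructed samples, and the threshold and window are assumptions to tune per site:

```python
"""Spot bursts of XML-RPC POSTs (the path pingbacks arrive on) in a WordPress access log.

Added example, not part of the original post. Assumes Apache/nginx "combined"
log format; SAMPLE_LOG below is constructed data, not a real server's log.
"""
import re
from collections import Counter
from datetime import datetime

# ip, ident, user, [timestamp], "METHOD path proto", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: a few normal page views, one client hammering xmlrpc.php,
# and a single legitimate-looking XML-RPC call from another client.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2015:10:00:01 +0000] "GET /2015/04/post/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2015:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1; http://example.net"
198.51.100.7 - - [08/Apr/2015:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1; http://example.net"
198.51.100.7 - - [08/Apr/2015:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1; http://example.net"
198.51.100.7 - - [08/Apr/2015:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1; http://example.net"
198.51.100.7 - - [08/Apr/2015:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1; http://example.net"
198.51.100.7 - - [08/Apr/2015:10:00:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1; http://example.net"
192.0.2.9 - - [08/Apr/2015:10:00:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1; http://blog.example.org"
203.0.113.5 - - [08/Apr/2015:10:00:30 +0000] "GET /about/ HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Apr/2015:10:00:40 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def is_xmlrpc_post(rec):
    """Only POSTs matter: pingback.ping and every other XML-RPC call arrive as POST."""
    return rec["method"] == "POST" and rec["path"] == "/xmlrpc.php"


def xmlrpc_share(log_text):
    """Return (xml-rpc POSTs, total parsed requests): how much of the traffic is XML-RPC at all."""
    total = xmlrpc = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if is_xmlrpc_post(rec):
            xmlrpc += 1
    return xmlrpc, total


def find_xmlrpc_bursts(log_text, threshold=5, window_seconds=60):
    """Client IPs that POST to xmlrpc.php at least `threshold` times inside one window.

    Returns a list of (ip, peak count in a window), busiest first. The defaults are
    assumptions; a site with many legitimate pingbacks or mobile-app logins may need
    a higher threshold.
    """
    per_window = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_xmlrpc_post(rec):
            continue
        bucket = int(rec["time"].timestamp()) // window_seconds
        per_window[(rec["ip"], bucket)] += 1
    peaks = Counter()
    for (ip, _bucket), n in per_window.items():
        if n >= threshold:
            peaks[ip] = max(peaks[ip], n)
    return sorted(peaks.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("xml-rpc POSTs / total:", xmlrpc_share(SAMPLE_LOG))
    for ip, n in find_xmlrpc_bursts(SAMPLE_LOG):
        print(f"{ip}: {n} xmlrpc.php POSTs in one window")
```

Two caveats a practitioner should keep in mind. The access log only shows requests arriving at your blog; when the blog is being used as a pingback reflector, the damaging traffic is the outbound verification request your server makes to the victim, which this script cannot see. And a handful of POSTs to `xmlrpc.php` per hour is normal for a site that receives genuine pingbacks or uses the mobile app, so the point of the threshold is to surface the sustained bursts worth moderating or blocking, not to treat every XML-RPC call as hostile.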

I'm not sure how real the problem of WordPress-related DDoS is in practice. The DDoS is directed at a different site. It seems unlikely to cause bandwidth problems for the WordPress site itself. One could ask about legal liability if a blog is implicated, or whether Section 230 could come into play. (Coordinated post on my main blog today.)

