Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.

The technique made it possible for an attacker with modest resources to greatly amplify the bandwidth at its disposal. By sending spoofed Web requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle. Besides causing such a large number of unsuspecting sites to attack another one, the attack is notable for targeting XML-RPC, a protocol the sites running WordPress and other Web applications use to provide services such as pingbacks, trackbacks, and remote access to some users.

Researchers from security firm Sucuri recently counted more than 162,000 legitimate WordPress sites hitting a single customer website. They suspect they would have seen more if they hadn’t ended the attack by blocking the requests.

“Can you see how powerful it can be?” Sucuri CTO Daniel Cid wrote in a blog post published Monday. “One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.”

The result: the unidentified target website was flooded with hundreds of requests per second. Hundreds of requests per second may not sound like much, especially when compared with recent attacks, some of which reached volumes close to 400 gigabits per second. It’s important to remember that the XML-RPC traffic is directed at a targeted site’s layer 7 (aka application layer), which handles HTTP, FTP, DNS, and several other communications protocols. Many DDoS techniques direct torrents of traffic at a much lower level, usually in the network layer (aka layer 3). Layer 7 attacks frequently require much less junk data to be effective.

Cid’s blog post contains plenty of useful information about DDoS attacks that abuse XML-RPC, including this scanner that will indicate whether a specific Web address was observed participating in the attack Sucuri blocked. The post also provides instructions that operators of WordPress sites can follow to prevent their servers from being abused to carry out these types of attacks. The technique involves adding the following code to a site theme:

add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods[''] );
return $methods;
} );

Cid doesn’t say if there are any negative consequences that will result from adding the filter. Since XML-RPC provides useful and possibly needed functionality, readers are advised to carefully consider the pros and cons before applying such a move to a production server. Readers who know more about the way the XML-RPC protocol is implemented in WordPress and the effects of the above filter are encouraged to share their knowledge in the comments.

The WordPress-enabled attacks are just one technique in a growing arsenal of powerful DDoS weapons. Other implementations include the abuse of the Internet’s time-synchronization protocol and the exploitation of open domain name system servers to greatly amplify traffic. Attackers have also waged extremely powerful DDoS campaigns using botnets of WordPress servers. The growing body of attacks shows that there’s no shortage of ways to inflict crippling damage on the Internet.


Distributed denial-of-service (or DDoS) attacks aren’t new – however, the ferocity and volume of attacks has risen sharply over recent months. Just last month, a stream off attacks wreaked havoc across the Internet and continued DDoS attacks shut down one of the world’s largest Bitcoin exchanges, MtGox.

If you think these attacks are orchestrated by highly sophisticated cyber masterminds, think again. As the name implies, a DDoS simply tries to prevent a service from working. In a DDoS, the attacker uses a large number of machines from all over the Internet to send enormous amounts of traffic towards the target.

Usually, the source of the traffic is a network of compromised “zombie” computers (also known as a botnet) that send the traffic. Hacker forums, blogs, and even YouTube share easily accessible information on how to set up a DDoS attack, making it so that practically anyone with an Internet connection can launch their own attack.

However, DDoS attacks are not only obnoxious to deal with – they can have very real detrimental consequences for business.

How can you tell whether you’ve been the victim of DDoS?

When dealing with a DDoS attack it is worth noting that it can be challenging to even determine if your website is down due to legitimate traffic, rather than an attack. The key to telling the difference lies in the length of time the service is down – if slow or denied service continues for days rather than a spike during a campaign it is time to start to look into what’s going on.

Additionally, if the same source address is querying for the same data long before the Time to Live (TTL) has passed, it could be a sign that they are up to no good. Unfortunately, you cannot simply check to see if all of the traffic is coming from one IP, as this is the exact purpose of a DDoS: to have traffic coming from multiple sources.

How can you prepare yourself?

Of course, you won’t want to wait until you have become the latest unfortunate victim of the long line of attacks. There are a number of steps you can take to ensure you won’t make yourself a target and keep your network clean of spammers and other miscreants:

1. Be aware

Invest in technology that allows you to know your network’s normal behaviour and will make you aware of any abnormal incidents such as a DDoS.

2. Boost capacity

Make sure you provision enough server capacity and tune for best performance under high load. Build the biggest network you can with effective elements for advanced mitigation.

3. Practice your defence

Knowing how to use your defensive strategy is just as important as buying and installing it. Practice the drills over and over to get it committed to your staff’s minds.

4. Get help

If you don’t have the resources to deal with attacks in-house your best bet is to outsource to a managed DNS provider who can redirect site visitors to hosts that aren’t down with advanced features like load balancing and performance monitoring.

5. Be prepared

The best way to avoid any disruption from a DDoS attack is to be prepared for it. If you are having a hard time deciding whether or not you actually need to invest in a stronger mitigation technique (e.g. you believe your industry or business is at a low risk of an attack), figure out the impact it would have on your company financially if it were to happen.

Although it may not be an apparent risk, the cost associated with being attacked is usually much higher than the cost to take safeguards.


Cloud DDoS protection provider, DOSarrest’s Proxy Defense has been named ‘security product of the year’ at the first UK Cloud Awards that took place on Wednesday evening during Cloud Expo. Alex Hilton, the Cloud Industry Forum’s CEO, praised the quality of the entries, while the keynote speaker, Outsourcery’s joint-CEO and BBC ‘Dragon’, Piers Linney used the occasion to describe how the cloud has come of age.

“We are delighted to have won this accolade for our DDoS Protection service,” said Mike Gordon from the DOSarrest UK office who collected the award at London’s City Hall. “The service has stopped thousands of attacks on our customers’ websites and it has done so seamlessly. So, to be recognised as the best is a huge achievement.”

The awards, launched by Cloud Pro in association with The Cloud Industry Forum and techUk, celebrate the very best of the industry and the ‘security product of the year’ category recognised the considerable innovation and capability that has been brought to market in the UK to further enhance the cloud’s reputation as a secure and trusted environment.

“The calibre of the entries we received this year made the judging process no easy task. The standard of the entries, and ultimate winners, speaks volumes about tech success and innovation in the UK, and serve as a reminder of the dynamic and forward-looking industry we have in this country. DOSarrest fought off strong competition to take home Security Product of the Year, and I’d like to take this opportunity to congratulate them,” said Alex Hilton, CEO of the Cloud Industry Forum.

DOSarrest’s Proxy Defense is a fully managed, cloud-based DDoS protection service. Once a website is running on Proxy Defense, which takes less than 15 minutes to set up, the site is immediately protected 24/7 from any and all DDoS attacks.

To view the entire winner list click below:

About DOSarrest Internet Security:

DOSarrest founded in 2007 in Vancouver, BC, Canada is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services. Their global client base includes mission critical ecommerce websites in a wide range of business segments including financial, health, media, education and government. Their innovative systems, software and exceptional service have been leading edge for over 7 years now.


Could it be the end for Bitcoin- a mere five years after its conception? In latest developments, it appears that the largest Bitcoin exchange in the world, MtGox, has simply disappeared along with the CEO, Mark Kepeles who resigned this week. Furthermore, a leaked crisis strategy draft for MtGox, reveals that large amounts of Bitcoin have gone missing.

“At this point 744,408 BTC are missing due to malleability-related theft which went unnoticed for several years. The cold storage has been wiped out due to a leak in the hot wallet,” the document stated.

In a statement, Raj Samani, EMEA CTO for McAfee said: “The news that MtGox has gone offline is yet another example of the volatility facing virtual currencies… [While] it’s true that no currency is immune to attacks by criminal enterprises – both traditional and virtual currencies face other risks such as hyperinflation – however, with a history of cyber-attacks on Bitcoin exchanges, it is hoped that mitigation strategies will be implemented in the future. Failure to do so only undermines confidence in the exchange and ultimately the currency.”

Samani cites the use of DDoS attacks in particular have made things difficult for MtGox and Jag Bains, CTO DOSarrest, a DDoS mitigation firm, agrees:

“The very nature of a “virtual currency” is of course going to be attractive to cyber criminals who see it as an easy target,” he said. “After all, they only have to steal digital information from a computer. The targets are diverse and the blame is shifting as to who is the weakest link, but at the end of the day, the attackers are winning with what is all too often considered a crude tool. It begs the question: Is DDoS still to be considered a blunt instrument? From what I have seen here and analyzing attacks in other sectors, the answer is a resounding no.”

In a joint statement on the Coinbase blog, key Bitcoin community members said:

“This tragic violation of the trust of users of Mt.Gox was the result of one company’s actions and does not reflect the resilience or value of bitcoin and the digital currency industry. There are hundreds of trustworthy and responsible companies involved in bitcoin. These companies will continue to build the future of money by making bitcoin more secure and easy to use for consumers and merchants. As with any new industry, there are certain bad actors that need to be weeded out, and that is what we are seeing today. MtGox has confirmed its issues in private discussions with other members of the bitcoin community.

We are confident, however, that strong Bitcoin companies, led by highly competent teams and backed by credible investors, will continue to thrive, and to fulfill the promise that bitcoin offers as the future of payment in the Internet age.”

So, while it doesn’t appear to be the end just yet, according to both Samani and Bains, those using Bitcoin or similar virtual currencies in business or their day to day life should be wary of the risks involved.

“There’s no doubt that the stakes are high when it comes to Bitcoin- on the one hand, there could be a lot to gain as adoption and popularity rises; and on the other, there is the regulatory uncertainty and likely insurance issues to consider. The best advice is to review the options and decide if the benefits outweigh the potential risks,” Bains concluded.


Attackers abused insecure Network Time Protocol servers to launch what appears to be one of the largest DDoS (distributed denial-of-service) attacks ever, this time against the infrastructure of CloudFlare, a company that operates a global content delivery network.

The attack was revealed Monday on Twitter by Matthew Prince, CloudFlare’s CEO, who said that it’s “the start of ugly things to come” because “someone’s got a big, new cannon.”

The size of the attack appears to have been just shy of 400Gbps, ranking it among the largest DDoS attacks CloudFlare has seen, Prince said Tuesday via email, adding that the company is still gathering data about the incident from upstream providers.

The attack could be larger than the one last March against Spamhaus, a spam-fighting organization and CloudFlare customer whose website was hit by a 300Gbps DDoS attack, which was considered to be the largest in history at the time. CloudFlare reported then that it caused congestion at critical Internet exchange nodes in Europe. However, other companies later challenged the reported impact.

The new attack Monday used a technique called NTP reflection that involves sending requests with spoofed source IP addresses to NTP servers with the intention of forcing those servers to return large responses to the spoofed addresses instead of the real senders.

The attack was directed at a CloudFlare user, Prince said, but he declined to disclose any additional details about the customer citing the company’s policy.

The DDoS traffic hit CloudFlare’s data centers worldwide, but only caused temporary congestion on the company’s network in Europe, he said.

There is also some anecdotal evidence that there were congestion issues in other parts of the Internet infrastructure that are not directly related to CloudFlare, but nothing definitive, he said. “The most likely place that slowness would have been observed is across European peering exchanges. However, our team moved quickly to take traffic off exchanges in order to minimize collateral damage.”

Shortly after Prince revealed the attack on Twitter, Octave Klaba, the founder and CEO of large French hosting provider OVH, reported that his company’s network had also been hit for hours Monday with a DDoS attack that far exceeded 350Gbps.

It’s not clear if the attack against OVH also used NTP reflection or if it’s related to the attack against CloudFlare.

“I would suspect they were likely related due to the similar timing and scale,” Prince said. “However, I don’t have direct evidence of that.”

OVH did not immediately respond to a request for comment.

NTP is just one of several protocols that and can be abused to amplify DDoS attacks. Two others are DNS (Domain Name System) and SNMP (Simple Network Management Protocol).

What these protocols have in common is that they allow a relatively small query to generate a large response and are vulnerable to source IP spoofing if certain precautions are not taken because they work over UDP (User Datagram Protocol).

Instead of hitting a target’s IP address directly with traffic generated by a botnet with a combined bandwidth of, say, 10Gbps, attackers could use the botnet to send spoofed queries to a list of open DNS or NTP servers. Those queries could be crafted to appear as if they came from the victim’s IP address and could trigger large responses from those servers to that address.

In the case of DNS reflection, the amplification factor is 8x, meaning attackers could generate eight times more traffic than they would normally be able to generate with their botnet. However, in the case of NTP and SNMP reflection it can be over 200x and 650x, respectively, CloudFlare said in a blog post in January.

DNS reflection was commonly used in DDoS attacks last year, including in the attack against Spamhaus, prompting calls from Internet infrastructure groups and security researchers to organizations to identify and secure their DNS servers against this type of abuse.

SNMP reflection attacks are relatively rare, because the protocol is usually used with authentication and there are few open SNMP servers on the Internet, CloudFlare said in its January blog post.

However, NTP servers that are vulnerable to reflection attacks are apparently not that rare and attackers have caught on to this. NTP servers are used by computers and other devices to synchronize their clocks so many of them are publicly accessible.

Security vendor Symantec reported in December that it observed a spike in the number of NTP reflection attacks. Then in early January the same technique was used to attack online gaming servers.

“NTP contains a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes,” CloudFlare explained in January. “It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent making it ideal for an amplification attack.”

Organizations can use the Open NTP Project to identify vulnerable NTP servers in their IP address ranges and can follow instructions provided by security research outfit Team Cymru to secure them on different OSes.

The U.S. Computer Emergency Response Team recommends updating NTP servers to at least ntpd (Network Time Protocol daemon) version 4.2.7, which addresses the monlist issue by default. Older versions need to be manually configured to restrict the functionality.