Hackers are abusing the 'pingback' function used in many WordPress websites to launch DDoS attacks against their victims.
In a blog post, IT security firm Suruci said that rather than hackers using DDoS to throw the websites offline by bombarding them with a huge number of packets, this type of attack was more precise, taking advantage of the pingback feature that generates a comment on a blog when someone else with pingback enabled links to it.
"Layer 7 attacks (also known as HTTP flood attacks) are a type [of] DDoS attack that disrupts your server by exhausting its resources at the application layer, instead of the network layer," said Daniel Cid, CTO at Sucuri.
"They do not require as many requests or as much bandwidth to cause damage; they are able to force a large consumption of memory and CPU on most PHP applications, CMSs and databases."
The firm said that hackers were using the technique in a new campaign that used a botnet comprising 26,000 WordPress websites. While it did not identify the victims, the company admitted this type of DDoS attack comprised 13 per cent of all DDoS against its clients.
Cid explained these websites were being used to generate a sustained rate of 10,000 to 11,000 HTTPS requests per second against one website.
"At some intervals, the attack would peak to almost 20,000 HTTPS requests per second. The attack started at 1pm (EST) and by midnight it was still ongoing," he said.
"Very few servers would be able to handle such a load, even with proxies and load balancers configured. Especially when talking about HTTPS requests which tend to use more CPU to establish the SSL session."
Such attacks accounted for around 13 per cent of all DDoS attacks the firm tracked for clients, according to Cid.
He added that while WordPress now logged the attacker IP address on newer releases, he was still recommending that WordPress websites disable pingbacks.
"It won't protect you from being attacked, but will stop your site from attacking others," he said.
-
Enterprise AI adoption is about to get the Big Brother treatmentOpinion Worried your staff aren’t using those shiny AI tools you petitioned for? Big tech has you covered
-
Dreamforce 2025: What's an agentic OS?ITPro Podcast NPUs, e-ink, and immersive headsets are the latest hardware innovations for business devices
-
UK crime fighters wrangle “several thousand” potential cyber criminals in DDoS-for-hire honeypotNews The sting follows a recent crackdown on DDoS-for-hire services globally
-
US begins seizure of 48 DDoS-for-hire services following global investigationNews Six people have been arrested who allegedly oversaw computer attacks launched using booters
-
Will triple extortion ransomware truly take off?In-depth Operators are now launching attacks with three extortion layers, but there are limitations to this model
-
GoDaddy web hosting reviewReviews GoDaddy web hosting is backed by competitive prices and a beginner-friendly dashboard, and while popular, beware of hidden prices
-
Japan investigates potential Russian Killnet cyber attacksNews The hacker group has said it’s revolting against the country’s militarism and that it’s “kicking the samurai”
-
LockBit hacking group to be 'more aggressive' after falling victim to large-scale DDoS attackNews The ransomware group is currently embroiled in a battle after it leaked data belonging to cyber security company Entrust
-
Record for the largest ever HTTPS DDoS attack smashed once againNews The DDoS attack lasted 69 minutes and surpassed the previous record of 26 million RPS
-
Cloudflare mitigates biggest ever HTTPS DDoS attackNews A botnet generated over 212 million HTTPS requests from over 1,500 networks in 121 countries
