DDoS attack is launched from 162,000 WordPress sites

Using unsuspecting WordPress sites as amplification vectors, a hacker takes down a popular Web site for hours.

internet5610x426.jpg

With some old-fashioned trickery, hackers were able to get more than 162,000 legitimate WordPress-powered Web sites to mount a distributed-denial-of-service attack against another Web site, security researchers said Monday.

Security firm Sucuri said hackers leveraged a well-known flaw in WordPress that allows an attack to be amplified by harnessing unsuspecting Web sites. It's unclear which site was the victim of the cyberattack but Sucuri said it was a "popular WordPress site" that went down for many hours.

"It was a large HTTP-based (layer 7) distributed flood attack, sending hundreds of requests per second to their server," Sucuri chief technology officer Daniel Cid said in a blog post. "All queries had a random value (like "?4137049=643182?) that bypassed their cache and force a full page reload every single time. It was killing their server pretty quickly."

While hundreds of requests per second don't seem that big when looking at other recent DDoS attacks -- like the ones against Namecheap and a CloudFlare customer last month that reached volumes from 100 gigabits per second to 400 gigabits per second -- Cid said this attack is still remarkable since it could have originated from just one person.

"Can you see how powerful it can be?" he wrote. "One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows."

(Via Ars Technica).

About the author

Dara Kerr is a staff writer for CNET focused on the sharing economy and tech culture. She grew up in Colorado where she developed an affinity for collecting fool's gold and spirit animals.

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Galleries from CNET
Hello, Samsung? The 1990s want all these phones back (pictures)
10 gloriously geeky highlights from 2014 (pictures)
2015.5 Volvo XC60: updated tech, understated design
Busted! CNET readers show us their broken devices (pictures)
Take a closer look at the BlackBerry Classic (pictures)