DNS and NTP servers are not the only publicly accessible resources that can be misused to amplify DDoS attacks.
Sucuri CTO Daniel Cid revealed details of a recent incident in which they received a plea for help from a popular WordPress site. The site was downed first by a DDoS, and then, when it went on for a while, by their hosting firm.
After they signed up for the company’s website firewall, the company discovered from where the flood of requests was coming.
“It was a large HTTP-based (layer 7) distributed flood attack, sending hundreds of requests per second to their server,” Cid shared in a blog post. The queries forced the page to reload fully every single time.
The requests were coming from 162,000 different (and possibly even more) legitimate WordPress sites, and what allowed the attacker to make these WP sites query the target was “a simple ping back request to the XML-RPC file.”
The pingback functionality can easily be disabled (and Cid explains how), but the bad news is that it is here to stay, as many plugins use it.
If you run a WordPress site, you can use this online tool to check whether it is being misused amplification attacks such as this one.