As you might know, our website falls into “Database connection fails” error a few days ago. The reason was – xmlrpc pingback attack.
I’ll start with attack algorithm. If you are in a hurry – scroll down for tips how to solve the problem.
The core of the problem is this:
In other words – any website that support Pingback 1.0 AS IT USED TO BE can be used as a relay! For example – any website build with wordpress.
The attacker just search for websites of that kind and make them to send requests to the victim. Either you are the victim or you are part of “botnet” you got tons of traffic and it can cause deny of service.
What to do:
1. Disable pingback.ping method. If you use worpress – install this plugin https://wordpress.org/plugins/remove-xmlrpc-pingback-ping/ but it will help only if the attacker is smart enough to stop bombarding you with requests.
2.Do you really need xmlrpc? if not and/or if you have lots of websites on the same ip you can use this rule in httpd.conf (or .htaccess)
Require all denied
Ok it will help if you are a part of “botnet”, but not if you are a victim. But there is ultimate solution to stop DDOS
3. Install mod_evasive. This is extension for Apache Httpd. Mod_evasive analyse activity of the users and block those who send too much requests per second. After a few seconds they are unblocked, because lots of people can use the same ip. As a result, anyone can access your website anyway, buy evil ips got lower priority. This mod has various options, but defaults works pretty cool.