With some old-fashioned trickery, hackers were able to get more than
162,000 legitimate WordPress-powered Web sites to mount a
distributed-denial-of-service attack against another Web site, security
researchers said Monday.
Security firm Sucuri said hackers
leveraged a well-known flaw in WordPress that allows an attack to be
amplified by harnessing unsuspecting Web sites. It's unclear which site
was the victim of the cyberattack, but Sucuri said it was a "popular
WordPress site" that went down for many hours.
"It was a large HTTP-based (layer 7) distributed flood attack,
sending hundreds of requests per second to their server," Sucuri chief
technology officer Daniel Cid said in a
blog post.
"All queries had a random value (like "?4137049=643182?) that bypassed
their cache and force a full page reload every single time. It was
killing their server pretty quickly." While hundreds of requests per second don't seem that big when looking at other recent DDoS attacks -- like the ones against
Namecheap and a
CloudFlare customer
last month that reached volumes from 100 gigabits per second to 400
gigabits per second -- Cid said this attack is still remarkable since it
could have originated from just one person.
"Can you see how
powerful it can be?" he wrote. "One attacker can use thousands of
popular and clean WordPress sites to perform their DDOS attack, while
being hidden in the shadows."
No comments:
Post a Comment