Encryption is now being used in DDoS attacks, Kaspersky researchers have found. The company has uncovered a specific attack exploiting vulnerabilities in WordPress via an encrypted channel. Because they are hard to identify among clean requests, these attacks are very successful. The attacks have been dubbed “pingback”.
WordPress PingBack Attacks Technical Overview
These attacks have been happening since 2014, researchers say. In essence, the victim’s resource is attacked via third-party servers by exploiting vulnerabilities in those servers.
For WordPress, a PingBack attack relies on sites built with the CMS that have the Pingback function enabled. The function sends notifications to authors automatically whenever there is activity on their posts. The attacker sends a specially crafted HTTP request to these sites using a fake return address (the address of the victim, who then receives the responses). What does this all mean? It means that it is possible to carry out a powerful HTTP GET flood attack without using a botnet, which makes the attack simple and low-cost.
However, the amplified HTTP GET request has a very specific header – User Agent – which makes such malicious queries easy to detect and block in the overall traffic flow.
Kaspersky researchers highlight that the recent attack they observed “differed from a “classic” WordPress Pingback attack in that it was conducted via HTTPS rather than HTTP.” More interestingly, the target of the attack the company observed turned out to be one of their customers.
Alexander Khalimonenko, DDoS protection group manager at Kaspersky Lab, said in a press release that:
The use of encryption makes it more difficult to detect an attack and protect against it because it requires traffic decryption to analyze queries to check whether it’s ‘clean’ or ‘junk’. At the same time, such an attack creates a bigger load on the attacked resource’s hardware than a standard attack, because setting up an encrypted connection requires the use of ‘heavy’ mathematics. Another difficulty lies in the fact that modern encryption mechanisms do not allow third-party access to traffic content. In this regard, security solutions will have to reconsider their filtering algorithms in order to protect customers from the growing popularity of DDoS attacks with encryption.
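As an added example, not code from the article or from Kaspersky, here is a log-side check for the User-Agent signature mentioned above, together with the constraint raised in the quote: WordPress’s pingback handler fetches the source URL with a User-Agent of the form "WordPress/<version>; <blog URL>; verifying pingback from <ip>", so the origin server or a TLS-terminating proxy (the only places where the decrypted request is visible) can count such GETs per reflecting host. The log lines, hosts and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Combined Log Format), not real traffic.
# The first three carry the User-Agent WordPress sets on pingback verification
# GETs; the last two are ordinary browser requests.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2016:13:55:36 +0000] "GET /?123 HTTP/1.1" 200 512 "-" "WordPress/4.6.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Oct/2016:13:55:36 +0000] "GET /?124 HTTP/1.1" 200 512 "-" "WordPress/4.5; https://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [10/Oct/2016:13:55:37 +0000] "GET /?125 HTTP/1.1" 200 512 "-" "WordPress/4.6; http://blog-c.example; verifying pingback from 198.51.100.7"
192.0.2.5 - - [10/Oct/2016:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"
192.0.2.6 - - [10/Oct/2016:13:55:38 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
"""

# Combined Log Format: src ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent that WordPress's XML-RPC pingback handler sets when it fetches the
# source URL: "WordPress/<ver>; <blog url>; verifying pingback from <ip>".
# The trailing IP is the address the reflecting blog saw the pingback call from.
PINGBACK_UA_RE = re.compile(
    r"^WordPress/[\d.]+; \S+; verifying pingback from (?P<origin>\S+)$"
)

def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text):
    """Count pingback verification GETs per reflecting WordPress host and per
    origin IP recorded in the User-Agent. Works on plaintext logs only, so it
    has to run where TLS is already terminated (origin or terminating proxy)."""
    reflectors, origins, total = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        m = PINGBACK_UA_RE.match(rec["ua"])
        if m:
            reflectors[rec["src"]] += 1
            origins[m.group("origin")] += 1
    return {"total": total, "pingback": sum(reflectors.values()),
            "reflectors": dict(reflectors), "origins": dict(origins)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A high count of distinct reflectors all naming the same origin IP is the pattern to alert on; the origin value is whatever the reflecting blog recorded, so treat it as a lead, not proof.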