Channel: linuxadmin: Expanding Linux SysAdmin knowledge

Dealing with recent WP pingback DDOS-attacks using iptables


Over the last two weeks there has been an increase in the use of the WordPress pingback feature to effectively launch a distributed DDOS with little effort. These attacks mostly tie up sessions on your webserver(s); bandwidth rarely is a problem.

I've recently managed to mitigate an attack involving +32k hosts using iptables with 'ipt_recent' and thought I'd share how it can be done now that we've been in the "clear" for a couple of days.

First you need to increase the default size of the ip-list used by 'ipt_recent'. Add the following to /etc/modprobe.d

options ipt_recent ip_list_tot=32768 ip_pkt_list_tot=3

and of course adjust the list size to your needs.

Once that is done make sure to reload ipt_module

rmmod ipt_recent
modprobe ipt_recent

Now we will add two rules to the iptables INPUT chain

iptables -A INPUT -p tcp -m recent --update --seconds 600 --name PINGBACK --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "WordPress/" --algo kmp -m recent --set --name PINGBACK --rsource

There! You're all set and should soon have your site back up and running at normal speed.

To speed up the process of adding IPs to the table you can do

echo 1.2.3.4 > /proc/net/ipt_recent/PINGBACK

Hope this might help some other unlucky admin out there, and don't forget, this can all be done in advance.

tl;dr: Utilize the fact that WordPress pingback will send user agent "WordPress/X.X" to block DDOS using iptables string match.

submitted by entropyfarmer
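The post's last tip is to pre-seed the PINGBACK table with the offending hosts. The following script is an added example, not from the post above: it scans web-server access-log lines (constructed sample lines in combined log format) for requests carrying the "WordPress/" user agent the post keys on, counts them per source IP, and emits the `echo IP > /proc/net/ipt_recent/PINGBACK` lines for hosts over a threshold. The threshold is an assumption added here so that a single legitimate pingback from a real blog does not get listed.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "WordPress/3.8.1; http://blog1.example"
203.0.113.10 - - [10/Mar/2014:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "WordPress/3.8.1; http://blog1.example"
203.0.113.10 - - [10/Mar/2014:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "WordPress/3.8.1; http://blog1.example"
198.51.100.7 - - [10/Mar/2014:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "WordPress/3.7; http://blog2.example"
192.0.2.44 - - [10/Mar/2014:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Mar/2014:12:00:05 +0000] "GET /?p=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def pingback_sources(log_text, threshold=3):
    """Return {ip: count} for hosts that sent at least `threshold` requests
    whose user agent starts with "WordPress/" (the string the iptables rule
    matches on). Lines that do not parse are skipped rather than guessed at."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        if m['ua'].startswith('WordPress/'):
            counts[m['ip']] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def recent_table_commands(ips, table='PINGBACK'):
    """Build the shell lines that pre-seed the ipt_recent table, one per host."""
    return [f'echo {ip} > /proc/net/ipt_recent/{table}' for ip in sorted(ips)]

if __name__ == '__main__':
    for cmd in recent_table_commands(pingback_sources(SAMPLE_LOG)):
        print(cmd)
```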
