
XF 1.4 XML-RPC DDoS attacks

Discussion in 'XenForo Questions and Support' started by Console Crunch, Sep 29, 2014.

  1. Hello, I have been contacted by my VPS support about DDoS attacks I am getting with the XML-RPC method, and they told me I must contact my software developer to find out if there is a patch or a way to disable XML-RPC. My site is just using XenForo with everything needed for it, like PHP, MySQL, httpd..
     
  2. Mike

    Mike XenForo Developer Staff Member

    XenForo does not use or expose any XML-RPC interfaces.
     
  3. Then why, if someone hits me with the XML-RPC method, does my site go down? Please let me know any idea to fix it.
     
  4. Mike

    Mike XenForo Developer Staff Member

    It sounds to me that the issue is simply that you're being DDoS'd. A DDoS generally needs to be resolved above the application layer (blocking earlier in the network).
     
  5. Tracy Perry

    Tracy Perry Well-Known Member

  6. Allan

    Allan Well-Known Member

    Yet it crashes XenForo forums easily.

    I just did the test, and the forum was inaccessible for more than 30 minutes without being able to do anything; it was done through a relative who has XenForo, and via a WordPress website.
     
  7. Tracy Perry

    Tracy Perry Well-Known Member

    The WordPress PingBack attack will bring (if large enough) any site down unless it is protected. Just another case of where a feature of WordPress should be disabled unless specifically needing it.
     
  8. Mike

    Mike XenForo Developer Staff Member

    The pingback issue is other sites attacking you. It's a DDoS. You can really point it at any server, just dynamic applications will be easier to attack given that they use CPU to work. DDoSes need to be handled increasingly far up the chain (potentially before they hit your network if they're big enough).
     
  9. Allan

    Allan Well-Known Member

    How do I protect against this attack?
     
  10. Allan

    Allan Well-Known Member

    I found this:
    Code:
    Deny from .wordpress.org
    Deny from 93.158.202.80
    Deny from 93.158.202.49
    Add in .htaccess. Possible solution?
     
  11. Tracy Perry

    Tracy Perry Well-Known Member

    If those are the only two.. but the attack is typically a distributed attack. I helped one guy out that was getting slammed by approximately 248 different WordPress sites and the concurrent requests were in the hundreds. There is no simple firewall (server based) that is going to prevent it. It has to be done upstream in the network at the switch/router layer (believe it's layer 7).

    The links I gave you explain it pretty well. By the time you block as you are doing, they are already hitting your server and you're slammed. It needs to be stopped before it reaches that point.
     
    Allan likes this.
  12. Allan

    Allan Well-Known Member

    Solution:
    Code:
    <Files xmlrpc.php>
    Order allow,deny
    Deny from all
    </Files>
     
  13. Tracy Perry

    Tracy Perry Well-Known Member

    I don't think you are fully understanding.. your HTTP server is STILL getting hit by it before the above can be processed... which means you are still suffering the attack.

    It has to be blocked/mitigated before it even hits your HTTP server - which is why I said it has to be done in the upstream (usually by a DDOS mitigation server or hardware device that is in place).
     
  14. Allan

    Allan Well-Known Member

    From what I read, the attack did in fact take place: the number of visitors went past 450-500, but the site did not crash.
     
  15. Tracy Perry

    Tracy Perry Well-Known Member

    The HTTP server still has to service the request before it can deny it. By servicing the request it means that a resource is allocated. The more of those requests it has to service the more it has to deny... but it still has to service them. That is what the DDoS aspect is. They saturate your HTTP server by overloading it with requests.

    Take my word for it... if it is a decent attack, the method you outlined will NOT prevent it from happening. Been there, done that, got the t-shirt, the baseball cap, the coffee cup, and all those related items.
    The only way you can stop it on your server is to move your HTTP server to an alternative port than 80 so that it doesn't receive those requests. But then folks can't get to your site because port 80 is the standard HTTP port.
     
  16. Mike

    Mike XenForo Developer Staff Member

    You can mitigate a small attack at the web server level. We were actually hit by it yesterday and had around 20,000 requests in a short span from a lot of hosts. It's just a standard resource exhaustion sort of thing. Blocking the requests at the server level may help with a "small" attack.
     
  17. iGloo'

    iGloo' Member

    Up.
    My website actually gets hit a lot by that kind of attack; is there a miracle solution? I know that some competing websites of mine were under attack these last weeks too, and they found a way to mitigate it, but I don't know how; it seems that they cap the maximum connections at 500 or something like that, and sometimes when I visit them they just crash for 10 seconds and then are back for a long time. I would like to know how to protect against that. I'll try to contact them, but I don't think they will help me out.
    Thanks in advance if you can provide me with a miracle response. :D
     
  18. Tracy Perry

    Tracy Perry Well-Known Member

    There is no "miracle solution" that is cheap/free. There are Layer 7 DDOS mitigation services that you can use - but most of them (those that are effective) cost.
    You can limit the # of connections from 1 IP via your HTTP server - but you can still be hit so heavily that it doesn't do any good. The only definite way to prevent it from happening is a hardware solution between you (your server) and the interwebz. There are companies out there that provide that.
    You can further have a firewall rule that detects the wp string and drops all connections - but again, it is still connecting for a short period, so if you have 60,000 connections in a short time you will usually be going down.
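As an added illustration of the server-level detection discussed in this thread (this is not code from the thread, XenForo or WordPress), the Python check below scans constructed access-log lines for pingback-verification hits, groups them by minute, and flags minutes where many requests arrive from many distinct WordPress origins. It assumes the Apache/nginx "combined" log format and the User-Agent shape WordPress sends when verifying a pingback.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format: only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed User-Agent shape of a WordPress pingback verification:
#   "WordPress/4.0; http://origin-blog.example; verifying pingback from ..."
PINGBACK_UA = re.compile(r'^WordPress/[\d.]+; https?://(?P<blog>[^;\s]+)')

def parse(line):
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def pingback_summary(lines, min_requests=20, min_distinct_blogs=3):
    """Bucket pingback-style hits per minute and flag minutes that look like a
    reflected flood: many requests relayed by many distinct WordPress sites."""
    per_minute = defaultdict(lambda: {"requests": 0, "ips": set(), "blogs": Counter()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ua = PINGBACK_UA.match(rec["ua"])
        if ua is None:
            continue                      # ordinary visitor, not a pingback
        minute = rec["ts"][:17]           # "29/Sep/2014:10:15"
        bucket = per_minute[minute]
        bucket["requests"] += 1
        bucket["ips"].add(rec["ip"])
        bucket["blogs"][ua.group("blog")] += 1
    flagged = {}
    for minute, b in per_minute.items():
        if b["requests"] >= min_requests and len(b["blogs"]) >= min_distinct_blogs:
            flagged[minute] = {"requests": b["requests"], "sources": len(b["ips"]),
                               "top_origins": b["blogs"].most_common(3)}
    return flagged

# Constructed sample: one normal visitor plus 30 pingback verifications relayed
# by 8 different WordPress blogs within the same minute (all addresses are
# documentation ranges, not real hosts).
SAMPLE = [
    '203.0.113.7 - - [29/Sep/2014:10:15:01 +0000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
] + [
    f'198.51.100.{i} - - [29/Sep/2014:10:15:{i:02d} +0000] "GET / HTTP/1.0" 200 4096 "-" '
    f'"WordPress/4.0; http://blog{i % 8}.example; verifying pingback from 192.0.2.9"'
    for i in range(1, 31)
]
```

Running `pingback_summary(SAMPLE)` returns the flagged minute with its request count, number of distinct relaying addresses, and the most frequent origin blogs, which is the kind of evidence to hand to an upstream mitigation provider.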
     
