XF 1.4 XML-RPC ddos atacks

Console Crunch · Sep 29, 2014

Hello I have been contacted my vps support about I am getting ddos atacks with the method xml rpc and they told me i must contact my software developer to know if there is a patch o way to disable xml rpc my site is just using xenforo with all needed for it like php mysql httpd..

Mike · Sep 29, 2014

XenForo does not use or expose any XML-RPC interfaces.

Console Crunch · Sep 29, 2014

Mike said:
XenForo does not use or expose any XML-RPC interfaces.

Then why if someone hits me with xml rpc method my site goes down? Please let me know any idea to fix it

Mike · Sep 29, 2014

It sounds to me that the issue is simply that you're being DDoS'd. A DDoS generally needs to be resolved above the application layer (blocking earlier in the network).

TPerry · Sep 30, 2014

Disaster1989 said:
Then why if someone hits me with xml rpc method my site goes down? Please let me know any idea to fix it

You need to ask them if it is a WordPress PingBack DDOS attack.
https://wordpress.org/plugins/disable-xml-rpc-pingback/
http://blog.sucuri.net/2014/03/more...for-distributed-denial-of-service-attack.html

Allan · Oct 2, 2014

Yet it crashes Forums XenForo easily.

I just take the test, and the forum is inaccessible for more than 30 minutes without being able to do anything, it is the fault of a relative has XenForo and via a wordpress website.

TPerry · Oct 2, 2014

Allan said:
Yet it crashes Forums XenForo easily.

I just take the test, and the forum is inaccessible for more than 30 minutes without being able to do anything, it is the fault of a relative has XenForo and via a wordpress website.

The WordPress PingBack attack will bring (if large enough) any site down unless it is protected. Just another case of where a feature of WordPress should be disabled unless specifically needing it.

Mike · Oct 2, 2014

The pingback issue is other sites attacking you. It's a DDoS. You can really point it at any server, just dynamic applications will be easier to attack given that they use CPU to work. DDoSes need to be handled increasingly far up the chain (potentially before they hit your network if they're big enough).

Allan · Oct 2, 2014

Mike said:
The pingback issue is other sites attacking you. It's a DDoS. You can really point it at any server, just dynamic applications will be easier to attack given that they use CPU to work. DDoSes need to be handled increasingly far up the chain (potentially before they hit your network if they're big enough).

Tracy Perry said:
The WordPress PingBack attack will bring (if large enough) any site down unless it is protected

How to protect this attack?

Allan · Oct 2, 2014

I found this:

Code:

Deny from .wordpress.org
Deny from 93.158.202.80
Deny from 93.158.202.49

Add in htaccess. Possible solution ?

TPerry · Oct 2, 2014

Allan said:
I found this:

Code:

Deny from .wordpress.org Deny from 93.158.202.80 Deny from 93.158.202.49

Add in htaccess. Possible solution ?

If those are the only two.. but the attack is typically a distributed attack. I helped one guy out that was getting slammed by approximately 248 different WordPress sites and the concurrent requests were in the hundreds. There is no simple firewall (server based) that is going to prevent it. It has to be done upstream in the network at the switch/router layer (believe it's layer 7).

The links I gave you explain it pretty well. By the time you block as you are doing, they are already hitting your server and your slammed. It needs to be stopped before it reaches that point.

Allan · Oct 2, 2014

Solution:

Code:

<files xmlrpc.php= » »>

Order allow,deny

Deny from all

</files>

TPerry · Oct 2, 2014

Allan said:
Solution:

Code:

<files xmlrpc.php= » »> Order allow,deny Deny from all </files>

I don't think you are fully understanding.. your HTTP server is STILL getting hit by it before the above can be processed... which means you are still suffering the attack.

It has to be blocked/mitigated before it even hits your HTTP server - which is why I said it has to be done in the upstream (usually by a DDOS mitigation server or hardware device that is in place).

Allan · Oct 2, 2014

From what I read, the attack is realized in fact, the number of visitors to pass 450-500 but the site is not planted.

TPerry · Oct 2, 2014

Allan said:
From what I read, the attack is realized in fact, the number of visitors to pass 450-500 but the site is not planted.

The HTTP server still has to service the request before it can deny it. By servicing the request it means that a resource is allocated. The more of those requests it has to service the more it has to deny... but it still has to service them. That is what the DDoS aspect is. They saturate your HTTP server by overloading it with requests.

Take my word for it... if it is a decent attack, the method you outlined will NOT prevent it from happening. Been there, done that, got the t-shirt, the baseball cap, the coffee cup, and all those related items.
The only way you can stop it on your server is to move your HTTP server to an alternative port than 80 so that it doesn't receive those requests. But then folks can't get to your site because port 80 is the standard HTTP port.

Mike · Oct 2, 2014

You can mitigate a small attack at the web server level. We were actually hit by it yesterday and had around 20,000 requests in a short span from a lot of hosts. It's just a standard resource exhaustion sort of thing. Blocking the requests as the server level may help with a "small" attack.

iGloo' · Oct 10, 2014

Up.
My website actually get hits a lot by that kind of attack, there's a miracle solution? I know that some of my concurrent websites were under attacks those last weeks too, and they find a way to mitigate it, but I don't know how, but it seems that they block the maximum connections at 500 or something like that, sometimes when I visit them, they just crash for 10 seconds and then are back for a long time. I would like to know how to protect that. I'll try to contact them, but I don't think that they will help me out.
Thanks in advance if you can provide me a miracle response.

TPerry · Oct 10, 2014

There is no "miracle solution" that is cheap/free. There are Layer 7 DDOS mitigation services that you can use - but most of them cost (those that are effective).
You can limit the # of connections from 1 IP via your HTTP server - but you can still be hit so heavy that doesn't do any good. The only definite way to prevent it from happening is a hardware solution between you (your server) and the interwebz. There are companies out that provide that.
You can further have a firewall rule that detects the wp string and drops all connections - but again, it still is connecting for a short period so if you have 60,000 connections in a short time you will be going down usually.

XF 1.4 XML-RPC ddos atacks

Console Crunch

Member

Mike

XenForo developer

Console Crunch

Member

Mike

XenForo developer

TPerry

Well-known member

Allan

Well-known member

TPerry

Well-known member

Mike

XenForo developer

Allan

Well-known member

Allan

Well-known member

TPerry

Well-known member

Allan

Well-known member

TPerry

Well-known member

Allan

Well-known member

TPerry

Well-known member

Mike

XenForo developer

iGloo'

Member

TPerry

Well-known member

Similar threads

We value your privacy