XF 1.4 XML-RPC ddos atacks

[Console Crunch]

Hello I have been contacted my vps support about I am getting ddos atacks with the method xml rpc and they told me i must contact my software developer to know if there is a patch o way to disable xml rpc my site is just using xenforo with all needed for it like php mysql httpd..

 

[Mike]

XenForo does not use or expose any XML-RPC interfaces.

 

[Console Crunch]

XenForo does not use or expose any XML-RPC interfaces.

Then why if someone hits me with xml rpc method my site goes down? Please let me know any idea to fix it

 

[Mike]

It sounds to me that the issue is simply that you're being DDoS'd. A DDoS generally needs to be resolved above the application layer (blocking earlier in the network).

 

[TPerry]

Then why if someone hits me with xml rpc method my site goes down? Please let me know any idea to fix it

You need to ask them if it is a WordPress PingBack DDOS attack.
https://wordpress.org/plugins/disable-xml-rpc-pingback/
http://blog.sucuri.net/2014/03/more...for-distributed-denial-of-service-attack.html

 

[Allan]

Yet it crashes Forums XenForo easily.

I just take the test, and the forum is inaccessible for more than 30 minutes without being able to do anything, it is the fault of a relative has XenForo and via a wordpress website.

 

[TPerry]

Yet it crashes Forums XenForo easily.

I just take the test, and the forum is inaccessible for more than 30 minutes without being able to do anything, it is the fault of a relative has XenForo and via a wordpress website.

The WordPress PingBack attack will bring (if large enough) any site down unless it is protected. Just another case of where a feature of WordPress should be disabled unless specifically needing it.

 

[Mike]

The pingback issue is other sites attacking you. It's a DDoS. You can really point it at any server, just dynamic applications will be easier to attack given that they use CPU to work. DDoSes need to be handled increasingly far up the chain (potentially before they hit your network if they're big enough).

 

[Allan]

The pingback issue is other sites attacking you. It's a DDoS. You can really point it at any server, just dynamic applications will be easier to attack given that they use CPU to work. DDoSes need to be handled increasingly far up the chain (potentially before they hit your network if they're big enough).

The WordPress PingBack attack will bring (if large enough) any site down unless it is protected

How to protect this attack?

 

[Allan]

I found this:

Deny from .wordpress.org
Deny from 93.158.202.80
Deny from 93.158.202.49

Add in htaccess. Possible solution ?

 

[TPerry]

I found this:

Deny from .wordpress.org
Deny from 93.158.202.80
Deny from 93.158.202.49

Add in htaccess. Possible solution ?

If those are the only two.. but the attack is typically a distributed attack. I helped one guy out that was getting slammed by approximately 248 different WordPress sites and the concurrent requests were in the hundreds. There is no simple firewall (server based) that is going to prevent it. It has to be done upstream in the network at the switch/router layer (believe it's layer 7).

The links I gave you explain it pretty well. By the time you block as you are doing, they are already hitting your server and your slammed. It needs to be stopped before it reaches that point.

 

[Allan]

Solution:

<files xmlrpc.php= » »>

Order allow,deny

Deny from all

</files>

 

[TPerry]

Solution:

<files xmlrpc.php= » »>

Order allow,deny

Deny from all

</files>

I don't think you are fully understanding.. your HTTP server is STILL getting hit by it before the above can be processed... which means you are still suffering the attack.

It has to be blocked/mitigated before it even hits your HTTP server - which is why I said it has to be done in the upstream (usually by a DDOS mitigation server or hardware device that is in place).

 

[Allan]

From what I read, the attack is realized in fact, the number of visitors to pass 450-500 but the site is not planted.

 

[TPerry]

From what I read, the attack is realized in fact, the number of visitors to pass 450-500 but the site is not planted.

The HTTP server still has to service the request before it can deny it. By servicing the request it means that a resource is allocated. The more of those requests it has to service the more it has to deny... but it still has to service them. That is what the DDoS aspect is. They saturate your HTTP server by overloading it with requests.

Take my word for it... if it is a decent attack, the method you outlined will NOT prevent it from happening. Been there, done that, got the t-shirt, the baseball cap, the coffee cup, and all those related items.
The only way you can stop it on your server is to move your HTTP server to an alternative port than 80 so that it doesn't receive those requests. But then folks can't get to your site because port 80 is the standard HTTP port.

 

[Mike]

You can mitigate a small attack at the web server level. We were actually hit by it yesterday and had around 20,000 requests in a short span from a lot of hosts. It's just a standard resource exhaustion sort of thing. Blocking the requests as the server level may help with a "small" attack.

 

[iGloo']

Up.
My website actually get hits a lot by that kind of attack, there's a miracle solution? I know that some of my concurrent websites were under attacks those last weeks too, and they find a way to mitigate it, but I don't know how, but it seems that they block the maximum connections at 500 or something like that, sometimes when I visit them, they just crash for 10 seconds and then are back for a long time. I would like to know how to protect that. I'll try to contact them, but I don't think that they will help me out.
Thanks in advance if you can provide me a miracle response.

 

[TPerry]

There is no "miracle solution" that is cheap/free. There are Layer 7 DDOS mitigation services that you can use - but most of them cost (those that are effective).
You can limit the # of connections from 1 IP via your HTTP server - but you can still be hit so heavy that doesn't do any good. The only definite way to prevent it from happening is a hardware solution between you (your server) and the interwebz. There are companies out that provide that.
You can further have a firewall rule that detects the wp string and drops all connections - but again, it still is connecting for a short period so if you have 60,000 connections in a short time you will be going down usually.