
WAFs -v- Endpoint Plugins

I’ve been reading some misleading articles on the subject of Endpoint vs Cloud Security, most notably this one from Wordfence. Ironically, I have used Wordfence a lot: their free plugin is often my first recommendation for someone with a $10 a month hosting account who doesn’t want to spend an equal amount on security, and it does a great job of protecting most sites from the most common brute force attacks and blocking vulnerability scanners. GoDaddy actually pre-installs a similar but lightweight (no bloatware) plugin, Limit Login Attempts, on all new installations of WordPress, which is great for the purpose.

But this latest post of theirs, discussing bypassing, is disingenuous in the extreme; we all know that bypassing is easily mitigated, and it is actually quite rare to even see it. “Security” plugin vendors only like to talk about Layer 7 DDoS attacks, which is obvious as that is the niche they have carved out for themselves, yet they really don’t handle them at all well, which is quite ironic. And they offer zero answers for Layer 3/4 attacks and again rely on the host, whereas a WAF (Web Application Firewall) such as Sucuri’s absorbs it all (L7 and L3/4) for you, often with clients never knowing anything about it. While you rely on a “security” plugin alone, your host could be taking you offline or charging you for extra bandwidth.

You have to remember that any “security” plugin is using your site’s precious resources for all of its filtering and mitigation, sometimes slowing the site down during regular browsing, which should be a worry for anyone concerned with SEO, as Google prefers faster sites.

But just so I had some evidence to back this up, I ran some tests, setting up two Ubuntu 16.04 servers at DigitalOcean with private networking enabled: one with a default install of WordPress, the Genesis theme and no other plugins, and the other an attack platform with wrk installed, which is easily set up and run:

apt-get update
apt-get install git make gcc luajit
# development headers are needed to build wrk against the system LuaJIT and OpenSSL
apt-get install libluajit-5.1-dev libssl-dev
git clone https://github.com/wg/wrk.git
cd wrk
# WITH_LUAJIT and WITH_OPENSSL are Makefile variables, so they go on the make command line
make WITH_LUAJIT=/usr WITH_OPENSSL=/usr
# 32 threads, 100 open connections, 30 seconds, against the victim's private IP
./wrk -t32 -c100 -d30s http://10.128.26.XX

Emulating a classic DDoS attack, here is how the attacks played out, rebooting between each attack. Firstly, before the attack was launched, I am showing 654260 available memory.

[Screenshot: victim, no load]

First I tried an attack while blocking all but Sucuri’s IPs using UFW (my preferred method); the attack had zero effect on the victim, available memory stayed the same, and wrk just gave up. Then I tried again under load with Sucuri Firewall’s bypass prevention code added to the .htaccess:

<FilesMatch ".*">
 Order deny,allow
 Deny from all
 Allow from 192.88.134.0/23
 Allow from 185.93.228.0/22
 Allow from 2a02:fe80::/29
 Allow from 66.248.200.0/22
</FilesMatch>

In its simplicity this is most people’s preferred option to prevent bypass, and it works in nearly all situations, unlike UFW/iptables, which won’t. It wasn’t pretty, but the site stayed up, with available memory dropping to 561380, whilst serving 129279 HTTP 403 block responses in 30 seconds.
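As an added example (not part of the original post, and not Sucuri’s own tooling), this Python script audits an origin server’s access log against the Sucuri ranges listed in the .htaccess above: hits that arrived through the firewall are counted, direct hits that Apache refused with a 403 show the bypass prevention working, and direct hits that were actually served are the evidence that the .htaccess is missing or misconfigured. The log lines are constructed samples and the regex assumes Apache’s combined log format.

```python
import ipaddress
import re

# The Sucuri firewall ranges from the .htaccess above; any request reaching the
# origin from an address outside them has gone around the WAF.
WAF_RANGES = [ipaddress.ip_network(n) for n in (
    "192.88.134.0/23", "185.93.228.0/22", "2a02:fe80::/29", "66.248.200.0/22")]

def is_from_waf(ip):
    """True when the client address belongs to one of the WAF ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WAF_RANGES)  # v4/v6 mismatch is simply False

# Apache combined log format; groups: client ip, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def audit_origin_log(lines):
    """Split origin hits into: served via the WAF, direct hits blocked with 403
    (bypass prevention working), and direct hits that were served (bypass
    succeeded, so the .htaccess rules or the ranges need checking)."""
    report = {"via_waf": 0, "direct_blocked": 0, "direct_served": []}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        if is_from_waf(ip):
            report["via_waf"] += 1
        elif status == 403:
            report["direct_blocked"] += 1
        else:
            report["direct_served"].append((ip, path, status))
    return report

# Constructed sample log: two hits through the WAF (one IPv4, one IPv6), one
# direct hit correctly refused, and one direct hit that got through.
SAMPLE_LOG = [
    '192.88.134.10 - - [01/Jun/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2a02:fe80::1 - - [01/Jun/2017:10:00:02 +0000] "GET /feed/ HTTP/1.1" 200 3800 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jun/2017:10:00:03 +0000] "GET / HTTP/1.1" 403 199 "-" "wrk"',
    '198.51.100.9 - - [01/Jun/2017:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.47.0"',
]
```

Anything in direct_served after the .htaccess is in place means requests are still reaching the origin unfiltered, which is exactly what UFW rules on the host alone would also miss.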

[Screenshot: victim under load with bypass prevention]

Then I removed the bypass prevention code and hit the site with Wordfence only, in its default installation, and crashed the site in the first few seconds; it responded to only 29 requests before server timeout errors were served, with available memory dropping to 114228. Notice also how the database is being affected, unlike where the bypass prevention code was used.

[Screenshot: victim under load with Wordfence]

I did run an attack head on at the site while it was behind the Sucuri firewall; the website didn’t see a thing. After a few 403 errors were served by the firewall, the IDS kicked in, and the victim would never have noticed. I also ran an attack against the “naked” site, which went down in 4 seconds.

For fun I attacked the site protected by Wordfence alone again, but increased the time to 120 seconds; MySQL needed restarting to recover site function.

This was not a real DDoS attack of course, as I only launched a single application from a single server, but it was a very good replication of one, and it was crippling against Wordfence, as if it wasn’t even installed; it even behaved slightly worse than the naked site. While their suggestion to pass that mitigation on to the host works, hosts do charge for that as an additional service, and in many cases just shut your site down due to excess resource usage; that would be the case for any hosting costing less than $30 a month.

I’d suggest that Wordfence have no understanding of the concept of defence in depth, and rather than complementing a real firewall, they are trying to make out that their plugin is the answer to all your WordPress security concerns, which it just is not. Daniel Cid, CTO of Sucuri, discusses this dangerous marketing method.

Disclaimer, I do work for Sucuri as the Sucuri Firewall support team lead.

DDoS on WordPress using the search feature

This fairly low-tech DDoS can easily take down an under-resourced WordPress website; what you will see in your logs is something like:

/?s=SwCGbtyTPFbgIy 19:02:40
/?s=rNiwiuFckGegR 19:02:49
/?s=SwCGbtyTPFbgIy 19:02:53
/?s=SwCGbtyTPFbgIy 19:02:56
/?s=SwCGbtyTPFbgIy 19:03:01
/?s=mYwyTaXVqvlW 19:03:12
/?s=SwCGbtyTPFbgIy 19:03:18
/?s=mYwyTaXVqvlW 19:03:22
/?s=rNiwiuFckGegR 19:03:22
/?s=mYwyTaXVqvlW 19:03:32

Sometimes you will see different HTTP User-Agents in each of the requests; also, normally you’ll see the requests coming from multiple IP addresses.

What’s causing the damage here is the /?s= query, which will be followed by some garbage text (as above) or a couple of random words, triggering a database lookup that uses more server resource than any other visitor request. The attacker doesn’t need to be using a browser; this can easily be scripted, and there are automated tools which will launch these search attacks, limiting the number of visits from each IP so as not to trigger most firewalls, and also randomising the search request so there is less chance it would be found in a cache, which would not have the same disruptive effect.
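An added example, not from the original post: a Python detector that runs over access log lines and counts search (/?s=) requests in a sliding window across all source IPs combined, since the tools described above spread requests over IPs and user agents precisely to stay under per-IP limits. It also reports how many distinct search terms, IPs and user agents were involved, the randomisation that defeats the page cache. The sample lines are constructed to mirror the burst shown above; the regex assumes Apache’s combined log format, and the window and threshold are assumptions to tune per site.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format; groups: ip, timestamp, path, status, user-agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_search_requests(lines):
    """Keep only WordPress search hits (/?s=...) as (ip, time, term, user_agent)."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "?s=" not in m.group(3):
            continue  # unparseable line or not a search request
        ip, ts, path, _status, ua = m.groups()
        term = path.split("?s=", 1)[1].split("&", 1)[0]
        out.append((ip, datetime.strptime(ts, TS_FMT), term, ua))
    return out

def detect_search_flood(lines, window=timedelta(seconds=60), threshold=8):
    """Flag a flood when at least `threshold` search hits, from any mix of IPs,
    fall inside one sliding window; per-IP counting is what the attack tools evade."""
    reqs = sorted(parse_search_requests(lines), key=lambda r: r[1])
    peak, start = 0, 0
    for end, (_ip, ts, _term, _ua) in enumerate(reqs):
        while ts - reqs[start][1] > window:  # drop hits older than the window
            start += 1
        peak = max(peak, end - start + 1)
    return {
        "flood": peak >= threshold,
        "peak_requests_in_window": peak,
        "search_requests": len(reqs),
        "distinct_terms": len({r[2] for r in reqs}),  # randomised terms bust the cache
        "source_ips": len({r[0] for r in reqs}),
        "user_agents": len({r[3] for r in reqs}),
    }

# Constructed sample log: one legitimate search and one page view at 18:50, then
# the ten-hit burst from above spread over three IPs and two user agents.
_UA = ["Mozilla/5.0 (Windows NT 6.1)", "curl/7.35.0"]
_BURST = [("19:02:40", "SwCGbtyTPFbgIy"), ("19:02:49", "rNiwiuFckGegR"), ("19:02:53", "SwCGbtyTPFbgIy"),
          ("19:02:56", "SwCGbtyTPFbgIy"), ("19:03:01", "SwCGbtyTPFbgIy"), ("19:03:12", "mYwyTaXVqvlW"),
          ("19:03:18", "SwCGbtyTPFbgIy"), ("19:03:22", "mYwyTaXVqvlW"), ("19:03:22", "rNiwiuFckGegR"),
          ("19:03:32", "mYwyTaXVqvlW")]
_LINE = '%s - - [10/Jan/2015:%s +0000] "GET %s HTTP/1.1" 200 5210 "-" "%s"'
SAMPLE_LOG = [_LINE % ("198.51.100.2", "18:50:05", "/?s=genesis", _UA[0]),
              _LINE % ("198.51.100.2", "18:50:20", "/about/", _UA[0])] + [
    _LINE % ("203.0.113.%d" % (4, 9, 17)[i % 3], t, "/?s=" + term, _UA[i % 2])
    for i, (t, term) in enumerate(_BURST)]
```

On the sample the window count reaches 10 while no single IP exceeds 4 requests, which is why a per-IP rule alone stays quiet.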

This has been a vulnerability in WordPress for over five years, and while I understand the WordPress developers are not able to stop the search feature being abused, surprisingly they have provided no way to disable the public-side search function in the admin settings.

If you want to continue offering the search feature as is, but it is being abused, you will need to use a firewall such as CloudProxy to enforce JavaScript in a browser using the Emergency DDoS Protection, or CloudFlare’s delayed access “I’m Under Attack” protection (also using JavaScript).

If you can live without the WordPress search feature, and I suspect most sites can, as many templates don’t even have a search button, meaning the search feature would never be used by a legitimate user anyway, you can use a plugin such as “Disable Search” to remove that function. Or you can hack it out yourself by adding:

// Disable the front-end search: turn any search query into a plain page request
// (or a 404 when $error is true) so the expensive database lookup never runs.
function fb_filter_query( $query, $error = true ) {
    if ( is_search() ) {
        $query->is_search       = false;
        $query->query_vars['s'] = false;   // array keys must be quoted strings
        $query->query['s']      = false;
        // Serve the theme's 404 page instead of search results.
        if ( $error == true ) {
            $query->is_404 = true;
        }
    }
}
add_action( 'parse_query', 'fb_filter_query' );

// Hide the search form markup. An anonymous function replaces the original
// create_function() call, which was deprecated in PHP 7.2 and removed in PHP 8.
add_filter( 'get_search_form', function( $form ) { return null; } );

to the theme’s functions.php file.

Note: if you set $error to true, then the user will be redirected to your 404 page (the theme’s 404.php must exist). If you set it to false, then the user stays on the page where they tried to run the search.
(script borrowed from WPBeginner.com)

Of course, if your template has a search button, that would need to be removed separately in the CSS, though removing the button alone is not enough. To remove the search button in the Twenty Fourteen theme, add this to your .css:

.search-toggle { display: none; }

Another mitigation might be to disable WordPress’s default search feature and enable something like the WP Google Search plugin and widget, which leverage Google’s search engine to serve search for your site.


Cyberwar on free speech and small businesses

The last month has seen a major increase in international cyber warfare. First we had North Korea hacking Sony, which, apart from the embarrassment caused by leaked documents, forced them to shut down their entire network, and they claim some of their computers still don’t work, all at an expected cost of $169m. The stated reason North Korea launched this attack at the time was the upcoming release of the comedy film The Interview, which ridiculed their dictator Kim Jong-un; although North Korea never admitted their involvement, there is compelling evidence.

Cinemas refused to show the film, fearing for both their online and physical security. I am pleased to say that Sony did the right thing and released the film online.

Will Sony be brave enough in the future to take on a film that might upset those who might be offended? Sadly, I doubt it, and I think we see that all media has now been silenced. We can see this in my next example: only a couple of weeks ago, jihadists attacked the offices of the Charlie Hebdo satirical magazine in Paris, murdering 12 staff, including the 5 cartoonists whose only crime was exercising their wit with satirical cartoons. But this was not the cyber attack; what followed was 19,000 French websites hacked, the vast majority of which were not targeted and had no connection to Charlie Hebdo; they were mostly just small businesses with lax security.
But what did happen, and proved how scared the media were, terrorized even, was the refusal to publish even one of the Charlie Hebdo cartoons that had caused the offence. I understand that they might not normally show this sort of material, but when it is the subject matter of a major news story, its absence can only mean that the threats have worked and true freedom of speech is dead, not by some change in the law, but from cyber and physical terrorism.
Cyber attacks are taking centre stage at Davos 2015, the World Economic Forum, with “a report that warns failing to improve cyber security could cost the global economy $3tn”. While Sony, the blue chips, infrastructure and government are sure to benefit from any investment, I don’t expect to see any help for the small businesses and blogs, as we have seen with the 19,000 French sites; and although not free speech related, we saw a similar attack last year on a country’s random small vulnerable sites, again mostly small businesses, in Israel.
I think Craig Hockenberry’s recent DDoS attack is an interesting and worrying story, and we will be hearing a lot more of these types of cyber attack in the future. The way all those countries/regimes that wish to direct all speech to protect their own interests block access to internet traffic, the way they block their citizens (or if you like prisoners) from accessing certain parts of the internet (I hear Disney is blocked in Iran), is to poison the DNS, so when you type in some restricted site, you are taken to some other place. It could be any site they want taken down, as the effect is a massive DDoS, and as a friend of Craig’s said, “They have weaponized their entire population”.