
I've had some DDoS issues - specifically the XML-RPC exploit (WordPress) wherein thousands upon thousands of WordPress instances attack my machine.

I have the following in my nginx server block:

    if ($http_user_agent ~ WordPress) { return 444; }

While it does terminate all of the WordPress connections, it still overloads the CPU.

Here are my server specs:

Ubuntu 16.04 LTS - E3-1230v5, 16G DDR4, and an SSD.

I would've assumed that it would be able to handle far more, but that doesn't appear to be the case. I have attempted to block the WordPress user agent automatically using fail2ban, but all that appeared to do is create a few thousand iptables rules with no end in sight.

Is there a more performant way to block this attack? Thanks.

night

1 Answer


Is Nginx overloading your CPU? Then you're the target of a sizeable DDoS attack. (Here's a nice explanation of the XML-RPC reflection attack with WordPress.)

I don't think you'll get a better result than what you've already done just with Nginx.

You can try using something like CloudFlare. Keep in mind, though, that you should change your IP to hide behind CloudFlare (if your attacker knows your IP, he/she can still circumvent CloudFlare by sending requests to your IP).

Pablo M
  • Hmm, I originally thought it was a sizeable attack; however, there only seems to be a handful of requests (10/s or less) going on. – night Jul 02 '16 at 20:08
  • 10 hits/s can overload WordPress / PHP if it gets all the way through to PHP - PHP is pretty inefficient. If it's only hitting Nginx it shouldn't be an issue. Suggest you completely block XML-RPC regardless of user agent. CloudFlare is a good idea too, they'll remove a lot of bad traffic. There's also a JSON API, disable that too. – Tim Jul 03 '16 at 01:12
  • I am not using WordPress, the attack is overloading nginx itself. There is apparently an attack that allows an attacker to tell WordPress to start flooding my site. I use nginx as a load balancer for my node app - simply filtering out the compromised WordPress instances is too taxing for my system. I cannot use Cloudflare due to the requirements of my app. Checking back now, the attack seems to be 20k - nginx was too overloaded for the logfile to be written at a sufficient pace. However, 20k is only a quarter of what I get with a synthetic benchmark with wrk. – night Jul 03 '16 at 21:59
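The asker's fail2ban attempt produced thousands of individual iptables rules; the usual fix for that scaling problem is to feed the offending source addresses into one ipset and match the whole set with a single iptables rule, so the packets are dropped before nginx ever sees them. The following is an added example (not code from the question or answers) that parses nginx combined-format log lines, counts hits per source address carrying the pingback user agent, and emits the ipset restore input; the set name `wp_pingback`, the 3600 s entry timeout, and the sample log lines are all constructed assumptions.

```python
import re
from collections import Counter

# nginx "combined" log format: addr ident user [time] "request" status bytes "referer" "user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Pingback traffic announces itself as "WordPress/<version>; <site url>"; anchoring at the
# start avoids catching a browser UA that merely mentions WordPress somewhere in its string.
WP_UA_RE = re.compile(r'^WordPress/\d')

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def offending_ips(lines, min_hits=3):
    """Count hits per source address that carry a WordPress UA; keep those at or above min_hits."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and WP_UA_RE.match(entry['ua']):
            counts[entry['ip']] += 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}

def ipset_restore_script(ips, setname='wp_pingback', timeout=3600):
    """Build input for `ipset -exist restore`: one hash:ip set whose entries expire after
    `timeout` seconds, so a blog that gets cleaned up is unblocked without manual firewall edits."""
    out = [f'create {setname} hash:ip timeout {timeout}']
    out += [f'add {setname} {ip}' for ip in sorted(ips)]
    return '\n'.join(out) + '\n'

# Constructed sample log using documentation addresses; not taken from the question.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jul/2016:21:59:01 +0000] "GET / HTTP/1.1" 444 0 "-" "WordPress/4.5.3; http://blog-a.example"
203.0.113.10 - - [03/Jul/2016:21:59:01 +0000] "GET / HTTP/1.1" 444 0 "-" "WordPress/4.5.3; http://blog-a.example"
198.51.100.7 - - [03/Jul/2016:21:59:02 +0000] "GET / HTTP/1.1" 444 0 "-" "WordPress/4.4.2; http://blog-b.example"
192.0.2.1 - - [03/Jul/2016:21:59:02 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [03/Jul/2016:21:59:03 +0000] "GET / HTTP/1.1" 444 0 "-" "WordPress/4.5.3; http://blog-a.example"
198.51.100.7 - - [03/Jul/2016:21:59:03 +0000] "GET / HTTP/1.1" 444 0 "-" "WordPress/4.4.2; http://blog-b.example"
192.0.2.55 - - [03/Jul/2016:21:59:04 +0000] "GET / HTTP/1.1" 444 0 "-" "WordPress/4.5.3; http://blog-c.example"
"""

if __name__ == '__main__':
    # A single iptables rule then consumes the whole set, however many addresses it holds:
    #   iptables -I INPUT -p tcp --dport 80 -m set --match-set wp_pingback src -j DROP
    print(ipset_restore_script(offending_ips(SAMPLE_LOG.splitlines(), min_hits=2)), end='')
```

Pipe the script's output into `ipset -exist restore` from a cron job or a log tailer; the `-exist` flag makes re-adding an address that is already in the set a no-op, and the timeout keeps the set from growing without bound.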