Christophe Casalegno

Under WordPress “Pingback” DDoS Attack ? Use iptables

WordPress “Pingback” DDoS attacks can generate a lot of requests to your website that can affect performances and availability.  You can recognize easily this attacks : you just need to do a tail -f  on your logs and you’ll probably see thousand of request that have a User-Agent “WordPress xxxx” on it. I don’t think bots are really interested by your website…
 
You can use rules in your .htaccess to block the user User-Agent but the best method for stopping it without charging your webserver is to use iptables :


iptables -N Wpddosblock
iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /' -j Wpddosblock
iptables -A Wpddosblock -p tcp --dport 80 -m string --to 80 --algo bm ! --string 'User-Agent: WordPress/' -j RETURN
iptables -A Wpddosblock -p tcp --dport 80 -m string --to 300 --algo bm --string 'verifying pingback from' -j DROP
iptables -A Wpddosblock -j RETURN

You can also directly download my shellscript that do this for you here : wpddosblock.sh

You can do directly on your server :


wget --no-check-certificate https://www.christophe-casalegno.com/tools/wpddosblock.sh
chmod +x wpddosblock.sh
./wpddosblock.sh

 
If you can’t use iptables because your website use ssl via https, you can also block temporally the request of the attack with your .htaccess or in your vhost configuration.

You can use :


Order Deny,Allow
SetEnvIf User-Agent WordPress keep_out
Deny from env=keep_out

or


RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} WordPress
RewriteRule .* - [F]


Christophe Casalegno
https://twitter.com/Brain0verride

Leave a Comment