DDOS

Created by Waterpigs.co.uk on September 16

• Tue, September 16 waterpigs.co.uk Stubbed page with definition, webmention example, potential solutions, example code, myself as indieweb example
• Tue, September 16 waterpigs.co.uk Added additional possible preventative measure, using expiring webmention endpoints
• Tue, September 16 bret.io /* Webmention */
• Tue, September 16 jonnybarnes.uk /* Webmention */ comment that cURL requests should still be possible
• Tue, September 16 www.flutterby.net user:danlyke /* Webmention */ added suggestion to spread load out temporally
• Tue, September 16 waterpigs.co.uk
• Wed, September 17 aaronparecki.com /* Indieweb Examples */
• Thu, September 18 tantek.com add subheads, for each how to method, cluster code/downside of IP checking with that suggestion
• Thu, September 18 tantek.com resources related to the WordPress pingback vulnerability
• Thu, September 18 waterpigs.co.uk Copy edits, moved most commonly implemented fix to the top of the list

This article is a stub. You can help the IndieWebCamp wiki by expanding it.

DDOS stands for Distributed Denial of Service, and refers to an attack involving a large quantity of computers making many simultaneous requests to a single site.

Webmention

As webmention uses the exact same notification/fetch/verify flow as Pingback (but without the unnecessary XMLRPC) it is vulnerable to the known pingback DDOS attack.

Resources related to the WordPress pingback vulnerability:

• Check if your WordPress site was pingback abused
• Beware : Your Site Is Part of a WordPress Pingback DDoS Botnet

Specifically, the attack involves an attacker creating a list of many (potentially hundreds of thousands) of websites which support webmention, and sending them all fake webmentions pointing towards the same source URL. All of the servers fetch the same URL simultaneously, and the victim’s servers are overloaded. The attack is unblockable because the attacks come from many different IP addresses.

How to avoid

There are several possible measures which could be taken to prevent unwitting participation in this attack.

Expiring token in endpoint

Add an expiring, random or encrypted token to webmention endpoints, preventing the accumulation of lists of endpoints and forcing attackers to look up the webmention endpoint of each of the sites they want to use to DDOS a victim.

Check client IP

Check the client IP of the incoming webmention POST request against the possible IPs of the source URL hostname — if they don’t match, ignore the webmention without ever fetching the source URL.

Example PHP webmention endpoint source code:

// Anti-webmention DDOS measures
$sourceIps = gethostbynamel(parse_url($source, PHP_URL_HOST));
if ($sourceIps === false) {
  // The source host cannot be resolved. Accept only if whitelisted IPs match.
  $sourceIps = [];
}

$sourceIps = array_merge($sourceIps, $whitelistedIPs);

if (!in_array($request->getClientIp(), $sourceIps)) {
  // Error!
  return new MentionException('x_request_not_from_source_ip', 'The webmention request didn’t come from an IP address which matched the source hostname.');
}

• This method requires web mentions to be sent by the web server only which isn't necessarily practical all the time. Things like web mention endpoints separate from the web server don't seem possible with this method. This also breaks the use of curl from any IP. This seems overly restrictive. --Bret Comnes 10:38, 16 September 2014 (PDT)
  • As Barnaby notes, the endpoint could accept a hashcash with the request, this should in theory allow one to make requests from cURL --Jonnybarnes.uk 10:50, 16 September 2014 (PDT)

Hashcash

Require a hashcash “payment” parameter or header on incoming webmentions, accepting them if they’ve put enough processing power into the request to slow down a DDOS.

HEAD request source first

(Amplification mitigation) do a HEAD request to the source URL and check for text/html content type. This doesn’t prevent excess requests but it might reduce server load if the attacker is trying to DDOS a large, expensive-to-serve file e.g. video.

Queue and delay GET source

(Immediate load mitigation) queue and randomly delay actually performing the GET request for the source URL.

Indieweb Examples

• Barnaby Walters implemented expiring webmention endpoint tokens as of 2014-09-16; previously had implemented client IP checking on waterpigs.co.uk but ran into problems
• Aaron Parecki implemented expiring webmention endpoints on 2014-09-16. Each request to discover the webmention endpoint for a post results in a unique endpoint that is valid for 5 minutes.
• …add yourself here!

See Also

• webmention
• spam