xmlrpc and bots

Some time ago, I was told I should give back to the Internet and post some technical musings. As one does, I grabbed some off the shelf software and set up Apache on a little tiny virtual server. Off we went.

Some time later, I started getting alarms that the host was not responding or that one of the services had crashed. I’d fix the issue and some time later it would happen again.

Digging into this a little deeper I saw that all of the available Apache threads were active but there was little activity in the access/error logs. Something was causing them to hang. In response to this, I cranked down the time-outs in Apache.

This worked a little.

The site was afloat for longer periods of time before it would crash or hang. In digging deeper, I noticed that xmlrpc.php was being hit more than occasionally. What the heck is xmlrpc.php?

From xmlrpc.com:

It’s a spec and a set of implementations that allow software running on disparate operating systems, running in different environments to make procedure calls over the Internet.

It’s remote procedure calling using HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned.

Okay, so it’s a service in WordPress that allows for remote calls to be made, much like RPC. I’m not sure I need that service…Wait…What’s that link a few down in my Google Search.

WordPress “Pingback” DDoS Attacks

Crap snacks…

Turns out there is an opening in xmlrpc which allows malicious types to send requests from my host to victims’ systems. WordPress had this service enabled by default. I went through and disabled it in 3 different ways! Lo and behold, my site stopped crashing!

Looking at the logs, I see that more bots than available Apache threads are trying to open xmlrpc.php. They would connect and hold the connection open while DDoSing some poor soul. This is what was causing the site to stop responding.
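As an added example that is not part of the original post, here is the sort of check one can run over an Apache access log to confirm this pattern: it parses combined-format lines, counts requests to xmlrpc.php per client address, and flags any address at or above a threshold. The log lines and addresses below are constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation address ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 9081 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.88"
192.0.2.55 - - [10/Oct/2023:13:57:10 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 370 "-" "WordPress/6.3"
192.0.2.55 - - [10/Oct/2023:13:57:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.3"
this line is malformed and must be skipped
"""

def xmlrpc_hits(log_text):
    """Count requests to xmlrpc.php, keyed by (client ip, HTTP method)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                                   # not combined format, skip it
        path = m.group("path").split("?", 1)[0]        # drop any query string
        if path.endswith("/xmlrpc.php"):
            counts[(m.group("ip"), m.group("method"))] += 1
    return counts

def noisy_clients(log_text, threshold=2):
    """Return {ip: total xmlrpc.php hits} for clients at or above the threshold."""
    per_ip = Counter()
    for (ip, _method), n in xmlrpc_hits(log_text).items():
        per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(noisy_clients(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} requests to xmlrpc.php")
```

On a real server, read the log file into `log_text` and raise the threshold to whatever fits normal pingback traffic for the site.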

Hmmm…I wonder if those Internet security researchers have my site in their databa..oh..yeah…there I am…shucks.

Sorry poor hapless DDoS recipients. Mea culpa!

Blocking Web Ads

While wandering through the Interwebs, I happened across an interesting post on blocking ads with Bind9 and an IP blacklist here. The instructions looked pretty simple, and, being a geek technical professional, I had a Bind server running at home. I gave it a go and thought nothing more of it.

The next day I got a small start when I saw a whole bunch of 404s on the web server running on that host. It shouldn’t be contactable from the Interwho. A moment passes and I realize it’s the lookups for the blacklist hosts hitting my web server. What the heck? I am running AdBlock Plus. I guess some are still slipping through the cracks. Quite a few it seems!

Seeing the value in running this all over the place, I figured I’d whip up a Docker container for deploying this quickly and simply. Grab the Docker image thusly:

docker pull matt604/docker-ad-blocking-dns

or the Dockerfile et al. are here