Pingback

Last updated

A pingback is one of four types of linkback methods for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to their articles. Some weblog software and content management systems, such as WordPress, Movable Type, Serendipity, and Telligent Community, support automatic pingbacks where all the links in a published article can be pinged when the article is published. Other content management systems, such as Drupal and Joomla, support pingbacks through the use of addons or extensions.

Contents

Essentially, a pingback is an XML-RPC request (not to be confused with an ICMP ping) sent from Site A to Site B, when an author of the blog at Site A writes a post that links to Site B. The request includes the URI of the linking page. When Site B receives the notification signal, it automatically goes back to Site A checking for the existence of a live incoming link. If that link exists, the pingback is recorded successfully. This makes pingbacks less prone to spam than trackbacks. Pingback-enabled resources must either use an X-Pingback header or contain a <link> element to the XML-RPC script.

History

The Pingback specification was developed in 2002 by Stuart Langridge, Simon Willison, and Ian Hickson. [1] [2] [3] [4] [5]

Exploits

In March 2014, Akamai published a report about a widely seen exploit involving pingback that targets vulnerable WordPress sites. [6] This exploit led to massive abuse of legitimate blogs and websites and turned them into unwilling participants in a DDoS attack. [7] Details about this vulnerability have been publicized since 2012, [8] with Akismet reporting in 2013 that "almost 100% of trackbacks and pingbacks are spam". [9]

The pingback attacks consist of "reflection" and "amplification": an attacker sends a pingback to a legitimate Blog A, but providing information of the legitimate Blog B (impersonation). [10] Then, Blog A needs to check Blog B for the existence of the informed link, as it's how the pingback protocol works, and thus it downloads the page off Blog B server's, causing a reflection. [10] If the target page is big, this amplifies the attack, because a small request sent to Blog A causes it to make a big request to Blog B. [10] This can lead to 10x, 20x, and even bigger amplifications (DoS). [10] It's even possible to use multiple reflectors, to prevent exhausting each of them, and use the combined amplification power of each to exhaust the target Blog B, being by overloading bandwidth or the server CPU (DDoS). [10]

WordPress changed a bit how the pingback feature works to mitigate this kind of vulnerability: the IP address that originated the pingback (the attacker address) started being recorded, and thus shown in the log. [11] Notwithstanding, in 2016, pingback attacks continued to exist, supposedly because the website owners don't check the user agent logs, that have the real IP addresses. [11] [10] It has to be noted that, if the attacker is more than a script kiddie, he will know how to prevent his IP address being recorded, by, for example, sending the request from another machine/site, so that this machine/site IP address is recorded instead, and the IP logging then, becomes less worthy. [12] Thus, it's still recommended to disable the pingbacks, to prevent attacking other sites (although this does not prevent being target of attacks). [11]

See also

Related Research Articles

<span class="mw-page-title-main">Denial-of-service attack</span> Type of cyber-attack

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.

<span class="mw-page-title-main">IP address spoofing</span> Creating IP packets using a false IP address

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system.

Spamdexing is the deliberate manipulation of search engine indexes. It involves a number of methods, such as link building and repeating unrelated phrases, to manipulate the relevance or prominence of resources indexed in a manner inconsistent with the purpose of the indexing system.

A trackback allows one website to notify another about an update. It is one of four types of linkback methods for website authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to their articles. Some weblog software, such as SilverStripe, WordPress, Drupal, and Movable Type, supports automatic pingbacks where all the links in a published article can be pinged when the article is published. The term is used colloquially for any kind of linkback.

Spam in blogs is a form of spamdexing which utilizes internet sites that allow content to be publicly posted, in order to artificially inflate their website ranking by linking back to their web pages. Backlinking helps search algorithms determine the popularity of a web page, which plays a major role for search engines like Google and Microsoft Bing to decide a web page ranking on a certain search query. This helps the spammer's website to list ahead of other sites for certain searches, which helps them to increase the number of visitors to their website.

<span class="mw-page-title-main">The Spamhaus Project</span> Organization targetting email spammers

The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to take action against what they allege to be spammers. The correctness of this assessment by Spamhaus is regularly disputed. If the assessment is based on objective characteristics or on standards set by Spamhaus itself is disputed. The name spamhaus, a pseudo-German expression, was coined by Linford to refer to an internet service provider, or other firm, which spams or knowingly provides service to spammers. Spamhaus has been criticized to purposely hide all direct methods of contact from its webpages to avoid transparency, while asking transparency from others.

SpamCop is an email spam reporting service, allowing recipients of unsolicited bulk or commercial email to report IP addresses found by SpamCop's analysis to be senders of the spam to the abuse reporting addresses of those IP addresses. SpamCop uses these reports to compile a list of computers sending spam called the "SpamCop Blocking List" or "SpamCop Blacklist" (SCBL).

In blogging, a ping is an XML-RPC-based push mechanism by which a weblog notifies a server that its content has been updated. An XML-RPC signal is sent from the weblog to one or more Ping servers, as specified by originating weblog), to notify a list of their "Services" of new content on the weblog.

This is a list of blogging terms. Blogging, like any hobby, has developed something of a specialized vocabulary. The following is an attempt to explain a few of the more common phrases and words, including etymologies when not obvious.

<span class="mw-page-title-main">Blue Frog</span>

Blue Frog was a freely-licensed anti-spam tool produced by Blue Security Inc. and operated as part of a community-based system which tried to persuade spammers to remove community members' addresses from their mailing lists by automating the complaint process for each user as spam is received. Blue Security maintained these addresses in a hashed form in a Do Not Intrude Registry, and spammers could use free tools to clean their lists. The tool was discontinued in 2006.

<span class="mw-page-title-main">LifeType</span> Blogging platform

LifeType is an open-source blogging platform with support for multiple blogs and users in a single installation. It is written in PHP and backed by a MySQL database. LifeType is licensed under the GNU General Public License.

In networking, a black hole refers to a place in the network where incoming or outgoing traffic is silently discarded, without informing the source that the data did not reach its intended recipient.

A refback is one of four types of linkbacks, methods for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to their articles.

A linkback is a method for Web authors to obtain notifications when other authors link to one of their documents. This enables authors to keep track of who is linking to, or referring to, their articles. The four methods differ in how they accomplish this task.

<i>Serendipity</i> (software)

Serendipity is a blog and web-based content management system written in PHP and available under a BSD license. It supports PostgreSQL, MySQL, SQLite database backends, the Smarty template engine, and a plugin architecture for user contributed modifications.

<span class="mw-page-title-main">Fail2ban</span> Intrusion prevention software framework

Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.

<span class="mw-page-title-main">Simon Willison</span> Computer programmer

Simon Willison is a British programmer, co-founder of the social conference directory Lanyrd, and co-creator of the Django Web framework.

Email spammers have developed a variety of ways to deliver email spam throughout the years, such as mass-creating accounts on services such as Hotmail or using another person's network to send email spam. Many techniques to block, filter, or otherwise remove email spam from inboxes have been developed by internet users, system administrators and internet service providers. Due to this, email spammers have developed their own techniques to send email spam, which are listed below.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript fetch or XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

Webmention is a W3C recommendation that describes a simple protocol to notify any URL when a website links to it, and for web pages to request notifications when somebody links to them. Webmention was originally developed in the IndieWebCamp community and published as a W3C working draft on January 12, 2016. As of January 12, 2017 it is a W3C recommendation. Webmention enables authors to keep track of who is linking to, referring to, or commenting on their articles. By incorporating such comments from other sites, sites themselves provide federated commenting functionality.

References

  1. Langridge, Stuart (7 July 2002). "Making TrackBack happen automatically". Archived from the original on 2002-12-22. Retrieved 2022-05-31.
  2. Willison, Simon (2 September 2002). "Pingback implemented". simonwillison.net. Retrieved 2022-05-31.
  3. Hickson, Ian (2002-09-23). "Hixie's Natural Log: Pingback 1.0". ln.hixie.ch. Archived from the original on 2002-12-06. Retrieved 2022-05-31.
  4. "Pingback 1.0". simonwillison.net. 2002-09-24. Archived from the original on 2003-08-26. Retrieved 2022-05-31.
  5. "Pingback 1.0". www.hixie.ch. Retrieved 2022-05-31.
  6. Brenner, Bill. "Anatomy of Wordpress XML-RPC Pingback Attacks". The Akamai Blog, March 31, 2014 5:42 AM. Retrieved July 7, 2014.
  7. Cid, Daniel (10 March 2014). "More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack". Sucuri Blog, March 10, 2014. Retrieved July 7, 2014.
  8. Calin, Bogdan (17 December 2012). "WordPress Pingback Vulnerability". Accunetix, December 17, 2012 - 01:17pm. Retrieved July 7, 2014.
  9. Susan Richards (2013-05-21). "Spammers use trackbacks, pingbacks, and reblogs". PIED TYPE. Retrieved 2022-05-31.
  10. 1 2 3 4 5 6 Krassi Tzvetanov (May 4, 2016). "WordPress pingback attack". A10 Networks. Retrieved 2 February 2017. This issue arises from the fact that it is possible for an attacker A to impersonate T's blog by connecting to R's blog and sending a link notification that specifies T's blog as the origination of the notification. At that point, K will automatically attempt to connect to T to download the blog post. This is called reflection. If the attacker were careful to select a URL that has a lot of information in it, this would cause amplification. In other words, for a relatively small request from the attacker (A) to the reflector, the reflector (R) will connect to the target (T) and cause a large amount of traffic. [...] On the reflector side for the 200-byte request, the response can easily be thousands of bytes – resulting in a multiplication that starts in the 10x, 20x and more. [...] To avoid overloading the reflector, multiple reflectors can be employed to scale up. Thus, the target will have their outgoing bandwidth, and possibly compute resources, exhausted. [...] Another point to consider is the compute resources tied to the target side. If considering a page that is computationally expensive to produce, it may be more efficient for the attacker to overload the CPU of a system versus the bandwidth of the connection. [...] This is not the first time a CMS, and in particular WordPress, has been used for DDoS or other malicious activity. To a very large extent, this is because WordPress appeals to users that do not have the resources to manage their websites and they often use WordPress to make their job easier. As a result, many users do not have an adequate patch management program or proper monitoring to observe irregularities in their traffic.
  11. 1 2 3 Daniel Cid (February 17, 2016). "WordPress Sites Leveraged in Layer 7 DDoS Campaigns". Sucuri. Retrieved 2 February 2017. Starting in version 3.9, WordPress started to record the IP address of where the pingback request originated. That diminished the value of using WordPress as part of an attack; the platform would now record the attackers original IP address and it would show up in the log user agent. [...] Despite the potential reduction in value with the IP logging, attackers are still using this technique. Likely because website owners rarely check the user agent logs to derive the real IP address of visitors. [...] Although it is great that WordPress is logging the attacker IP address on newer releases, we still recommend that you disable pingbacks on your site. It won't protect you from being attacked, but will stop your site from attacking others.
  12. Tim Butler (25 Nov 2016). "Analysis of a WordPress Pingback DDOS Attack". Conetix. Retrieved 2 February 2017. One enhancement WordPress added to the pingbacks in 3.7, which at least tracked the originating IP of the request. While this doesn't solve the problem, it at least allows you to trace where the calls are coming from. Unless the attacker is very, very naive however, this IP will simply trace back to another infected machine or site. Generally these requesting systems are part of a botnet to mask and distribute the requests. [...] The pingback tool within WordPress still remains an exploitable system for any WordPress site which hasn't explicitly stopped it. From a web host's perspective, this is quite frustrating.