Within the last week, I’ve noticed that my blog was frequently down with this error:

My first thought was that I must be getting a lot of visits, but eventually everything would go back to normal. So I restarted the MySQL server and Apache, and all was fine. A couple of hours later, I tried accessing my blog again and realized it was down again for the umpteenth time.

With the small web server I’ve been working on, I decided to see what’s going on and where the traffic is coming from. I stopped my Apache server and installed git, Java and Gradle on my Ubuntu instance.

Once I had the code on the Ubuntu instance, I started my simple web server on port 80 and noticed something weird: it seems that someone is running a distributed denial of service attack against my WordPress blog. Instead of using several machines, they’re sending everything from the same IP, just from different source ports.

Request signature:

Payload:

The attacker is using IP 185.130.5.209 and is trying to brute force my WordPress blog by repeatedly sending a POST request carrying an XML document to the xmlrpc.php page. Notice also that they’re addressing my blog by its IP directly. It could be a targeted attack against DigitalOcean, where my Ubuntu instance lives, or the attacker just has a list of random IPs they’re working through. The content length varies but is always in the 250-300 byte range (283 bytes in the case above).

Knowing this info, I modified my code to match the signature and silently drop the request:

Added a request filter and defined these values:

The filter method:

Check if the signature matches:

Then modified the code that handles the request to simply log the IP:
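As an added example (not the code from this post or from the simple web server it describes), here is one way the signature check and the drop-and-log step above could look in Java. The class and method names, the 203.0.113.10 address standing in for the server's public IP, the blog.example.com hostname and the once-per-100-drops logging are my assumptions; the signature values (POST to xmlrpc.php, a bare IP in the Host header, a body of 250-300 bytes, the client IP 185.130.5.209) are the ones the post reports. The first constructed request matches the signature and is dropped; the GET for a normal post and the XML-RPC call addressed to the real hostname both pass through.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical request filter for the xmlrpc.php flood described in the post. */
public class XmlRpcFloodFilter {

    // Signature values taken from the post: POST to xmlrpc.php, a body of
    // roughly 250-300 bytes, and a Host header carrying a bare IP address.
    static final String TARGET_PATH = "/xmlrpc.php";
    static final int MIN_CONTENT_LENGTH = 250;
    static final int MAX_CONTENT_LENGTH = 300;
    static final Pattern BARE_IPV4_HOST =
            Pattern.compile("^\\d{1,3}(\\.\\d{1,3}){3}(:\\d{1,5})?$");

    /** Minimal parsed view of an HTTP request head (request line plus headers). */
    static final class Request {
        final String method;
        final String path;
        final Map<String, String> headers; // header names are lower-cased

        Request(String method, String path, Map<String, String> headers) {
            this.method = method;
            this.path = path;
            this.headers = headers;
        }
    }

    /** Parses the head of a raw HTTP/1.x request; throws on a malformed request line. */
    static Request parseHead(String rawHead) {
        String[] lines = rawHead.split("\r?\n");
        String[] requestLine = lines[0].trim().split(" ");
        if (requestLine.length < 2) {
            throw new IllegalArgumentException("malformed request line: " + lines[0]);
        }
        Map<String, String> headers = new HashMap<>();
        for (int i = 1; i < lines.length; i++) {
            String line = lines[i];
            if (line.isEmpty()) break;   // blank line ends the head
            int colon = line.indexOf(':');
            if (colon <= 0) continue;    // skip lines that are not "Name: value"
            headers.put(line.substring(0, colon).trim().toLowerCase(Locale.ROOT),
                        line.substring(colon + 1).trim());
        }
        return new Request(requestLine[0], requestLine[1], headers);
    }

    /** Returns true when the request matches the observed flood signature. */
    static boolean matchesSignature(Request r) {
        if (!"POST".equals(r.method) || !TARGET_PATH.equals(r.path)) return false;
        String host = r.headers.get("host");
        if (host == null || !BARE_IPV4_HOST.matcher(host).matches()) return false;
        String contentLength = r.headers.get("content-length");
        if (contentLength == null) return false;
        int length;
        try {
            length = Integer.parseInt(contentLength);
        } catch (NumberFormatException e) {
            return false;
        }
        return length >= MIN_CONTENT_LENGTH && length <= MAX_CONTENT_LENGTH;
    }

    // Drop counter per client IP: log the first hit and then every LOG_EVERY-th
    // one, so the flood cannot fill the server's own log with one line per request.
    private final Map<String, Integer> dropsByIp = new HashMap<>();
    static final int LOG_EVERY = 100;

    /** Returns true if the server should close the connection without replying. */
    synchronized boolean shouldDrop(String clientIp, Request r) {
        if (!matchesSignature(r)) return false;
        int n = dropsByIp.merge(clientIp, 1, Integer::sum);
        if (n == 1 || n % LOG_EVERY == 0) {
            System.out.println("DROP " + clientIp + " POST " + r.path
                    + " content-length=" + r.headers.get("content-length")
                    + " (dropped so far: " + n + ")");
        }
        return true;
    }

    public static void main(String[] args) {
        XmlRpcFloodFilter filter = new XmlRpcFloodFilter();
        // Constructed sample requests; 203.0.113.10 stands in for the server's public IP.
        String flood = "POST /xmlrpc.php HTTP/1.1\r\nHost: 203.0.113.10\r\n"
                + "Content-Type: text/xml\r\nContent-Length: 283\r\n\r\n";
        String normal = "GET /2016/01/hello-world/ HTTP/1.1\r\nHost: blog.example.com\r\n\r\n";
        String legitRpc = "POST /xmlrpc.php HTTP/1.1\r\nHost: blog.example.com\r\n"
                + "Content-Length: 283\r\n\r\n";

        System.out.println(filter.shouldDrop("185.130.5.209", parseHead(flood)));
        System.out.println(filter.shouldDrop("198.51.100.7", parseHead(normal)));
        System.out.println(filter.shouldDrop("198.51.100.7", parseHead(legitRpc)));
    }
}
```

The content-length window and the bare-IP Host header are heuristics tied to this particular flood; a client that changes its payload size or sends the blog's hostname slips past them, so a filter like this buys breathing room for the application but is best paired with rate limiting or a firewall rule on the offending address.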

The resulting logs from my simple web server showing the logged request and that the response is dropped:

I will add some more details later, but that’s all for now.