Et tu, Bruteforce?

By | April 8, 2017

In the time that I’ve had this site up and running there have been numerous “attacks” on it. Attack in this context means someone or something is trying to gain access to, or bring down, the server. Wordfence, a WordPress plugin, usually takes care of the threat automatically. This time, however, a device from somewhere in the Netherlands has been repeatedly hitting my xmlrpc.php, a common target on WordPress sites, and its IP address was not automatically blocked when it began making thousands of requests, maybe because it was coming from a source that had not yet been flagged as malicious. The link I just provided explains that the attack abuses an XML-RPC feature so that each request can carry hundreds, if not thousands, of login attempts (normally you get one attempt per request). This means that a brute-force attack, which is impractical against a strong password when each guess costs one request, suddenly becomes realistic.
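One practical way to spot this kind of activity before the server falls over is to count xmlrpc.php POSTs per source address in a sliding time window and flag the addresses that exceed a threshold. The following is an added example, not code from the original post or from Wordfence; it parses lines in the standard Apache/nginx "combined" access log format, assumes the log is in chronological order (as access logs are), and runs over a small constructed sample rather than real traffic. The window and threshold values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only ip, timestamp, method and path are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    # Drop any query string so /xmlrpc.php?foo still counts as /xmlrpc.php.
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]


def xmlrpc_bursts(lines, window=timedelta(minutes=1), threshold=20):
    """Flag IPs that POST to /xmlrpc.php more than `threshold` times within
    any `window`-long interval. Returns {ip: peak_count} for offenders only.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    peak = defaultdict(int)       # ip -> largest window count seen so far
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != "/xmlrpc.php":
            continue
        q = recent[ip]
        q.append(ts)
        # Slide the window: discard timestamps older than `window` before `ts`.
        while q and ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def make_sample_log():
    """Constructed sample traffic (not a real capture): one address hammering
    xmlrpc.php every two seconds, and one ordinary visitor."""
    base = datetime(2017, 4, 5, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" 200 412 "-" "Mozilla/5.0"'

    def line(ip, offset_s, m, p):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
        return fmt.format(ip=ip, ts=ts, m=m, p=p)

    lines = [line("203.0.113.7", 2 * i, "POST", "/xmlrpc.php") for i in range(25)]
    lines.append(line("198.51.100.4", 5, "GET", "/wp-login.php"))
    lines.append(line("198.51.100.4", 9, "POST", "/xmlrpc.php"))
    lines.append(line("198.51.100.4", 40, "GET", "/"))
    return lines


if __name__ == "__main__":
    for ip, n in xmlrpc_bursts(make_sample_log()).items():
        print(f"{ip}: {n} xmlrpc.php POSTs within one minute")
```

Run against a real log with `xmlrpc_bursts(open("access.log"))`; a window of an hour with a threshold in the low thousands matches the scale of traffic this site actually saw, while a one-minute window catches the burst earlier. The flagged address list is what you would feed to a firewall rule or to Wordfence's blocking settings.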

To get an idea of how long it takes to guess a password, try typing an example password here. Depending on how many guesses per second the attacker can make, a strong password may take years to guess. But with this exploit it seems it could take as little as a few weeks. Fortunately, my small website usually keels over and dies if it gets more than a few thousand requests per hour, which it did the last time it was attacked from the Netherlands, and again on the 5th just now:


Where the huge spikes drop off immediately, that’s my database crashing, making any login attempt impossible. The attacker basically locked themselves out of my site by making requests too rapidly. That is too bad for them, because I might not have noticed otherwise, and their entire network is now blocked in my settings. I guess the Amazon free tier finally paid off /s
