xmlrpc.php DDOS attack - Wordpress

A webserver I look after was getting pounded heavily from multiple external addresses with the xmlrpc.php wordpress attack.
Since it was from multiple sources, a blacklist was not helpful and I ended up using a L7 rule to stop all the attacks.

You will see this in your apache access.log. Notice them spoofing the googlebot as well to make it look like a web crawler.

62.109.8.59 - - [19/Jan/2017:21:37:03 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
62.109.8.59 - - [19/Jan/2017:21:37:03 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
62.109.8.59 - - [19/Jan/2017:21:37:04 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
51.15.45.53 - - [16/Jan/2017:17:55:08 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
51.15.45.53 - - [16/Jan/2017:17:55:08 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
51.15.45.53 - - [16/Jan/2017:17:55:09 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
51.15.45.53 - - [16/Jan/2017:17:55:09 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"


Solution:
1 - Add the Layer 7 Rule

/ip firewall layer7-protocol add comment="Wordpress Hack" name=aaa-xml-rpc regexp="^.+(xmlrpc.php).*\$"

2 - Create the filter to block using the L7 rule.

/ip firewall filter add action=tarpit chain=forward comment="Wordpress xmlrpc.php hack" dst-address=192.168.0.57 in-interface=ISPLink layer7-protocol=aaa-xml-rpc

Move the rule to the top of the filters and ensure you see the packets and bytes increasing in the rule counters. The apache logs should be quieter.

dst-address = your web server to protect
in-interface = Your ISP connection to the internet

Hope this helps someone.
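As an added example, not part of the original post, here is a small Python script that runs the same detection over Apache combined-format log lines like the ones above: it counts bursts of POST /xmlrpc.php per source address and flags user-agents that merely claim to be Googlebot. The log lines and addresses inside it are constructed (documentation ranges), not the real sources from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined log format, modelled on the flood above.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jan/2017:21:37:03 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10 - - [19/Jan/2017:21:37:03 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10 - - [19/Jan/2017:21:37:04 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [16/Jan/2017:17:55:08 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
198.51.100.7 - - [16/Jan/2017:17:55:08 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
198.51.100.7 - - [16/Jan/2017:17:55:09 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
192.0.2.5 - - [19/Jan/2017:21:38:00 +1100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_xmlrpc_floods(log_text, threshold=3, window_seconds=10):
    """Map source IP -> {count, claims_googlebot} for sources that POST to
    /xmlrpc.php at least `threshold` times within `window_seconds`."""
    hits, claims = defaultdict(list), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"].split("?")[0] != "/xmlrpc.php":
            continue
        hits[rec["ip"]].append(rec["ts"])
        # A Googlebot User-Agent is only a claim; a real crawler is confirmed by
        # reverse DNS, which is left out here so the script runs offline.
        if "googlebot" in rec["ua"].lower():
            claims.add(rec["ip"])
    floods = {}
    for ip, stamps in hits.items():
        stamps.sort()
        # Burst detected when `threshold` consecutive requests span <= the window.
        if any((stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds
               for i in range(len(stamps) - threshold + 1)):
            floods[ip] = {"count": len(stamps), "claims_googlebot": ip in claims}
    return floods
```

Run it over a real access.log (e.g. `find_xmlrpc_floods(open("/var/log/apache2/access.log").read())`) to see which addresses are hammering xmlrpc.php before and after the L7 rule goes in.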

Don't put it on top of the filter list; this will greatly overload your router if it has to check ALL the traffic for packet content.

First you should allow good traffic, then block stuff like this, after some things are already accepted or dropped. It would also make sense not to check all traffic, but only HTTP traffic.

Some good advice, Normis, thanks.
Moved my rule down the line as suggested.
Changed the filter rule to only include traffic on port 80:

/ip firewall filter add action=tarpit chain=forward comment="Wordpress xmlrpc.php hack" dst-address=192.168.0.57 dst-port=80 in-interface=ISPLink layer7-protocol=aaa-xml-rpc protocol=tcp

Check if CPU usage has decreased now.
