Texas NORML and XMLRPC

The 86th Regular Session of the Texas Legislature is under way. It is the 140-day window in the two-year period during which representatives and senators can change Texas law without the governor calling a special session. For advocacy groups and lobbyists alike it is a busy time, as the masses converge on the Capitol to crusade for change in the laws of the land.

Texas is behind when it comes to the reform of cannabis laws. From the criminal justice reform, medical access, and industrial hemp perspectives, Texas citizens are effectively criminals because the laws don't match the actual science surrounding the plant.

One of the many groups working to bring about change in this area is the Texas chapter of the National Organization for the Reform of Marijuana Laws. The site texasnorml.org will see its peak traffic with regular updates and legislative action campaigns, citizen call-to-action posts, and back-to-back events between monthly meetings and committee hearings at the Capitol itself. With the influx of traffic, things are prone to slow down a bit, especially if the entire site isn't making use of static content.

While reviewing the access and error logs for the domain, there were more requests for xmlrpc.php than for any other resource. A look at the Cloudflare portal immediately confirmed the issue.


From the screenshot above we can see the total web requests, cached requests (Cloudflare saved the result so it didn't need to ask the origin web server again), and uncached requests (Cloudflare passed the request through to the origin server). For a site primarily focused on reaching a Texas audience, the stats above should stand out: IPs out of the Malaysia region accounted for almost twice the traffic seen from all IP addresses and connections in the United States. The 4.3 million requests were entirely botnet driven, and they all targeted xmlrpc.php.
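The log review described above, as an added example that is not the author's or Cloudflare's tooling: a small Python triage script over constructed Apache combined-format access log lines that reports how much of the traffic is for xmlrpc.php and which client IPs account for it. The log layout regex and the sample IPs are assumptions; adjust the regex if your server writes a different format.

```python
import re
from collections import Counter

# Assumed Apache/nginx "combined" log layout: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation IP ranges), not real texasnorml.org log data.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jan/2019:10:00:01 -0600] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Jan/2019:10:00:02 -0600] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
203.0.113.11 - - [08/Jan/2019:10:00:02 -0600] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2019:10:00:03 -0600] "GET / HTTP/1.1" 200 18322 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2019:10:00:04 -0600] "GET /wp-content/uploads/a.png HTTP/1.1" 200 8832 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Jan/2019:10:00:05 -0600] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield one dict per parseable log line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def xmlrpc_summary(text, target="/xmlrpc.php"):
    """Count all requests, requests for the target path, and the top client IPs
    hitting it. Returns a dict so a monitoring job can alert on the share."""
    total = 0
    by_ip = Counter()
    for rec in parse_log(text):
        total += 1
        # Drop any query string before comparing the path.
        if rec["path"].split("?", 1)[0] == target:
            by_ip[rec["ip"]] += 1
    hits = sum(by_ip.values())
    return {
        "total": total,
        "xmlrpc_hits": hits,
        "xmlrpc_share": hits / total if total else 0.0,
        "top_ips": by_ip.most_common(5),
    }

if __name__ == "__main__":
    s = xmlrpc_summary(SAMPLE_LOG)
    print(f"{s['xmlrpc_hits']}/{s['total']} requests ({s['xmlrpc_share']:.0%}) hit xmlrpc.php")
    for ip, n in s["top_ips"]:
        print(f"  {ip}: {n}")
```

Run it against a real access log by reading the file into `xmlrpc_summary`; a share anywhere near the one on the page is a strong sign of the same botnet pattern.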

In response, two custom firewall rules were added in the Cloudflare Web Application Firewall (WAF) configuration. For starters, while otherwise reserved for very special circumstances, Malaysia was blocked entirely. There is a concern with blocking by origin: with IPv4 depletion, net blocks are often reassigned, and IP ranges that were once associated with a particular region can end up assigned elsewhere, so keeping GeoIP data updated is a never-ending battle. After blocking Malaysia the traffic to xmlrpc.php slowed considerably, but there were still signs of other hosts (likely compromised machines running WordPress themselves) hammering texasnorml.org/xmlrpc.php. This is where the second WAF rule came into play. The end result is that any direct calls to the URL are blocked upstream at Cloudflare.

While it is likely that the bots were trying to exploit the WordPress system.multicall XML-RPC method, the end result was that the excessive resource usage on the host was eradicated. It would also have been effective to use .htaccess rules for the same blocks, but care would need to be taken to ensure that any triggered 403 permission-denied or redirect actions didn't also lead to a dynamic page load, which would cause extra resource usage to fulfil the bots' requests.
