Welcome!

Blog Feed Post

The Curious Case of the WordPress Docker Container and the Devious XML-RPC Denial of Service Attack

Republished from 04/29 as it was lost due to a Docker Container crash… Irony!

I have an article in the recently released “DZone Guide to Building and Deploying Applications on the Cloud” entitled “Fullstack Engineering in the Age of Hybrid Cloud”. In this article I discuss the need and skills of a Fullstack Engineer with relation to troubleshooting and repairing complex, distributed hybrid cloud applications. My recent experiences with troubleshooting issues with my Docker WordPress container only reinforce the details I wrote about in this piece. Without my comprehensive understanding of both the infrastructure and application layer I don’t believe I could have achieved resolution (if I have, but more on that later).

1969479-dz-cloud2016cover-lgMy Docker WordPress container has always had issues with the “Error Connecting to Database” issue, but initially it would happen once a month and I would just re-start the container. I had read that the issue was fixed by moving to WordPress 4.5, so I upgraded, which came with its own challenges given these containers are supposed to be immutable.

Unfortunately, I designed my container when Docker architecture was in its infancy and so separating out and linking a MySQL container and the WordPress container as well as storing data on a separate volume are all features which emerged, or became more easily used, in later versions. Eventually, I will need redesign around 1.11 features, but for now, I’m just trying to keep up what I currently have. I did try just moving the database files onto permanent storage mapped in to the container as a volume, but all I did was fight with file permissions for a day and MySQL never ended up starting.

Recently, it became more and more difficult to keep the container up, so I upgraded to the latest Ubuntu 14.04 kernel and when that didn’t seem to help the issue I upgraded Docker from 1.4 to 1.11. None of these seemed to correct the issue. However, Docker 1.11 leverages the new architecture and uses cgroups, which resulted in cgroup out of memory thread killer posting messages to my console.

Screen Shot 2016-04-29 at 6.13.20 AM

Now, I could see that mysqld was being terminated at some point due to insufficient memory. To solve the memory issue, I tried optimizing the WordPress LAMP stack for low memory and even migrated from a 1G virtual machine to a 2G instance. It seems no matter how much memory I threw at this problem the longest the WordPress site would be active before the database connection issue appeared was an hour.

Totally baffled at this point, I started chasing down a lead regarding WordPress issues occurring on my cloud service provider. It seemed the issue I was seeing was happening to many others on Digital Ocean, perhaps this was a VPS (DO’s Droplet architecture is VPS-based) issue and not a Docker issue. DO responded on its forum to the various postings stating that running out of memory is common result of the known XML-RPC Denial of Service attack.  XML-RPC is the API interface for WordPress.

Wait! What am I doing? No one’s going to bother attacking my little old blog, it can’t be that. Back to optimizing memory use. Oh crud, this is still not getting me anywhere after two weeks.

Unfortunately, again my immutable container architecture limited my ability to see logs and SSH connections were often terminated due to low memory as well. Once I terminated the container without committing the container the logs were lost. So, I had to modify the current container to use an external volume for all the log files and now wrote them out to permanent storage.

Whoa! What do I find in the apache2 access.log after the next time the issue occurs? Well, when I did a tail of the last 200 entries I found my site was being attacked by a Googlebot, and there were a lot more entries in addition to those. In the end, I was a victim of a denial of service attack.

I believe its important to look at what data I had available and the characteristics identified by the logs and error messages. Nothing screamed DoS attack consuming mass number of threads on the Apache server and driving memory usage to 0 so that the memory manager was sacrificing threads to keep the OS alive (does that make anyone else think of Kirk screaming to Scotty, “all power to life support”?). When the attack stopped, mysqld_safe restored the thread, but it seems the socket or some other interprocess mechanism didn’t allow WordPress to communicate with the MySQL.

Piecing this together after the fact required a mix of skills. It might have been easier if I was doing live monitoring and tracking inbound requests while also constantly checking that WordPress could communicate MySQL, but realistically, this is a dramatic step when all else has failed.

Through this I learned a lot about container architecture, but this issue is probably still lingering. I’m just denying all requests to access XML-RPC from outside IP addresses at this time and the WordPress has been up for over 24 hours. More importantly, it really reinforces what I wrote about in the article and I don’t believe I could have reached this point if I didn’t have a good understanding of the infrastructure, operating system, networking, Docker and LAMP stack

Read the original blog entry...

More Stories By JP Morgenthal

JP Morgenthal is a veteran IT solutions executive and Distinguished Engineer with CSC. He has been delivering IT services to business leaders for the past 30 years and is a recognized thought-leader in applying emerging technology for business growth and innovation. JP's strengths center around transformation and modernization leveraging next generation platforms and technologies. He has held technical executive roles in multiple businesses including: CTO, Chief Architect and Founder/CEO. Areas of expertise for JP include strategy, architecture, application development, infrastructure and operations, cloud computing, DevOps, and integration. JP is a published author with four trade publications with his most recent being “Cloud Computing: Assessing the Risks”. JP holds both a Masters and Bachelors of Science in Computer Science from Hofstra University.

Latest Stories
As businesses evolve, they need technology that is simple to help them succeed today and flexible enough to help them build for tomorrow. Chrome is fit for the workplace of the future — providing a secure, consistent user experience across a range of devices that can be used anywhere. In her session at 21st Cloud Expo, Vidya Nagarajan, a Senior Product Manager at Google, will take a look at various options as to how ChromeOS can be leveraged to interact with people on the devices, and formats th...
First generation hyperconverged solutions have taken the data center by storm, rapidly proliferating in pockets everywhere to provide further consolidation of floor space and workloads. These first generation solutions are not without challenges, however. In his session at 21st Cloud Expo, Wes Talbert, a Principal Architect and results-driven enterprise sales leader at NetApp, will discuss how the HCI solution of tomorrow will integrate with the public cloud to deliver a quality hybrid cloud e...
Is advanced scheduling in Kubernetes achievable? Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, will answer these questions and demonstrate techniques for implementing advanced scheduling. For example, using spot instances ...
The next XaaS is CICDaaS. Why? Because CICD saves developers a huge amount of time. CD is an especially great option for projects that require multiple and frequent contributions to be integrated. But… securing CICD best practices is an emerging, essential, yet little understood practice for DevOps teams and their Cloud Service Providers. The only way to get CICD to work in a highly secure environment takes collaboration, patience and persistence. Building CICD in the cloud requires rigorous ar...
SYS-CON Events announced today that Yuasa System will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Yuasa System is introducing a multi-purpose endurance testing system for flexible displays, OLED devices, flexible substrates, flat cables, and films in smartphones, wearables, automobiles, and healthcare.
Companies are harnessing data in ways we once associated with science fiction. Analysts have access to a plethora of visualization and reporting tools, but considering the vast amount of data businesses collect and limitations of CPUs, end users are forced to design their structures and systems with limitations. Until now. As the cloud toolkit to analyze data has evolved, GPUs have stepped in to massively parallel SQL, visualization and machine learning.
The session is centered around the tracing of systems on cloud using technologies like ebpf. The goal is to talk about what this technology is all about and what purpose it serves. In his session at 21st Cloud Expo, Shashank Jain, Development Architect at SAP, will touch upon concepts of observability in the cloud and also some of the challenges we have. Generally most cloud-based monitoring tools capture details at a very granular level. To troubleshoot problems this might not be good enough.
Organizations do not need a Big Data strategy; they need a business strategy that incorporates Big Data. Most organizations lack a road map for using Big Data to optimize key business processes, deliver a differentiated customer experience, or uncover new business opportunities. They do not understand what’s possible with respect to integrating Big Data into the business model.
When it comes to cloud computing, the ability to turn massive amounts of compute cores on and off on demand sounds attractive to IT staff, who need to manage peaks and valleys in user activity. With cloud bursting, the majority of the data can stay on premises while tapping into compute from public cloud providers, reducing risk and minimizing need to move large files. In his session at 18th Cloud Expo, Scott Jeschonek, Director of Product Management at Avere Systems, discussed the IT and busine...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities – ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups. As a result, many firms employ new business models that place enormous impor...
SYS-CON Events announced today that Taica will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Taica manufacturers Alpha-GEL brand silicone components and materials, which maintain outstanding performance over a wide temperature range -40C to +200C. For more information, visit http://www.taica.co.jp/english/.
SYS-CON Events announced today that Dasher Technologies will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Dasher Technologies, Inc. ® is a premier IT solution provider that delivers expert technical resources along with trusted account executives to architect and deliver complete IT solutions and services to help our clients execute their goals, plans and objectives. Since 1999, we'v...
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, will discuss how they b...
We all know that end users experience the Internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices – not doing so will be a path to eventual b...
SYS-CON Events announced today that TidalScale, a leading provider of systems and services, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TidalScale has been involved in shaping the computing landscape. They've designed, developed and deployed some of the most important and successful systems and services in the history of the computing industry - internet, Ethernet, operating s...