
What is the typical nature of xmlrpc attacks?

Çağlar Arlı


My web server (which mainly handles WordPress hosting) gets a continuous stream of xmlrpc requests from random IPs all over the Internet. I'm not directly concerned about exposure to xmlrpc attacks as I have blocked these at the webserver level - however, I have also been using fail2ban to block offending IP addresses, and I'm wondering if the trade-off is worth it.

My logic for banning the IP addresses is that these sites are obviously either compromised sites or bad actors, and have no business accessing my server (and CGN is not a major concern for my client base due to its location) - however, I am finding the number of IP addresses I am blacklisting is placing a noticeable load on my server, and I am wondering if the trade-offs of blocking IPs at the server level are worth it.

I accept that there will be a significant number of unknowns and some guesswork/postulation in answering the below - but can anyone provide insights into the typical nature of XMLRPC attacks? Any comments related to the following aspects would be highly valued:

  • Are systems performing XMLRPC attacks likely to perform other kinds of attacks against my servers?
  • Are systems performing XMLRPC attacks more likely to be compromised computers/botnet traffic?
  • If systems are compromised computers/botnets, can anyone provide comment/insights into how long compromised systems are typically compromised? (At the moment I ban IPs for 10 days, but this is arbitrary. A shorter period would likely put a little less strain on my server.)
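The third bullet (how long to ban) is really a measurement question, so here is an added example, not part of the question or any answer, of the log analysis that informs it: it parses access-log lines in the common combined format, counts xmlrpc.php hits per source IP, records how long each source stayed active, and notes whether the same source also touched other paths (the first bullet). The sample log lines, the documentation-range IPs and the hit threshold are constructed assumptions; point `xmlrpc_activity` at a real access log to get actual numbers.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2023:02:10:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:14:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.88"
192.0.2.55 - - [11/Oct/2023:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def xmlrpc_activity(log_text):
    """Per source IP: xmlrpc.php hit count, hits on other paths, first and last seen."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], TS_FMT)
        s = stats.setdefault(m["ip"], {"xmlrpc": 0, "other": 0, "first": ts, "last": ts})
        # Strip any query string before comparing the path.
        if m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            s["xmlrpc"] += 1
        else:
            s["other"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def active_span_hours(stats, ip):
    """Hours between the first and last request seen from this IP (a lower bound on its persistence)."""
    return (stats[ip]["last"] - stats[ip]["first"]).total_seconds() / 3600


def ban_candidates(stats, threshold=2):
    """IPs whose xmlrpc.php hit count reaches the (assumed) threshold a fail2ban-style rule would use."""
    return sorted(ip for ip, s in stats.items() if s["xmlrpc"] >= threshold)


def returned_after_days(stats, days):
    """IPs still sending xmlrpc.php requests more than `days` after first seen; a hint for the ban period."""
    return sorted(ip for ip, s in stats.items()
                  if s["xmlrpc"] and active_span_hours(stats, ip) > days * 24)
```

Run over a week or more of real logs, `returned_after_days` for a range of day values shows how many sources a shorter ban would let back in, which is the number the 10-day choice should be weighed against.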