About PPF
Pingback is the web's original cross-site notification protocol, dating back to 2002. When you link to another site, your server can automatically notify theirs. No API keys, no account registration, no central authority – just the open web doing its thing.
The problem? A Pingback is just an XML-RPC call naming a source URL and a target URL, and anyone can send one claiming any source. The receiver then fetches the claimed source to confirm that it really links to the target. That makes abuse trivially easy: point thousands of Pingback receivers at a victim's URL and they all try to fetch it at once. The victim gets DDoSed by servers trying to be polite.
Email had the same problem. Before SPF[1], anyone could send an email claiming to come from any domain; forging a victim's address on purpose, so that the blame and the bounces land on them, is known as a "Joe job". SPF addresses this by letting domain owners publish a DNS record declaring which servers are authorised to send mail for the domain. A receiving server looks up the record for the sender's domain and checks the connecting server's IP address against it before accepting the message.
PPF – Pingback Permitted From – applies the same pattern to Pingback. A simple DNS TXT record declares which hosts may send Pingbacks for your domain. A receiver looks up the record for the domain in the claimed source URL and checks the sending host against it before fetching that URL. Because the lookup is keyed on the claimed source, an attacker cannot choose whose record gets consulted, and a cheap, cacheable DNS query replaces the HTTP request that made amplification work. The protection applies to domains that publish a record and to receivers that enforce it, which is why early adopters publishing records matter.
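A worked receiver-side check, added here as an illustration; it is not the PPF reference code and not the WordPress plugin. The record grammar it parses (v=ppf1, ip4:, ip6:, include:, and a closing -all/~all/?all qualifier) is an assumption modelled on SPF, as is the cap on include: lookups, so treat the specification as the authority on the real syntax. DNS is replaced by a constructed in-memory zone so the example runs offline, and the zone also exercises the include: mechanism that the Infrastructure section below describes hosting providers using to cover all of their customers with one record.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, SPF-style cap on include: lookups per evaluation. It bounds the DNS
# work a hostile record can trigger and breaks include: loops.
MAX_INCLUDES = 10

# Constructed sample zone data standing in for live DNS TXT lookups.
# blog.example lists one host of its own and delegates the rest to its hosting
# provider with include:; loop.example is a deliberately broken record.
ZONE = {
    "blog.example": ["v=ppf1 ip4:203.0.113.10 include:ppf.hosting.example -all"],
    "ppf.hosting.example": ["v=ppf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    "loop.example": ["v=ppf1 include:loop.example -all"],
    "silent.example": ["some unrelated TXT record"],
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain, zone):
    """Stand-in for a DNS TXT query; a real receiver would call a resolver."""
    return zone.get(domain, [])


def find_record(domain, zone):
    """Return the domain's PPF record, None if it has none; raise on duplicates."""
    records = [r for r in lookup_txt(domain, zone) if r.split(" ", 1)[0] == "v=ppf1"]
    if len(records) > 1:
        raise ValueError("multiple PPF records for %s" % domain)
    return records[0] if records else None


def evaluate(domain, sender_ip, zone=ZONE, budget=None):
    """Evaluate domain's record against the IP that delivered the Pingback.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (unusable record). Mechanisms are tried left to right and the
    first match decides, as in SPF.
    """
    if budget is None:
        budget = [MAX_INCLUDES]  # one counter shared across nested include: calls
    try:
        record = find_record(domain, zone)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # include: loop or abusively deep delegation
            sub = evaluate(arg, sender_ip, zone, budget)
            if sub == "pass":
                return RESULT[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # included domain has no usable record
            # fail/softfail/neutral inside the include: no match, keep going
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # ran off the end without an explicit all


def should_fetch_source(source_url, sender_ip, strict=False, zone=ZONE):
    """Receiver gate, run before any HTTP request to the claimed source.

    strict=False is the permissive mode: a source domain with no record is
    still fetched, so unlisted legacy sites keep working. strict=True refuses
    anything but an explicit pass.
    """
    host = urlsplit(source_url).hostname
    if not host:
        return False
    result = evaluate(host, sender_ip, zone)
    if result == "pass":
        return True
    if strict:
        return False
    # permissive: only an explicit fail or a broken record blocks the fetch
    return result not in ("fail", "permerror")


if __name__ == "__main__":
    for url, ip in [("https://blog.example/post", "203.0.113.10"),
                    ("https://blog.example/post", "192.0.2.1"),
                    ("https://silent.example/post", "192.0.2.1")]:
        print(url, ip, evaluate(urlsplit(url).hostname, ip),
              "fetch" if should_fetch_source(url, ip) else "drop")
```

The decision is made on the strength of a DNS answer alone: a sender whose IP is not permitted never causes an HTTP request to the claimed source. The one policy knob is what to do when the claimed source has no record at all; fetching in that case is the permissive mode that keeps unlisted sites working, and flipping strict on is the enforcement the adoption push described under Get involved is working towards.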
Why now?
A couple of years ago, while working on WP fail2ban, I started looking at what other aspects of WordPress security I could improve. Pingbacks caught my attention – the amplification vulnerability has been known for years, but nobody had properly fixed it.
WordPress's response was to cap the source page it fetches during verification at 150KB. That's a bodge, not a fix – and it can break legitimate pingbacks if the reciprocal link happens to appear after the 150KB mark. The underlying problem remained: no sender authentication.
The solution came to me in the shower (as so many good ideas do): email had the same problem with "Joe jobs", so pingbacks could have the same solution. It took AI getting better (who wants to write the tedious parts of a spec?) and some free time over Christmas, and here we are.
What about Webmention?
Webmention was supposed to be the modern replacement for Pingback, and it made it through the W3C process. But it inherited the same vulnerability – receivers still fetch the source URL to verify the link exists. The spec recommends async processing and timeouts as mitigations, but that protects the receiver, not the claimed source. An attacker can still trigger thousands of receivers to fetch from a victim.
Besides, Webmention never achieved significant adoption. WordPress still ships with Pingback enabled by default, on millions of sites. If we're going to fix the problem, we should fix it where it exists.
Implementations
WordPress Plugin (coming soon)
PPF support for WordPress sites. Validates incoming Pingbacks against PPF records and publishes your own.
More implementations coming. If you've built something, let us know.
Infrastructure
Hosting providers can deploy PPF records for all customers with a single include: mechanism. CDN providers are well-positioned to offer PPF proxy services, aggregating reputation data across many sites.
No infrastructure providers have told us they've implemented PPF yet. Interested? Get in touch.
Get involved
The specification is at version 0.9. We're looking for feedback from implementers, CDN providers, and hosting companies. Early adopters who publish PPF records help drive the transition from permissive to strict enforcement.
Questions or feedback?
Send me an email at info@ppf1.org.
[1] SPF – Sender Policy Framework (originally "Sender Permitted From") – is a DNS-based email authentication method that lets domain owners specify which mail servers are authorised to send email on their behalf. It's been in widespread use since 2003 and is defined in RFC 7208.