On 6/27/10 9:55 PM, Willy Tarreau wrote:
Hi Hank,
On Sun, Jun 27, 2010 at 02:12:35PM -0700, Hank A. Paulson wrote:
I got this error hit via the haproxy socket, I noticed that there are
a few hits when searching for it, all related to corrupt headers with
lighttpd and people seem to be assuming it is lighttpd's fault but in
the case I received, it is clear that there are some junk characters
at the beginning of the request. (Perhaps lighttpd needs an option to
print errors with hex encoding in order to see the characters causing
the problems there)
There is also this proxy blocking module for nginx that lists it when
searching for signs of a proxy:
http://www.linuxboy.net/nginx/ngx_http_proxyblock_module.c.txt
I am wondering if this is some kind of web fuzzer software or if it
is just poorly coded proxy software or if other people have seen
problems with requests with a MT-Proxy-ID. (All the listings that I
have seen, locally and on the web, that include the MT-Proxy-ID
header have the same 1804289383 value.)
Thanks for any insights.
Don't you think this could simply be some discovery attack or bypass
attempts? The strangest part is the \x00, which, if intentionally
left here, may be present to try to fool some HTTP parsers. Perhaps
it targets a very specific product and was just blocked here. Anyway,
if it's normally encountered with lighttpd, you may want to share that
with the lighttpd guys so that they for once get a full dump of the
abnormal request.
Sorry, I was not clear - the only substantive search results where I find
MT-Proxy-ID have been in some lighttpd discussions. I think they are
mistakenly thinking there is a problem with lighttpd, my guess is that they
are not seeing the junk characters at the beginning of the request and I am
wondering if the software that adds the MT-Proxy-ID header also adds the junk
characters due to poor coding, bugs, malicious purpose, etc.
My one error hit has nothing to do with lighttpd. I just find it odd that the
only references to MT-Proxy-ID are in a few headers in discussions of
problem requests.
Normally with unusual headers/user-agents you will find some search results
with discussions asking about them and discussions of which software or
websites use those headers or user-agent strings, etc. With MT-Proxy-ID I
found none of that; maybe the web hits for that string have been removed by
Google for some reason :)
[04/Jun/2010:01:40:10.550] frontend abc (#1): invalid request
src w.x.y.z, session #25252051, backend <NONE> (#-1), server <NONE> (#-1)
request length 327 bytes, error at position 0:
0 \x04\x02\x00POST /a/b/c/d HTTP/1.0\r\n
00054 User-Agent: Mozilla/5.0 (compatible; MSIE 6.0;)\r\n
00118 Host: foo.bar\r\n
00137 Accept: */*\r\n
00150 Content-Length: 8\r\n
00169 Content-Type: application/x-www-form-urlencoded\r\n
00218 MT-Proxy-ID: 1804289383\r\n
00243 X-Forwarded-For: x.y.z.w\r\n
00276 Connection: Keep-Alive\r\n
00300 Keep-Alive: 300\r\n
00317 \r\n
00319 xa=23123
Best regards,
Willy
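
Following up on the suggestion above that errors be printed with hex encoding so the offending characters become visible, here is a sketch of such a check. It is an added example, not code from haproxy, lighttpd or either poster: the function names are hypothetical and SAMPLE is a request constructed from the dump quoted in this thread.

```python
# Added example: names are hypothetical, SAMPLE is constructed from the dump above.
TOKEN = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                  b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def escape(data: bytes) -> str:
    """Render bytes with control and non-ASCII bytes visible (\\r, \\n, \\xNN)."""
    out = []
    for b in data:
        if b == 0x0D:
            out.append("\\r")
        elif b == 0x0A:
            out.append("\\n")
        elif 0x20 <= b < 0x7F and b != 0x5C:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def first_error(raw: bytes):
    """Offset of the first bad byte in the request line, or None if it is clean.
    A line that is structurally incomplete reports its own length."""
    line = raw.split(b"\r\n", 1)[0]
    method, _, rest = line.partition(b" ")
    for pos, b in enumerate(method):      # method must be RFC 7230 token chars
        if b not in TOKEN:
            return pos
    for pos, b in enumerate(line):        # no NUL/control bytes anywhere in the line
        if b < 0x20 or b == 0x7F:
            return pos
    target, _, version = rest.partition(b" ")
    ok = method and target and version in (b"HTTP/1.0", b"HTTP/1.1")
    return None if ok else len(line)


def dump(raw: bytes) -> str:
    """Offset-prefixed, escaped dump, one input line per output line."""
    lines, pos = [], 0
    for chunk in raw.splitlines(keepends=True):
        lines.append(f"{pos:05d}  {escape(chunk)}")
        pos += len(chunk)
    return "\n".join(lines)


SAMPLE = (b"\x04\x02\x00POST /a/b/c/d HTTP/1.0\r\nHost: foo.bar\r\n"
          b"MT-Proxy-ID: 1804289383\r\nContent-Length: 8\r\n\r\nxa=23123")

if __name__ == "__main__":
    print(f"error at position {first_error(SAMPLE)}:\n{dump(SAMPLE)}")
```

Logging the escaped dump alongside the error position is what lets a reader tell a server-side parsing bug from a client that really sent junk before the method.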