Re: how to block bad request?
Hi Mark, Thank you. I enabled debugging and able to reproduce (close to matching, but not exact same output) send null byte $ echo -e '\x00' | nc myhost.com 80 HTTP/1.1 400 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 1939 Date: Mon, 09 Jan 2023 08:58:52 GMT Connection: close HTTP Status 400 – Bad Requestbody {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}HTTP Status 400 – Bad RequestType Exception ReportMessage Invalid character found in method name [0x00...]. HTTP method names must be tokensDescription The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).Exceptionjava.lang.IllegalArgumentException: Invalid character found in method name [0x00...]. HTTP method names must be tokens org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418) org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260) org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563) org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) java.basejava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) java.basejava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) java.basejava.lang.Thread.run(Thread.java:834) Note The full stack trace of the root cause is available in the server logs.CustomServer the log file 09-Jan-2023 08:58:50.239 FINE [https-jsse-nio-8474-exec-3] org.apache.coyote.AbstractProcessorLight.process Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@573dbc7:org.apache.tomcat.util.net.SecureNioChannel@304f418e:java.nio.channels.SocketChannel[connected local=/142.222.222.222:8080 remote=/194.111.111.111:9385]], Status in: [OPEN_READ], State out: [OPEN] 09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header java.lang.IllegalArgumentException: Invalid character found in method name [0x00...]. HTTP method names must be tokens at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.base/java.lang.Thread.run(Thread.java:834) 09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6] org.apache.coyote.http11.Http11Processor.badRequest The HTTP/1.1 request did not provide a host header 09-Jan-2023 08:58:52.868 FINE [http-nio-8084-exec-6] org.apache.coyote.AbstractProcessorLight.process Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@19369f2d:org.apache.tomcat.util.net.NioChannel@34663eed:java.nio.channels.SocketChannel[connected local=/142.222.222.222:8080 remote=/210.111.111.111:53328]], Status in: [OPEN_READ], State out: [CLOSED] ==> .access_log.2023-01-09.txt <== 210.111.111.111 - 210.111.111.111 - - [09/Jan/2023:08:58:52 +] '-' 400 1939 '-' '-' 686 - in production 206.189.134.129 - 206.189.134.129 - - [09/Jan/2023:06:11:06 +] '-' 400 - '-' '-' 0 - The different is %b - Bytes sent, excluding HTTP headers, or '-' if zero %D - Time taken to process the request in microseconds so I guess the attacker check if the port is opened without sending any bytes and tomcat took 0 second to process. Christopher, no, X-Forwarded-For and %h values are not the same. On Fri, Jan 6, 2023 at 6:30 AM Christopher Schultz wrote: > > Mark, Jason, > > On 1/4/23 09:07, Mark Thomas wrote: > > On 04/01/2023 04:09, Jason Wee wrote: > >> Hi, > >> > >> Happy new year everyone. > >> > >> Background of my production setup. Using tomcat 10 and in linux > >>
Re: how to block bad request?
Mark, Jason, On 1/4/23 09:07, Mark Thomas wrote: On 04/01/2023 04:09, Jason Wee wrote: Hi, Happy new year everyone. Background of my production setup. Using tomcat 10 and in linux environment, using the following accesslog valve %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i' '%{User-Agent}i' %D %S api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - I often see the above registered in accesslog and have the following questions 1. how/where to find more information about such requests? example how to reproduce of such request, how to enable debug to give more details about such request, etc? Enable debug logging for org.apache.coyote.http11.Http11Processor 2. how to block such requests (at tomcat or at firewall or any other way)? Tomcat has already blocked them. The requests were invalid. Processing stopped as soon as the request was found to be invalid. A 400 response was returned and the connection closed. There is little else Tomcat can do. Options for blocking earlier depend on why the requests are invalid. That said, Tomcat appears to be behind a reverse proxy. In most (all?) cases, I'd expect the proxy to reject the request before it gets to Tomcat. Those requests look like they actually came from the reverse proxy (X-Forwarded-For and %h values are the same). They look a *lot* like "are you alive" requests that reverse proxies will often send to back-end servers to see whether or not real traffic should be sent to those back-end servers. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to block bad request?
On 04/01/2023 04:09, Jason Wee wrote: Hi, Happy new year everyone. Background of my production setup. Using tomcat 10 and in linux environment, using the following accesslog valve %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i' '%{User-Agent}i' %D %S api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - I often see the above registered in accesslog and have the following questions 1. how/where to find more information about such requests? example how to reproduce of such request, how to enable debug to give more details about such request, etc? Enable debug logging for org.apache.coyote.http11.Http11Processor 2. how to block such requests (at tomcat or at firewall or any other way)? Tomcat has already blocked them. The requests were invalid. Processing stopped as soon as the request was found to be invalid. A 400 response was returned and the connection closed. There is little else Tomcat can do. Options for blocking earlier depend on why the requests are invalid. That said, Tomcat appears to be behind a reverse proxy. In most (all?) cases, I'd expect the proxy to reject the request before it gets to Tomcat. 3. what impact it has to tomcat (or service) if these requests come in huge amounts and in a short time. Minimal. Less impact than if valid requests were made since processing stops as soon as the request is found to be invalid. You might want to look at rate limiting abusive clients but in terms of a DoS, a valid request will cause more harm than one of these. Mark Thank you and happy to hear any other comments/opinions too. Kind regards, Jason - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org