Re: how to block bad request?
Hi Mark,
Thank you. I enabled debugging and able to reproduce (close to
matching, but not exact same output)
send null byte
$ echo -e '\x00' | nc myhost.com 80
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1939
Date: Mon, 09 Jan 2023 08:58:52 GMT
Connection: close
HTTP Status 400 – Bad
Requestbody
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}HTTP
Status 400 – Bad RequestType
Exception ReportMessage Invalid character found in
method name [0x00...]. HTTP method names must be
tokensDescription The server cannot or will not process
the request due to something that is perceived to be a client error
(e.g., malformed request syntax, invalid request message framing, or
deceptive request
routing).Exceptionjava.lang.IllegalArgumentException:
Invalid character found in method name [0x00...]. HTTP method names
must be tokens
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
java.basejava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.basejava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.basejava.lang.Thread.run(Thread.java:834)
Note The full stack trace of the root cause is
available in the server logs.CustomServer
the log file
09-Jan-2023 08:58:50.239 FINE [https-jsse-nio-8474-exec-3]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@573dbc7:org.apache.tomcat.util.net.SecureNioChannel@304f418e:java.nio.channels.SocketChannel[connected
local=/142.222.222.222:8080 remote=/194.111.111.111:9385]], Status in:
[OPEN_READ], State out: [OPEN]
09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6]
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP
request header
java.lang.IllegalArgumentException: Invalid character found in method
name [0x00...]. HTTP method names must be tokens
at
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563)
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6]
org.apache.coyote.http11.Http11Processor.badRequest The HTTP/1.1
request did not provide a host header
09-Jan-2023 08:58:52.868 FINE [http-nio-8084-exec-6]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@19369f2d:org.apache.tomcat.util.net.NioChannel@34663eed:java.nio.channels.SocketChannel[connected
local=/142.222.222.222:8080 remote=/210.111.111.111:53328]], Status
in: [OPEN_READ], State out: [CLOSED]
==> .access_log.2023-01-09.txt <==
210.111.111.111 - 210.111.111.111 - - [09/Jan/2023:08:58:52 +] '-'
400 1939 '-' '-' 686 -
in production
206.189.134.129 - 206.189.134.129 - - [09/Jan/2023:06:11:06 +] '-'
400 - '-' '-' 0 -
The different is
%b - Bytes sent, excluding HTTP headers, or '-' if zero
%D - Time taken to process the request in microseconds
so I guess the attacker check if the port is opened without sending
any bytes and tomcat took 0 second to process.
Christopher,
no, X-Forwarded-For and %h values are not the same.
On Fri, Jan 6, 2023 at 6:30 AM Christopher Schultz
wrote:
>
> Mark, Jason,
>
> On 1/4/23 09:07, Mark Thomas wrote:
> > On 04/01/2023 04:09, Jason Wee wrote:
> >> Hi,
> >>
> >> Happy new year everyone.
> >>
> >> Background of my production setup. Using tomcat 10 and in linux
> >>
Re: how to block bad request?
Mark, Jason,
On 1/4/23 09:07, Mark Thomas wrote:
On 04/01/2023 04:09, Jason Wee wrote:
Hi,
Happy new year everyone.
Background of my production setup. Using tomcat 10 and in linux
environment, using the following accesslog valve
%a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i'
'%{User-Agent}i' %D %S
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
I often see the above registered in accesslog and have the following
questions
1. how/where to find more information about such requests? example how
to reproduce of such request, how to enable debug to give more details
about such request, etc?
Enable debug logging for
org.apache.coyote.http11.Http11Processor
2. how to block such requests (at tomcat or at firewall or any other
way)?
Tomcat has already blocked them. The requests were invalid. Processing
stopped as soon as the request was found to be invalid. A 400 response
was returned and the connection closed. There is little else Tomcat can do.
Options for blocking earlier depend on why the requests are invalid.
That said, Tomcat appears to be behind a reverse proxy. In most (all?)
cases, I'd expect the proxy to reject the request before it gets to Tomcat.
Those requests look like they actually came from the reverse proxy
(X-Forwarded-For and %h values are the same). They look a *lot* like
"are you alive" requests that reverse proxies will often send to
back-end servers to see whether or not real traffic should be sent to
those back-end servers.
-chris
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to block bad request?
On 04/01/2023 04:09, Jason Wee wrote:
Hi,
Happy new year everyone.
Background of my production setup. Using tomcat 10 and in linux
environment, using the following accesslog valve
%a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i'
'%{User-Agent}i' %D %S
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
I often see the above registered in accesslog and have the following questions
1. how/where to find more information about such requests? example how
to reproduce of such request, how to enable debug to give more details
about such request, etc?
Enable debug logging for
org.apache.coyote.http11.Http11Processor
2. how to block such requests (at tomcat or at firewall or any other way)?
Tomcat has already blocked them. The requests were invalid. Processing
stopped as soon as the request was found to be invalid. A 400 response
was returned and the connection closed. There is little else Tomcat can do.
Options for blocking earlier depend on why the requests are invalid.
That said, Tomcat appears to be behind a reverse proxy. In most (all?)
cases, I'd expect the proxy to reject the request before it gets to Tomcat.
3. what impact it has to tomcat (or service) if these requests come in
huge amounts and in a short time.
Minimal. Less impact than if valid requests were made since processing
stops as soon as the request is found to be invalid. You might want to
look at rate limiting abusive clients but in terms of a DoS, a valid
request will cause more harm than one of these.
Mark
Thank you and happy to hear any other comments/opinions too.
Kind regards,
Jason
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
