Hi Mark,

Thank you. I enabled debugging and was able to reproduce (close to matching, but not the exact same output).

send null byte
--------------------------------------------------------------------------------
$ echo -e '\x00' | nc myhost.com 80
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1939
Date: Mon, 09 Jan 2023 08:58:52 GMT
Connection: close

<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in method name [0x00...]. HTTP method names must be tokens</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).</p><p><b>Exception</b></p><pre>java.lang.IllegalArgumentException: Invalid character found in method name [0x00...]. HTTP method names must be tokens
	org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.base/java.lang.Thread.run(Thread.java:834)
</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>CustomServer</h3></body></html>

the log file

09-Jan-2023 08:58:50.239 FINE [https-jsse-nio-8474-exec-3] org.apache.coyote.AbstractProcessorLight.process Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@573dbc7:org.apache.tomcat.util.net.SecureNioChannel@304f418e:java.nio.channels.SocketChannel[connected local=/142.222.222.222:8080 remote=/194.111.111.111:9385]], Status in: [OPEN_READ], State out: [OPEN]
09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
java.lang.IllegalArgumentException: Invalid character found in method name [0x00...]. HTTP method names must be tokens
	at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:834)
09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6] org.apache.coyote.http11.Http11Processor.badRequest The HTTP/1.1 request did not provide a host header
09-Jan-2023 08:58:52.868 FINE [http-nio-8084-exec-6] org.apache.coyote.AbstractProcessorLight.process Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@19369f2d:org.apache.tomcat.util.net.NioChannel@34663eed:java.nio.channels.SocketChannel[connected local=/142.222.222.222:8080 remote=/210.111.111.111:53328]], Status in: [OPEN_READ], State out: [CLOSED]

==> .access_log.2023-01-09.txt <==
210.111.111.111 - 210.111.111.111 - - [09/Jan/2023:08:58:52 +0000] '-' 400 1939 '-' '-' 686 -
--------------------------------------------------------------------------------

in production

206.189.134.129 - 206.189.134.129 - - [09/Jan/2023:06:11:06 +0000] '-' 400 - '-' '-' 0 -

The difference is

%b - Bytes sent, excluding HTTP headers, or '-' if zero
%D - Time taken to process the request in microseconds

so I guess the attacker checks if the port is open without sending any bytes, and tomcat took 0 seconds to process.
Christopher, no, X-Forwarded-For and %h values are not the same.

On Fri, Jan 6, 2023 at 6:30 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Mark, Jason,
>
> On 1/4/23 09:07, Mark Thomas wrote:
> > On 04/01/2023 04:09, Jason Wee wrote:
> >> Hi,
> >>
> >> Happy new year everyone.
> >>
> >> Background of my production setup. Using tomcat 10 and in a linux
> >> environment, using the following accesslog valve
> >>
> >> %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i'
> >> '%{User-Agent}i' %D %S
> >>
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >>
> >> I often see the above registered in the accesslog and have the following
> >> questions
> >>
> >> 1. how/where to find more information about such requests? for example, how
> >> to reproduce such a request, how to enable debug to give more details
> >> about such a request, etc?
> >
> > Enable debug logging for
> > org.apache.coyote.http11.Http11Processor
> >
> >> 2. how to block such requests (at tomcat or at the firewall or any other
> >> way)?
> >
> > Tomcat has already blocked them. The requests were invalid. Processing
> > stopped as soon as the request was found to be invalid. A 400 response
> > was returned and the connection closed. There is little else Tomcat can do.
> >
> > Options for blocking earlier depend on why the requests are invalid.
> > That said, Tomcat appears to be behind a reverse proxy. In most (all?)
> > cases, I'd expect the proxy to reject the request before it gets to Tomcat.
>
> Those requests look like they actually came from the reverse proxy
> (X-Forwarded-For and %h values are the same). They look a *lot* like
> "are you alive" requests that reverse proxies will often send to
> back-end servers to see whether or not real traffic should be sent to
> those back-end servers.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
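A triage script for the access log pattern discussed in this thread, added here as an example (it is not part of the thread and not Tomcat code): it parses lines written with the %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i' '%{User-Agent}i' %D %S valve pattern and labels 400 responses that carry no request line using the reading of %b and %D given above. The field mapping, the label names and the third sample line (a proxied request) are the example's own assumptions; the first two sample lines are the ones quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pattern: %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i' '%{User-Agent}i' %D %S
# Caveat: a multi-hop X-Forwarded-For ("a, b") contains a space and cannot match, because that
# field is unquoted in the pattern; such lines are reported as unparsed rather than guessed at.
LOG_RE = re.compile(
    r"^(?P<remote_ip>\S+) (?P<xff>\S+) (?P<remote_host>\S+) (?P<ident>\S+) (?P<user>\S+) "
    r"\[(?P<time>[^\]]+)\] '(?P<request>[^']*)' (?P<status>\d{3}) (?P<bytes>\S+) "
    r"'(?P<referer>[^']*)' '(?P<agent>[^']*)' (?P<micros>\d+) (?P<session>\S+)$"
)
@dataclass
class Entry:
    remote_ip: str          # %a
    xff: Optional[str]      # %{X-Forwarded-For}i; None when the header was absent ('-')
    remote_host: str        # %h
    request: Optional[str]  # %r; None when Tomcat parsed no request line ('-')
    status: int             # %s
    bytes_sent: int         # %b; Tomcat logs '-' for zero
    micros: int             # %D

def parse_line(line: str) -> Optional[Entry]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        remote_ip=m["remote_ip"], xff=None if m["xff"] == "-" else m["xff"],
        remote_host=m["remote_host"], request=None if m["request"] == "-" else m["request"],
        status=int(m["status"]), bytes_sent=0 if m["bytes"] == "-" else int(m["bytes"]),
        micros=int(m["micros"]),
    )

def classify(e: Entry) -> str:
    """Label a line, using the thread's reading of %b and %D for 400s with no request line."""
    if e.status != 400 or e.request is not None:
        return "normal"
    if e.bytes_sent == 0 and e.micros == 0:
        return "empty-connection"   # nothing parsed, no error page sent, no time spent
    return "malformed-request"      # Tomcat parsed junk (e.g. the \x00 probe) and sent its error page

# Sample log (constructed): the two lines quoted in the thread plus one assumed proxied request.
SAMPLE_LOG = """\
210.111.111.111 - 210.111.111.111 - - [09/Jan/2023:08:58:52 +0000] '-' 400 1939 '-' '-' 686 -
206.189.134.129 - 206.189.134.129 - - [09/Jan/2023:06:11:06 +0000] '-' 400 - '-' '-' 0 -
10.0.0.5 203.0.113.7 10.0.0.5 - - [09/Jan/2023:06:12:00 +0000] 'GET /api/health HTTP/1.1' 200 15 '-' 'curl/7.81.0' 1200 -
"""
def triage(log_text: str) -> list:
    """Return (remote_ip, label) per line; lines the regex cannot parse give ('?', 'unparsed')."""
    entries = [parse_line(line) for line in log_text.splitlines()]
    return [("?", "unparsed") if e is None else (e.remote_ip, classify(e)) for e in entries]
```

Run triage over a whole access log and group by remote_ip to separate a single scanner from a proxy health check; an entry whose xff is None while remote_ip equals remote_host arrived directly, not through a proxy that sets the header.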