Hi Mark,

Thank you. I enabled debugging and am able to reproduce (close to
matching, but not the exact same output).

Send a null byte:


--------------------------------------------------------------------------------

$ echo -e '\x00' | nc myhost.com 80
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1939
Date: Mon, 09 Jan 2023 08:58:52 GMT
Connection: close

<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad
Request</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b>
Exception Report</p><p><b>Message</b> Invalid character found in
method name [0x00...]. HTTP method names must be
tokens</p><p><b>Description</b> The server cannot or will not process
the request due to something that is perceived to be a client error
(e.g., malformed request syntax, invalid request message framing, or
deceptive request
routing).</p><p><b>Exception</b></p><pre>java.lang.IllegalArgumentException:
Invalid character found in method name [0x00...]. HTTP method names
must be tokens
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.base/java.lang.Thread.run(Thread.java:834)
</pre><p><b>Note</b> The full stack trace of the root cause is
available in the server logs.</p><hr class="line"
/><h3>CustomServer</h3></body></html>


The log file:


09-Jan-2023 08:58:50.239 FINE [https-jsse-nio-8474-exec-3]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@573dbc7:org.apache.tomcat.util.net.SecureNioChannel@304f418e:java.nio.channels.SocketChannel[connected
local=/142.222.222.222:8080 remote=/194.111.111.111:9385]], Status in:
[OPEN_READ], State out: [OPEN]
09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6]
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP
request header
java.lang.IllegalArgumentException: Invalid character found in method
name [0x00...]. HTTP method names must be tokens
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6]
org.apache.coyote.http11.Http11Processor.badRequest The HTTP/1.1
request did not provide a host header
09-Jan-2023 08:58:52.868 FINE [http-nio-8084-exec-6]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@19369f2d:org.apache.tomcat.util.net.NioChannel@34663eed:java.nio.channels.SocketChannel[connected
local=/142.222.222.222:8080 remote=/210.111.111.111:53328]], Status
in: [OPEN_READ], State out: [CLOSED]



==> .access_log.2023-01-09.txt <==
210.111.111.111 - 210.111.111.111 - - [09/Jan/2023:08:58:52 +0000] '-'
400 1939 '-' '-' 686 -

--------------------------------------------------------------------------------

In production:

206.189.134.129 - 206.189.134.129 - - [09/Jan/2023:06:11:06 +0000] '-'
400 - '-' '-' 0 -



The difference is in

%b - Bytes sent, excluding HTTP headers, or '-' if zero
%D - Time taken to process the request in microseconds


so I guess the attacker checks whether the port is open without sending
any bytes, and Tomcat took 0 seconds to process it.


Christopher,

No, the X-Forwarded-For and %h values are not the same.

On Fri, Jan 6, 2023 at 6:30 AM Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Mark, Jason,
>
> On 1/4/23 09:07, Mark Thomas wrote:
> > On 04/01/2023 04:09, Jason Wee wrote:
> >> Hi,
> >>
> >> Happy new year everyone.
> >>
> >> Background of my production setup: using Tomcat 10 in a Linux
> >> environment, with the following AccessLogValve pattern:
> >>
> >> %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i'
> >> '%{User-Agent}i' %D %S
> >>
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >>
> >> I often see the above registered in accesslog and have the following
> >> questions
> >>
> >> 1. How/where can I find more information about such requests? For example,
> >> how to reproduce such a request, how to enable debugging to give more details
> >> about such a request, etc.?
> >
> > Enable debug logging for
> > org.apache.coyote.http11.Http11Processor
> >
> >> 2. How can I block such requests (at Tomcat, at the firewall, or any other
> >> way)?
> >
> > Tomcat has already blocked them. The requests were invalid. Processing
> > stopped as soon as the request was found to be invalid. A 400 response
> > was returned and the connection closed. There is little else Tomcat can do.
> >
> > Options for blocking earlier depend on why the requests are invalid.
> > That said, Tomcat appears to be behind a reverse proxy. In most (all?)
> > cases, I'd expect the proxy to reject the request before it gets to Tomcat.
>
> Those requests look like they actually came from the reverse proxy
> (X-Forwarded-For and %h values are the same). They look a *lot* like
> "are you alive" requests that reverse proxies will often send to
> back-end servers to see whether or not real traffic should be sent to
> those back-end servers.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


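The distinction drawn above, between a 400 whose %b is '-' and %D is 0 (nothing was ever sent on the connection) and a 400 that returned Tomcat's 1939-byte error page after some microseconds of parsing, is easy to automate over the access log. The following is an added example, not code from the thread or from Tomcat: it parses lines in the exact AccessLogValve pattern quoted in the thread (`%a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i' '%{User-Agent}i' %D %S`, single-quoted fields included) and labels each no-request-line 400 accordingly. The first three sample lines are the ones posted in the thread; the `10.0.0.5` line is constructed to show a normal request passing through.

```python
"""Classify Tomcat AccessLogValve 400s: 'nothing sent' connections vs. rejected
malformed requests. Added example; assumes the valve pattern quoted in the thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Pattern from the thread:
#   %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i' '%{User-Agent}i' %D %S
# %t renders as [dd/Mon/yyyy:HH:mm:ss +zzzz]. User-Agent is matched greedily so a
# quote inside it does not break the line; the trailing "%D %S" anchors the end.
LOG_RE = re.compile(
    r"^(?P<remote_ip>\S+) (?P<xff>\S+) (?P<remote_host>\S+) (?P<logname>\S+) (?P<user>\S+) "
    r"\[(?P<time>[^\]]+)\] '(?P<request>[^']*)' (?P<status>\d{3}) (?P<bytes>\S+) "
    r"'(?P<referer>[^']*)' '(?P<user_agent>.*)' (?P<micros>\d+) (?P<session>\S+)$"
)


@dataclass
class AccessLogEntry:
    remote_ip: str
    xff: Optional[str]          # %{X-Forwarded-For}i, None when logged as '-'
    remote_host: str            # %h
    time: str
    request: Optional[str]      # %r, None when Tomcat never got a request line
    status: int
    bytes_sent: int             # %b: '-' means zero body bytes
    micros: int                 # %D: processing time in microseconds
    user_agent: Optional[str]


def _dash_to_none(value: str) -> Optional[str]:
    return None if value == "-" else value


def parse_line(line: str) -> AccessLogEntry:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"line does not match the access log pattern: {line!r}")
    g = m.groupdict()
    return AccessLogEntry(
        remote_ip=g["remote_ip"],
        xff=_dash_to_none(g["xff"]),
        remote_host=g["remote_host"],
        time=g["time"],
        request=_dash_to_none(g["request"]),
        status=int(g["status"]),
        bytes_sent=0 if g["bytes"] == "-" else int(g["bytes"]),
        micros=int(g["micros"]),
        user_agent=_dash_to_none(g["user_agent"]),
    )


def classify(entry: AccessLogEntry) -> str:
    """Label a 400 without a request line by what %b and %D reveal.

    empty_connection:  %b '-' and %D 0. No request line was ever parsed; the
                       client connected and went away (port probe, TCP-level
                       health check). The thread's production lines look like this.
    malformed_request: bytes arrived, were rejected, and Tomcat's error page was
                       returned, as in the null-byte reproduction (1939 bytes, 686 us).
    """
    if entry.status == 400 and entry.request is None:
        if entry.bytes_sent == 0 and entry.micros == 0:
            return "empty_connection"
        return "malformed_request"
    return "other"


def summarize(lines: Iterable[str]) -> Counter:
    """Count (remote_ip, class) pairs; lines that do not parse are counted separately."""
    counts: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        try:
            entry = parse_line(line)
        except ValueError:
            counts[("unparsed", "unparsed")] += 1
            continue
        counts[(entry.remote_ip, classify(entry))] += 1
    return counts


# First three lines are from the thread; the 10.0.0.5 line is constructed.
SAMPLE_LOG = """\
210.111.111.111 - 210.111.111.111 - - [09/Jan/2023:08:58:52 +0000] '-' 400 1939 '-' '-' 686 -
206.189.134.129 - 206.189.134.129 - - [09/Jan/2023:06:11:06 +0000] '-' 400 - '-' '-' 0 -
94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
10.0.0.5 - 10.0.0.5 - - [09/Jan/2023:09:00:00 +0000] 'GET /api/health HTTP/1.1' 200 15 '-' 'curl/7.81.0' 1200 -
"""

if __name__ == "__main__":
    for (ip, label), n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:16} {label:18} {n}")
```

Run it against a real log with `summarize(open("api.access_log.2022-12-20.txt"))`. Sources that only ever produce `empty_connection` are candidates for a firewall rule or, if they are the reverse proxy's own address, for a health-check configuration that sends a real request instead of a bare TCP connect.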