Posted to users@tomcat.apache.org by Jason Wee <pe...@gmail.com> on 2023/01/04 04:09:49 UTC

how to block bad request?

Hi,

Happy new year everyone.

Background of my production setup. Using tomcat 10 in a linux
environment, using the following accesslog valve

%a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i'
'%{User-Agent}i' %D %S

api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -

I often see the above registered in accesslog and have the following questions

1. how/where to find more information about such requests? For example, how
to reproduce such a request, how to enable debug to give more details
about such requests, etc.?
2. how to block such requests (at tomcat or at firewall or any other way)?
3. what impact does it have on tomcat (or the service) if these requests come in
huge amounts in a short time?

Thank you and happy to hear any other comments/opinions too.

Kind regards,
Jason

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: how to block bad request?

Posted by Jason Wee <pe...@gmail.com>.
Hi Mark,

Thank you. I enabled debugging and was able to reproduce it (close to
matching, but not the exact same output).

send null byte


--------------------------------------------------------------------------------

$ echo -e '\x00' | nc myhost.com 80
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1939
Date: Mon, 09 Jan 2023 08:58:52 GMT
Connection: close

<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad
Request</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b>
Exception Report</p><p><b>Message</b> Invalid character found in
method name [0x00...]. HTTP method names must be
tokens</p><p><b>Description</b> The server cannot or will not process
the request due to something that is perceived to be a client error
(e.g., malformed request syntax, invalid request message framing, or
deceptive request
routing).</p><p><b>Exception</b></p><pre>java.lang.IllegalArgumentException:
Invalid character found in method name [0x00...]. HTTP method names
must be tokens
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.base/java.lang.Thread.run(Thread.java:834)
</pre><p><b>Note</b> The full stack trace of the root cause is
available in the server logs.</p><hr class="line"
/><h3>CustomServer</h3></body></html>


the log file


09-Jan-2023 08:58:50.239 FINE [https-jsse-nio-8474-exec-3]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@573dbc7:org.apache.tomcat.util.net.SecureNioChannel@304f418e:java.nio.channels.SocketChannel[connected
local=/142.222.222.222:8080 remote=/194.111.111.111:9385]], Status in:
[OPEN_READ], State out: [OPEN]
09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6]
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP
request header
java.lang.IllegalArgumentException: Invalid character found in method
name [0x00...]. HTTP method names must be tokens
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:845)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1563)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
09-Jan-2023 08:58:52.867 FINE [http-nio-8084-exec-6]
org.apache.coyote.http11.Http11Processor.badRequest The HTTP/1.1
request did not provide a host header
09-Jan-2023 08:58:52.868 FINE [http-nio-8084-exec-6]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@19369f2d:org.apache.tomcat.util.net.NioChannel@34663eed:java.nio.channels.SocketChannel[connected
local=/142.222.222.222:8080 remote=/210.111.111.111:53328]], Status
in: [OPEN_READ], State out: [CLOSED]



==> .access_log.2023-01-09.txt <==
210.111.111.111 - 210.111.111.111 - - [09/Jan/2023:08:58:52 +0000] '-'
400 1939 '-' '-' 686 -

--------------------------------------------------------------------------------

in production

206.189.134.129 - 206.189.134.129 - - [09/Jan/2023:06:11:06 +0000] '-'
400 - '-' '-' 0 -



The difference is

%b - Bytes sent, excluding HTTP headers, or '-' if zero
%D - Time taken to process the request in microseconds


so I guess the attacker checks if the port is open without sending
any bytes, and tomcat took 0 seconds to process it.


Christopher,

no, X-Forwarded-For and %h values are not the same.

On Fri, Jan 6, 2023 at 6:30 AM Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Mark, Jason,
>
> On 1/4/23 09:07, Mark Thomas wrote:
> > On 04/01/2023 04:09, Jason Wee wrote:
> >> Hi,
> >>
> >> Happy new year everyone.
> >>
> >> Background of my production setup. Using tomcat 10 in a linux
> >> environment, using the following accesslog valve
> >>
> >> %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i'
> >> '%{User-Agent}i' %D %S
> >>
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> >> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> >>
> >> I often see the above registered in accesslog and have the following
> >> questions
> >>
> >> 1. how/where to find more information about such requests? For example, how
> >> to reproduce such a request, how to enable debug to give more details
> >> about such requests, etc.?
> >
> > Enable debug logging for
> > org.apache.coyote.http11.Http11Processor
> >
> >> 2. how to block such requests (at tomcat or at firewall or any other
> >> way)?
> >
> > Tomcat has already blocked them. The requests were invalid. Processing
> > stopped as soon as the request was found to be invalid. A 400 response
> > was returned and the connection closed. There is little else Tomcat can do.
> >
> > Options for blocking earlier depend on why the requests are invalid.
> > That said, Tomcat appears to be behind a reverse proxy. In most (all?)
> > cases, I'd expect the proxy to reject the request before it gets to Tomcat.
>
> Those requests look like they actually came from the reverse proxy
> (X-Forwarded-For and %h values are the same). They look a *lot* like
> "are you alive" requests that reverse proxies will often send to
> back-end servers to see whether or not real traffic should be sent to
> those back-end servers.
>
> -chris
>



Re: how to block bad request?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark, Jason,

On 1/4/23 09:07, Mark Thomas wrote:
> On 04/01/2023 04:09, Jason Wee wrote:
>> Hi,
>>
>> Happy new year everyone.
>>
>> Background of my production setup. Using tomcat 10 in a linux
>> environment, using the following accesslog valve
>>
>> %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i'
>> '%{User-Agent}i' %D %S
>>
>> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
>> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
>> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
>> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
>> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
>> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
>> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
>> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
>> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
>> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
>> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
>> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
>> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
>> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
>>
>> I often see the above registered in accesslog and have the following 
>> questions
>>
>> 1. how/where to find more information about such requests? For example, how
>> to reproduce such a request, how to enable debug to give more details
>> about such requests, etc.?
> 
> Enable debug logging for
> org.apache.coyote.http11.Http11Processor
> 
>> 2. how to block such requests (at tomcat or at firewall or any other 
>> way)?
> 
> Tomcat has already blocked them. The requests were invalid. Processing 
> stopped as soon as the request was found to be invalid. A 400 response 
> was returned and the connection closed. There is little else Tomcat can do.
> 
> Options for blocking earlier depend on why the requests are invalid. 
> That said, Tomcat appears to be behind a reverse proxy. In most (all?) 
> cases, I'd expect the proxy to reject the request before it gets to Tomcat.

Those requests look like they actually came from the reverse proxy 
(X-Forwarded-For and %h values are the same). They look a *lot* like 
"are you alive" requests that reverse proxies will often send to 
back-end servers to see whether or not real traffic should be sent to 
those back-end servers.

-chris



Re: how to block bad request?

Posted by Mark Thomas <ma...@apache.org>.
On 04/01/2023 04:09, Jason Wee wrote:
> Hi,
> 
> Happy new year everyone.
> 
> Background of my production setup. Using tomcat 10 in a linux
> environment, using the following accesslog valve
> 
> %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i'
> '%{User-Agent}i' %D %S
> 
> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
> [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
> 
> I often see the above registered in accesslog and have the following questions
> 
> 1. how/where to find more information about such requests? For example, how
> to reproduce such a request, how to enable debug to give more details
> about such requests, etc.?

Enable debug logging for
org.apache.coyote.http11.Http11Processor

> 2. how to block such requests (at tomcat or at firewall or any other way)?

Tomcat has already blocked them. The requests were invalid. Processing 
stopped as soon as the request was found to be invalid. A 400 response 
was returned and the connection closed. There is little else Tomcat can do.

Options for blocking earlier depend on why the requests are invalid. 
That said, Tomcat appears to be behind a reverse proxy. In most (all?) 
cases, I'd expect the proxy to reject the request before it gets to Tomcat.

> 3. what impact does it have on tomcat (or the service) if these requests come in
> huge amounts in a short time?

Minimal. Less impact than if valid requests were made since processing 
stops as soon as the request is found to be invalid. You might want to 
look at rate limiting abusive clients but in terms of a DoS, a valid 
request will cause more harm than one of these.

Mark

> 
> Thank you and happy to hear any other comments/opinions too.
> 
> Kind regards,
> Jason
> 

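As an added example (not from the thread and not Tomcat's own code), a small Python parser for the AccessLogValve pattern quoted above. It separates the two 400 cases Jason compared (no bytes sent and 0 microseconds, versus Tomcat's 400 error page with a body) and counts them per client, which is the input a practitioner needs for the rate limiting Mark suggests. The sample lines, the category names and the threshold are constructed here; the client key falls back from X-Forwarded-For to %a.

```python
import re
from collections import Counter, defaultdict
# Field layout of the AccessLogValve pattern quoted in the thread:
# %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i' '%{User-Agent}i' %D %S
LINE_RE = re.compile(
    r"^(?P<a>\S+) (?P<xff>\S+) (?P<h>\S+) (?P<l>\S+) (?P<u>\S+) "
    r"\[(?P<t>[^\]]+)\] '(?P<r>[^']*)' (?P<s>\d{3}) (?P<b>\S+) "
    r"'(?P<ref>[^']*)' '(?P<ua>[^']*)' (?P<D>\d+) (?P<S>\S+)$"
)

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Label a record the way the thread separates the two 400 cases (constructed names)."""
    if rec["s"] != "400":
        return "ok"
    # %b is '-' when no body was sent; %D is the microseconds Tomcat spent on it.
    if rec["r"] == "-" and rec["b"] == "-" and int(rec["D"]) == 0:
        return "empty-connect"      # connected, sent nothing usable: a port probe
    if rec["b"] != "-":
        return "malformed-request"  # Tomcat parsed input and sent its 400 error page
    return "bad-request"

def client_of(rec):
    """Use X-Forwarded-For when the proxy set it, else the remote address (%a)."""
    return rec["xff"] if rec["xff"] != "-" else rec["a"]

def summarize(lines, threshold=3):
    """Count categories per client; clients with >= threshold 400s are
    candidates for rate limiting at the proxy or firewall."""
    per_client = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_client[client_of(rec)][classify(rec)] += 1
    abusive = sorted(c for c, n in per_client.items()
                     if sum(n.values()) - n["ok"] >= threshold)
    return per_client, abusive

# Constructed sample lines in the thread's format (addresses mirror the posted ones).
SAMPLE = [
    "94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -",
    "94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -",
    "94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -",
    "210.111.111.111 - 210.111.111.111 - - [09/Jan/2023:08:58:52 +0000] '-' 400 1939 '-' '-' 686 -",
    "10.0.0.5 203.0.113.7 10.0.0.5 - - [09/Jan/2023:09:00:01 +0000] 'GET /api/health HTTP/1.1' 200 17 '-' 'curl/7.88' 1200 -",
]
```

Run `summarize(SAMPLE)` over a real file's lines to get per-client counts plus the list of clients that crossed the threshold; only the non-200 categories count toward it.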