#1560 closed defect (invalid)
Slow response on wrong request
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.13.x |
| Keywords: | timeout, bad request | Cc: | |
| uname -a: | Linux my-site 4.9.32-15.41.amzn1.x86_64 #1 SMP Thu Jun 22 06:20:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | |
nginx -V:
nginx version: nginx/1.10.3
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) built with OpenSSL 1.0.1k-fips 8 Jan 2015 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=' -Wl,-E' |
Description
We've noticed on our servers that some attackers try to add a website URL to the GET request they send to our servers (instead of a path).
I managed to reduce the request from a whole https://something address to a simple a://a and the problem still happens.
Since most of the standard UI tools are incompatible with this kind of request, I had to generate a GET packet myself and send it with netcat.
The reason I know there's a problem specifically with nginx is that I sent this request to both the nginx and Apache websites and got two different responses.
This request returns 400 immediately:
time echo -e 'GET a://a HTTP/1.1' | nc httpd.apache.org 80
This request is waiting for 60 seconds and returns nothing:
time echo -e 'GET a://a HTTP/1.1' | nc nginx.org 80
I don't have IIS to test this on, but I'm pretty sure we will be seeing something similar.
(Although my version is older than the one on the official website, I've attached my nginx -V; I can confirm this on 1.13.12 as running on the main nginx website.)
Change History (2)
comment:1 by , 6 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
This form of an HTTP request is known as "absolute form", see RFC 7230. While normal clients do not use this form except in requests to proxies, servers are required to handle requests in the absolute form:
The pause you see is due to the fact that the request is not complete, and nginx waits for more input until client_header_timeout expires.
As for the 400 from httpd.apache.org, it seems to be caused by the rejection of bare LF instead of CRLF in your requests; these are rejected by Apache when configured with HttpProtocolOptions Strict.
comment:2 by , 6 years ago
So if I don't need it and it can potentially create load on my server, is there a way to block this kind of request?
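The framing behaviour explained above (a head with no terminating empty line, which nginx keeps reading until client_header_timeout, versus a bare-LF line that Apache in strict mode rejects at once), as an added Python illustration that is not code from the ticket, from nginx or from Apache. The sample request heads are constructed; `server_action` is a simplified model of the two servers' decisions, not either server's parser.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample request heads (wire bytes), not captures from the ticket.
INCOMPLETE_BARE_LF = b"GET a://a HTTP/1.1\n"   # what `echo -e '...' | nc` sends: bare LF, no empty line
COMPLETE_ABSOLUTE = b"GET http://example.test/p HTTP/1.1\r\nHost: example.test\r\n\r\n"
COMPLETE_ORIGIN = b"GET /p HTTP/1.1\r\nHost: example.test\r\n\r\n"

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")
SCHEME = re.compile(rb"^[A-Za-z][A-Za-z0-9+.-]*://")  # absolute-form starts with a URI scheme

@dataclass
class HeadInfo:
    complete: bool              # head terminated by an empty line
    bare_lf: bool               # some line ended with LF not preceded by CR
    method: Optional[bytes]     # None if the request line is absent or malformed
    target_form: Optional[str]  # origin / absolute / authority / asterisk (RFC 7230 5.3)

def classify_target(target: bytes) -> str:
    if target == b"*":
        return "asterisk"
    if target.startswith(b"/"):
        return "origin"
    if SCHEME.match(target):
        return "absolute"
    return "authority"          # host:port, only meaningful with CONNECT

def inspect_head(raw: bytes) -> HeadInfo:
    # Tolerant framing, as nginx does: a bare LF also ends a line.
    lines = raw.replace(b"\r\n", b"\n")
    complete = b"\n\n" in lines
    bare_lf = re.search(rb"(?<!\r)\n", raw) is not None
    m = REQUEST_LINE.match(lines.split(b"\n", 1)[0])
    if m is None:
        return HeadInfo(complete, bare_lf, None, None)
    return HeadInfo(complete, bare_lf, m.group(1), classify_target(m.group(2)))

def server_action(raw: bytes, strict_crlf: bool) -> str:
    """'reject' = 400 now; 'wait' = read until client_header_timeout; 'process' = handle it."""
    info = inspect_head(raw)
    if strict_crlf and info.bare_lf:
        return "reject"         # Apache with HttpProtocolOptions Strict
    if info.method is None and b"\n" in raw:
        return "reject"         # request line fully received but malformed
    if not info.complete:
        return "wait"           # nginx: no empty line yet, so the head is not finished
    return "process"            # a complete absolute-form request must be handled
```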