Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#1560 closed defect (invalid)

Slow response on wrong request

Reported by: yarons@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.13.x
Keywords: timeout, bad request Cc:
uname -a: Linux my-site 4.9.32-15.41.amzn1.x86_64 #1 SMP Thu Jun 22 06:20:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.10.3 built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) built with OpenSSL 1.0.1k-fips 8 Jan 2015 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=' -Wl,-E'

Description

We've noticed on our servers that some attackers try to add a website URL to the GET request they send to our servers (instead of a path).

I managed to reduce the request from a whole https://something address to a simple a://a, and the problem still happens.

Since most standard UI tools are incompatible with this kind of request, I had to generate a GET packet myself and send it with netcat.

The reason I know there's a problem specifically with nginx is that I sent this request to both an nginx and an Apache website and got two different responses.

This request returns 400 immediately:

    time echo -e 'GET a://a HTTP/1.1' | nc httpd.apache.org 80

This request waits for 60 seconds and returns nothing:

    time echo -e 'GET a://a HTTP/1.1' | nc nginx.org 80

I don't have IIS to test this on, but I'm pretty sure we'll be seeing something similar.

(Although my version is older than the official website's, I've attached my nginx -V; I can confirm this on 1.13.12, as running on the main nginx website.)

Change History (2)

comment:1 Changed 18 months ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

This form of an HTTP request is known as "absolute form", see RFC 7230. While normal clients do not use this form except in requests to proxies, servers are required to handle requests in the absolute form:

   To allow for transition to the absolute-form for all requests in some
   future version of HTTP, a server MUST accept the absolute-form in
   requests, even though HTTP/1.1 clients will only send them in
   requests to proxies.

The pause you see is due to the fact that the request is not complete, and nginx waits for more input till client_header_timeout expires.

As for the 400 from httpd.apache.org, it seems to be caused by the rejection of bare LF instead of CRLF in your requests; these are rejected by Apache when configured with HttpProtocolOptions Strict.
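
As an added illustration (not code from the ticket, from nginx or from Apache), a small Python model of the two behaviours described in this comment; `head_status` and `target_form` are hypothetical helper names. It treats a request head as incomplete until the terminating empty line arrives, classifies the request-target form per RFC 7230, and optionally rejects bare LF the way HttpProtocolOptions Strict does.

```python
import re

# RFC 7230 request-line: method SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def target_form(target):
    """Classify a request-target into one of the four RFC 7230 forms."""
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if SCHEME.match(target):
        return "absolute-form"   # e.g. "a://a" or "https://host/path"
    return "authority-form"      # host:port, only valid with CONNECT


def head_status(raw, reject_bare_lf=False):
    """Decide what a server can do with the bytes received so far.

    "incomplete": no empty line yet, so the server keeps reading until
    client_header_timeout; "bad_request": malformed head; otherwise
    ("ok", method, form). reject_bare_lf models Apache's
    HttpProtocolOptions Strict, which rejects LF not preceded by CR.
    """
    if reject_bare_lf and re.search(rb"(?<!\r)\n", raw):
        return "bad_request"
    end = re.search(rb"\r?\n\r?\n", raw)
    if end is None:
        return "incomplete"
    lines = [ln.rstrip(b"\r").decode("ascii", "replace") for ln in raw[:end.start()].split(b"\n")]
    req = REQUEST_LINE.match(lines[0])
    if req is None:
        return "bad_request"
    method, target, major, minor = req.groups()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return "bad_request"
        headers[name.strip().lower()] = value.strip()
    # An HTTP/1.1 request without a Host header must get 400 (RFC 7230 5.4).
    if (major, minor) == ("1", "1") and "host" not in headers:
        return "bad_request"
    return ("ok", method, target_form(target))


# Constructed samples: what `echo -e 'GET a://a HTTP/1.1'` hands to nc, and
# the same request completed with a Host header and the terminating empty line.
TRUNCATED = b"GET a://a HTTP/1.1\n"
COMPLETE = b"GET a://a HTTP/1.1\r\nHost: a\r\n\r\n"
```

Run against TRUNCATED, the model reports "incomplete" (nginx keeps waiting) or, with reject_bare_lf=True, "bad_request" (Apache Strict); COMPLETE parses as an absolute-form GET.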

comment:2 Changed 18 months ago by yarons@…

So if I don't need it and it can potentially create load on my server, is there a way to block this kind of request?
