Re: strange HTTP requests

bugtraq_at_cgisecurity.net
Date: 08/26/03

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: strange web traffic"
    To: wcarlson@vh.org (Bill Carlson)
    Date: Tue, 26 Aug 2003 12:02:50 -0400 (EDT)
    
    

    This is a perfectly valid HTTP request. Opening up a raw connection to "vh.org", I see the following.

    Request
    GET / HTTP/1.0
    Host: vh.org

    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 26 Aug 2003 15:47:59 GMT
    Server: Apache
    Location: http://www.vh.org/
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    As you can see, sending the raw request above to vh.org will cause a redirect, as indicated by the "Location" header. By sending the following request below to "www.vh.org", a redirect will not be performed.

    Request
    GET / HTTP/1.0
    Host: www.vh.org

    Response
    HTTP/1.1 200 OK
    Date: Tue, 26 Aug 2003 15:49:49 GMT
    Server: Apache
    Last-Modified: Tue, 26 Aug 2003 00:12:07 GMT
    ETag: "3afa-32ee-3f4aa5d7"
    Accept-Ranges: bytes

    One of the following is happening:

    1. Your visitors are going to http://vh.org and being redirected to www.vh.org (probably the case).
    2. Your user is entering www.vh.org but the user's browser is incorrectly sending "vh.org" in the Host header (unlikely, and if so, less than 5 percent of total traffic).

    I suspect #1 confidently. This would be something in your site configuration and not an attack, at least not with the information you provided below. I would read RFC 2616 for more information on HTTP 1.1 and how it works.

    Regards,

    - admin@cgisecurity.com

    >
    > Hey all,
    >
    > I've been seeing a lot of server requests for the last several months,
    > they look like this:
    >
    > GET / HTTP/1.1
    > Host: vh.org
    > Cache-Control: no-cache
    >
    >
    > That's it. The particular config on our servers returns a 301 (permanent
    > redirect), which is why I noticed these requests; half our traffic
    > being 301s spells trouble.
    >
    > The traffic doesn't appear to be spoofed from what I've gathered so far
    > after talking to a couple of sites.
    >
    > The traffic pattern goes like this:
    >
    > Remote Local
    > ------------------
    > SYN
    > SYN-ACK
    > ACK
    > Request
    > ACK
    > 301 Reply
    > RST
    > RST
    > RST
    > -----------------
    >
    > For most IPs, this repeats every 5 minutes or so, out of a pool of 6000
    > addresses or so.
    >
    >
    > Anyone seen anything similar or have an idea what's behind the traffic?
    >
    >
    > Thanks,
    >
    > Bill Carlson
    > --
    > Systems Administrator wcarlson@vh.org | Anything is possible,
    > Virtual Hospital http://www.vh.org/ | given time and money.
    > University of Iowa Hospitals and Clinics |
    > Opinions are mine, not my employer's. |
    >
    >
    >
    >
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    > October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    > technical IT security event. Modeled after the famous Black Hat event in
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    > Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com
    > ----------------------------------------------------------------------------
    >

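As an added example (not code from this thread or from either poster), the triage the reply above suggests, written out as a short Python script run over access-log lines: it breaks responses down by the Host header the client sent, so the 301s can be checked against the bare "vh.org" name versus the canonical "www.vh.org", and it measures how regularly each client IP comes back, to test the "every 5 minutes or so" observation. The log format is an assumption (Apache's combined format with the request's Host header appended via %{Host}i), and the sample log lines are constructed for the example, not real vh.org traffic.

```python
"""Triage of 301 traffic in an Apache access log, grouped by Host header and client.

Added example, not code from the thread. Assumes a hypothetical LogFormat that appends
the request's Host header as a final quoted field:
  "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\""
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (not real vh.org traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [26/Aug/2003:12:00:03 -0500] "GET / HTTP/1.1" 301 231 "-" "-" "vh.org"
10.0.0.2 - - [26/Aug/2003:12:00:10 -0500] "GET / HTTP/1.1" 200 13038 "-" "Mozilla/4.0" "www.vh.org"
10.0.0.2 - - [26/Aug/2003:12:00:11 -0500] "GET /style.css HTTP/1.1" 200 4021 "http://www.vh.org/" "Mozilla/4.0" "www.vh.org"
10.0.0.3 - - [26/Aug/2003:12:01:00 -0500] "GET / HTTP/1.1" 301 231 "-" "-" "vh.org"
10.0.0.1 - - [26/Aug/2003:12:05:01 -0500] "GET / HTTP/1.1" 301 231 "-" "-" "vh.org"
10.0.0.3 - - [26/Aug/2003:12:06:02 -0500] "GET / HTTP/1.1" 301 231 "-" "-" "vh.org"
10.0.0.1 - - [26/Aug/2003:12:10:04 -0500] "GET / HTTP/1.1" 301 231 "-" "-" "vh.org"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def status_by_host(entries):
    """Map each Host header value to a Counter of response status codes.

    If the 301s sit almost entirely under the bare name while the canonical name
    gets 200s, the redirects are the server's own host canonicalisation at work,
    i.e. hypothesis #1 in the reply above.
    """
    table = defaultdict(Counter)
    for e in entries:
        table[e["host"]][e["status"]] += 1
    return table


def redirect_fraction(entries):
    """Share of all requests answered with 301."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if e["status"] == 301) / len(entries)


def median_interval_by_ip(entries, host):
    """Median seconds between consecutive requests per client IP, for one Host value.

    Clients with a single request have no interval and are omitted.
    """
    times = defaultdict(list)
    for e in entries:
        if e["host"] == host:
            times[e["ip"]].append(e["time"])
    result = {}
    for ip, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if gaps:
            result[ip] = median(gaps)
    return result


def periodic_clients(entries, host, period=300.0, tolerance=15.0):
    """IPs whose median revisit interval for `host` is within `tolerance` seconds of `period`.

    Many such clients, all with no Referer and no User-Agent, is worth following up;
    a handful is just browsers and caches revisiting the bare name.
    """
    return {
        ip for ip, gap in median_interval_by_ip(entries, host).items()
        if abs(gap - period) <= tolerance
    }


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(f"{redirect_fraction(log):.0%} of requests were 301s")
    for host, counts in sorted(status_by_host(log).items()):
        print(f"  Host: {host:<12} {dict(counts)}")
    print("clients on a ~5 minute cadence:", sorted(periodic_clients(log, "vh.org")))
```

Run against a real log, the first table is the decisive one: 301s confined to the bare name with 200s under the canonical name is configuration, exactly as the reply says, and the periodicity check only matters if the set it returns is large and the requests carry no Referer or User-Agent.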

