On 6/27/10 9:55 PM, Willy Tarreau wrote:
> Hi Hank,
>
> On Sun, Jun 27, 2010 at 02:12:35PM -0700, Hank A. Paulson wrote:
>> I got this error hit via the haproxy socket, I noticed that there are
>> a few hits when searching for it, all related to corrupt headers with
>> lighttpd and people seem to be assuming it is lighttpd's fault but in
>> the case I received, it is clear that there are some junk characters
>> at the beginning of the request. (Perhaps lighttpd needs an option to
>> print errors with hex encoding in order to see the characters causing
>> the problems there)
>>
>> There is also this proxy blocking module for nginx that lists it when
>> searching for signs of a proxy:
>> http://www.linuxboy.net/nginx/ngx_http_proxyblock_module.c.txt
>>
>> I am wondering if this is some kind of web "fuzzer" software or if it
>> is just poorly coded proxy software or if other people have seen
>> problems with requests with a MT-Proxy-ID. (All the listings that I
>> have seen, locally and on the web, that include the MT-Proxy-ID
>> header have the same 1804289383 value.)
>>
>> Thanks for any insights.
>
> Don't you think this could simply be some discovery attack or bypass
> attempts ? The strangest part is the \x00, which, if intentionally
> left here, may be present to try to fool some HTTP parsers. Perhaps
> it targets a very specific product and was just blocked here. Anyway,
> if it's normally encountered with lighttpd, you may want to share that
> with the lighttpd guys so that they for once get a full dump of the
> abnormal request.
Sorry, I was not clear - the only substantive search results where I find "MT-Proxy-ID" have been in some lighttpd discussions. I think they are mistakenly thinking there is a problem with lighttpd. My guess is that they are not seeing the junk characters at the beginning of the request, and I am wondering if the software that adds the MT-Proxy-ID header also adds the junk characters due to poor coding, bugs, malicious purpose, etc.
My one error hit has nothing to do with lighttpd. I just find it odd that the only references to "MT-Proxy-ID" are in a few headers in discussions of problem requests.
Normally with unusual headers/user-agents you will find some search results with discussions asking about them and discussions of which software or websites use those headers or user-agent strings, etc. With MT-Proxy-ID I found none of that. Maybe the web hits for that string have been removed by Google for some reason :)
>> [04/Jun/2010:01:40:10.550] frontend abc (#1): invalid request
>> src w.x.y.z, session #25252051, backend<NONE> (#-1), server<NONE> (#-1)
>> request length 327 bytes, error at position 0:
>>
>> 00000 \x04\x02\x00POST /a/b/c/d HTTP/1.0\r\n
>> 00054 User-Agent: Mozilla/5.0 (compatible; MSIE 6.0;)\r\n
>> 00118 Host: foo.bar\r\n
>> 00137 Accept: */*\r\n
>> 00150 Content-Length: 8\r\n
>> 00169 Content-Type: application/x-www-form-urlencoded\r\n
>> 00218 MT-Proxy-ID: 1804289383\r\n
>> 00243 X-Forwarded-For: x.y.z.w\r\n
>> 00276 Connection: Keep-Alive\r\n
>> 00300 Keep-Alive: 300\r\n
>> 00317 \r\n
>> 00319 xa=23123
>
> Best regards,
> Willy
>
Received on 2010/06/28 10:24
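
Added example, not part of the original message and not HAProxy's own code: a small Python triage helper that decodes the escaped capture format quoted above back into raw bytes and reports what sits in front of the request line, including the `\x00` discussed in the thread. The function names and the returned keys are this example's own; the embedded sample is the capture from the message with the reply markers removed.

```python
import re

# Capture lines from the message above, reply markers removed. The printed
# offsets do not line up with the text as posted, so they are ignored here.
DUMP = r"""00000 \x04\x02\x00POST /a/b/c/d HTTP/1.0\r\n
00054 User-Agent: Mozilla/5.0 (compatible; MSIE 6.0;)\r\n
00118 Host: foo.bar\r\n
00137 Accept: */*\r\n
00150 Content-Length: 8\r\n
00169 Content-Type: application/x-www-form-urlencoded\r\n
00218 MT-Proxy-ID: 1804289383\r\n
00243 X-Forwarded-For: x.y.z.w\r\n
00276 Connection: Keep-Alive\r\n
00300 Keep-Alive: 300\r\n
00317 \r\n
00319 xa=23123"""

ESC = re.compile(r"\\(x[0-9A-Fa-f]{2}|[rnt\\])")
SIMPLE = {"r": b"\r", "n": b"\n", "t": b"\t", "\\": b"\\"}
REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/\d\.\d")

def decode_line(text):
    """Turn the dump's \\xHH, \\r, \\n, \\t escapes back into raw bytes."""
    out, pos = bytearray(), 0
    for m in ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        out += bytes([int(tok[1:], 16)]) if tok[0] == "x" else SIMPLE[tok]
        pos = m.end()
    return bytes(out) + text[pos:].encode("latin-1")

def parse_dump(dump):
    """Concatenate the decoded payload of every 'NNNNN text' capture line."""
    rows = (re.match(r"\s*\d{5} (.*)$", line) for line in dump.splitlines())
    return b"".join(decode_line(m.group(1)) for m in rows if m)

def leading_junk(raw):
    """Bytes in front of the request line; None if no request line exists."""
    m = REQUEST_LINE.search(raw)
    return raw[:m.start()] if m else None

def describe(dump):
    junk = leading_junk(parse_dump(dump))
    return {
        "junk": junk,
        "has_nul": junk is not None and 0 in junk,
        "control_prefix": bool(junk) and all(b < 0x20 or b > 0x7E for b in junk),
    }
```

Running `describe` over captures collected from several frontends makes it easy to see whether requests carrying a given header always arrive with the same leading bytes.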