Very long URL with malice intended

Cordula's Web cpghost at cordula.ws
Sat Mar 27 11:28:48 PST 2004


> Within the past couple of weeks, the Apache logs have shown a new type of
> intrusion -- a very, very long URL request -- that finally receives a error
> 414. I don't know the purpose of this one, but doesn't appear
> well-intended. It comes late at night and from different IPs. One request
> even used one of my own IPs. So, the firewall won't help -- nor server deny.
> 
> My question is what syntax can I add, if any, to my httpd.conf to redirect
> such requests..??
> 
> Here's a very small (about 1-5%) snippet of the nasty URL:
> 
> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 .... and
> on and on....

Are only SEARCH requests affected, or GET as well?

> Any suggestions on a way to stop these much appreciated.
> 
> Best regards,
> Jack L. Stone,
> Administrator
> 
> Sage American
> http://www.sage-american.com
> jacks at sage-american.com

-- 
Cordula's Web. http://www.cordula.ws/



More information about the freebsd-questions mailing list