Date: Sat, 27 Mar 2004 20:28:10 +0100 (CET) From: Cordula's Web <cpghost@cordula.ws> To: jacks@sage-american.com Cc: freebsd-questions@freebsd.org Subject: Re: Very long URL with malice intended Message-ID: <20040327192810.94D4B40811@fw.farid-hajji.net> In-Reply-To: <3.0.5.32.20040327092812.01f49a10@10.0.0.15> (jacks@sage-american.com) References: <3.0.5.32.20040327092812.01f49a10@10.0.0.15>
next in thread | previous in thread | raw e-mail | index | archive | help
> Within the past couple of weeks, the Apache logs have shown a new type of > intrusion -- a very, very long URL request -- that finally receives a error > 414. I don't know the purpose of this one, but doesn't appear > well-intended. It comes late at night and from different IPs. One request > even used one of my own IPs. So, the firewall won't help -- nor server deny. > > My question is what syntax can I add, if any, to my httpd.conf to redirect > such requests..?? > > Here's a very small (about 1-5%) snippet of the nasty URL: > > 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH > /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb > 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 > 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb > 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 > 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb > 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 > 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 .... and > on and on.... Are only SEARCH requests affected, or GET as well? > Any suggestions on a way to stop these much appreciated. > > Best regards, > Jack L. Stone, > Administrator > > Sage American > http://www.sage-american.com > jacks@sage-american.com -- Cordula's Web. http://www.cordula.ws/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040327192810.94D4B40811>