From: Cordula's Web
Reply-To: cpghost@cordula.ws
To: jacks@sage-american.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Very long URL with malice intended
Date: Sat, 27 Mar 2004 20:28:10 +0100 (CET)
Message-Id: <20040327192810.94D4B40811@fw.farid-hajji.net>
In-reply-to: <3.0.5.32.20040327092812.01f49a10@10.0.0.15> (jacks@sage-american.com)

> Within the past couple of weeks, the Apache logs have shown a new type of
> intrusion -- a very, very long URL request -- that finally receives an error
> 414. I don't know the purpose of this one, but doesn't appear
> well-intended. It comes late at night and from different IPs. One request
> even used one of my own IPs. So, the firewall won't help -- nor server deny.
>
> My question is what syntax can I add, if any, to my httpd.conf to redirect
> such requests..??
>
> Here's a very small (about 1-5%) snippet of the nasty URL:
>
> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 .... and
> on and on....

Are only SEARCH requests affected, or GET as well?

> Any suggestions on a way to stop these much appreciated.
>
> Best regards,
> Jack L. Stone,
> Administrator
>
> Sage American
> http://www.sage-american.com
> jacks@sage-american.com

--
Cordula's Web. http://www.cordula.ws/
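
Whether only SEARCH or also GET requests draw the 414 responses can be read from the access log itself. The Python sketch below is an added example, not part of the original thread: it tallies 414 responses per request method and notes how many request lines consist mostly of `\xhh`-escaped bytes. The function name `summarize_414` is hypothetical, and the sample lines are constructed (documentation-range addresses), modelled on the entry quoted above.

```python
import re
from collections import Counter, defaultdict

# host ident user [time] "request" status size  (common/combined log prefix).
# Inside the request, Apache logs '"' as \" and non-printable bytes as \xhh.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')

def summarize_414(lines):
    """Per request method: number of 414 responses, the source hosts, and
    how many request lines are more than half escaped (binary) bytes."""
    by_method = Counter()
    hosts = defaultdict(set)
    binary = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "414":
            continue  # unparsable line, or not a "URI too long" response
        request = m.group("request")
        method = request.split(" ", 1)[0] or "-"
        by_method[method] += 1
        hosts[method].add(m.group("host"))
        escaped_chars = 4 * len(ESCAPED_BYTE.findall(request))
        if request and escaped_chars / len(request) > 0.5:
            binary[method] += 1
    return {
        meth: {"count": n, "hosts": sorted(hosts[meth]),
               "mostly_binary": binary[meth]}
        for meth, n in by_method.items()
    }

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [26/Mar/2004:19:01:04 -0600] "SEARCH /\\x90'
    + '\\x02\\xb1' * 40 + '" 414 271',
    '198.51.100.7 - - [26/Mar/2004:23:40:12 -0600] "SEARCH /'
    + '\\x02\\xb1' * 40 + '" 414 271',
    '203.0.113.5 - - [27/Mar/2004:08:15:30 -0600] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [27/Mar/2004:08:16:02 -0600] "GET /' + 'A' * 200
    + ' HTTP/1.1" 414 271',
    'not an access log line',
]

if __name__ == "__main__":
    for method, info in sorted(summarize_414(SAMPLE).items()):
        print(method, info)
```
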