Thursday, 29 January 2015

HTTP Host Header redirect traffic



Recently, I've seen periodic floods of traffic to my web servers with various Host headers that do not belong to us. The traffic appears to come primarily from China and a decent number seem to think we're a BitTorrent tracker. They come from a wide variety of IPs and User Agents.


Example BitTorrent tracker request (anonymized):



GET /announce?info_hash=%B8%86%E1hJ%A7%1Dm%AAvL%0F%CF%F3%F7%03%95%A8%AB%AF&peer_id=%2D5F21100%2D%04%0DA%DE%3D%D9f%A4%0Aw%A7%2A&ip=112.84.xxx.xxx&port=13777&uploaded=1150728262&downloaded=1150728262&left=2292077&numwant=200&key=937&compact=1 HTTP/1.0
Host: open.tracker.thepiratebay.org
User-Agent: Bittorrent
Accept: */*
Connection: closed
X-Forwarded-Proto: http
X-Forwarded-For: 112.84.xxx.xxx


Example TypeKit image ping request:



GET /p.gif?s=1&k=yoe7ink&ht=sh&h=get.adobe.com&f=7180.7181.7182.7184&a=204670&_=1422582942577 HTTP/1.1
Host: p.typekit.net
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://ift.tt/1A59iiy
X-Forwarded-Proto: http
X-Forwarded-For: 27.189.xxx.xxx


Note that the web servers in question are behind a load balancer (Linode NodeBalancer), so the X-Forwarded-For and X-Forwarded-Proto headers are expected; they correspond to the original requests to the load balancer.


As far as I can tell, the web server is not acting as an open proxy. The response to these requests is simply a 302 redirect:



HTTP/1.1 302 Found
Date: Fri, 30 Jan 2015 01:56:00 GMT
...
Location: http://ift.tt/1zklYz9
Status: 302
Vary: Accept-Encoding
Content-Length: 108
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://ift.tt/1zklYz9">redirected</a>.</body></html>


The switch to /guide is provided by the Rails application that normally runs on these servers. It normally redirects some types of 404 traffic to http://ift.tt/1A59iyO.


I have two questions about this:



  1. Why are we receiving this traffic? What possibly can someone gain by using our servers to generate large numbers of HTTP redirects? It doesn't seem like they are pulling off an XSS attack on the unvalidated Host header.

  2. What do I do about it? Can or should I reconfigure Apache to reject requests where the Host header doesn't match a domain we own? Is there a way to figure out who is sending this traffic our way? Should I get a new IP for the load balancer?
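One way to implement the Apache-side rejection asked about in question 2, added here as an example and not the poster's own configuration. It assumes Apache 2.4 with name-based virtual hosts on *:80; the hostnames, paths and log location are placeholders.

```apache
# Added example (not the original poster's configuration). Assumes Apache 2.4,
# name-based virtual hosts on *:80, and that the site's real hostnames are
# example.com / www.example.com (placeholders).

# The first <VirtualHost> for an address:port pair is the default: Apache sends
# any request whose Host header matches no other ServerName/ServerAlias here
# (and any request with no Host header at all). Refusing it keeps unknown-Host
# traffic (tracker announces, TypeKit pings, ...) from ever reaching the Rails
# application and its 302 handler.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Location "/">
        Require all denied
    </Location>
    # Keep the rejected requests visible: client IP as seen by Apache, the
    # X-Forwarded-For value set by the load balancer, and the offending Host.
    LogFormat "%h %{X-Forwarded-For}i %{Host}i \"%r\" %>s" hostmismatch
    CustomLog /var/log/apache2/unknown-host.log hostmismatch
</VirtualHost>

# The real site: matched only when the Host header names one of our domains.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/app/public
    # ... existing Rails/Passenger (or proxy) directives unchanged ...
</VirtualHost>
```

Run `apachectl -S` after the change to confirm which virtual host Apache reports as the default for *:80; the rejection only works if the catch-all block is listed first.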




