Thread / Attack

Hi, possibly not exactly the right forum, but the server is running a CUBA App only.
Clearly an attack, but how severe is this and how to react?
Excerpt from the tomcat log.
(I haven't really the know-how to deal with such things)

21-Jan-2024 23:38:41.083 INFO [https-openssl-nio-8443-exec-6] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target [/XmlPeek.aspx?dt=\…\…\…\…\…\…\Windows\win.ini&x=/validate.ashx?requri]. The valid characters are defined in RFC 7230 and RFC 3986
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:486)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:261)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
22-Jan-2024 01:43:57.118 INFO [https-openssl-nio-8443-exec-5] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target [/images/…%2fcgi/cgi_i_filter.js?_tn={{trimprefix(base64_decode(httoken),]. The valid characters are defined in RFC 7230 and RFC 3986
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:486)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:261)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
23-Jan-2024 13:37:41.767 INFO [https-openssl-nio-8443-exec-24] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d…]
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:555)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:261)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
23-Jan-2024 13:37:43.017 INFO [https-openssl-nio-8443-exec-30] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target [/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/]. The valid characters are defined in RFC 7230 and RFC 3986
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:494)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:261)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)

Thanks a lot for help!

Hello,
we would need to know more details about your application, setup, network and use case.
As it is I can only give some general guidelines:

  • if your app does not need to be generally accessible from all the internet, block the access to it by software or hardware firewall to limit it to e.g. local network
  • if you don’t know the IPs of your clients and it’s on the internet, consider putting nginx server as proxy - it will proxy the http requests to your tomcat and thus filter a lot
  • cloudflare has zero trust product for free until a certain point I think, you can DNS your app with that and install a reverse tunnel
  • hint: amazon aws

Kind regards,
Mladen

Hello,
first of all, I think it’s important to have a quick solution. The users are well known, even if they are scattered across the internet.
However, I think it’s the best thing at the moment to solve it by blocking all but the user IP address.
Not ideal and comes along with an administrative effort.
Thanks Mladen, maybe I come back on this later on.

Hi,

org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.

The log messages that you see mean that someone is blindly sending malformed HTTP requests that target some known vulnerabilities in commonly used servers / frameworks, such as PHP, ASP or others.
Tomcat refuses to process such requests and logs a message.

As long as you use a modern application server, you are safe.
Note that such “attack” requests are fully automatic, not targeted to your particular system, and most probably are sent from a distributed bot network. So the situation isn’t like someone is attacking particularly your client.

General advice can be:

  • Limit the pool of IP addresses where the system is accessible from, using the firewall, if it is possible (principle of the least permissions)
  • Keep server software up-to-date: OS updates, Tomcat server (latest bugfix version).
  • Monitor your system for common performance attributes such as CPU usage, number of open files, etc. Thus you will quickly notice unusual system behavior in case of a breach (e.g. bitcoin miner).
  • Don’t worry too much about usual security-related messages in the logs. Any publicly accessible server is being constantly scanned by automatic bots for simple commonly known vulnerabilities. C’est la vie.
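
A small triage script for log excerpts like the ones above, added here as an example and not code from CUBA, Tomcat or any poster in this thread. It pairs each "Error parsing HTTP request header" line with the exception line that follows, sorts the rejected request lines into coarse categories (the heuristics and the sample log lines are constructed for illustration), and counts them per category and per minute so a sudden burst stands out from the everyday background scanning Alex describes:

```python
import re
from collections import Counter

# Constructed sample, modelled on the Tomcat log excerpts quoted in this thread (not the original log).
SAMPLE_LOG = """\
21-Jan-2024 23:38:41.083 INFO [https-openssl-nio-8443-exec-6] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target [/XmlPeek.aspx?dt=\\..\\..\\Windows\\win.ini&x=/validate.ashx?requri]. The valid characters are defined in RFC 7230 and RFC 3986
        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:486)
22-Jan-2024 01:43:57.118 INFO [https-openssl-nio-8443-exec-5] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
java.lang.IllegalArgumentException: Invalid character found in the request target [/images/..%2fcgi/cgi_i_filter.js?_tn={{trimprefix(base64_decode(httoken),]. The valid characters are defined in RFC 7230 and RFC 3986
23-Jan-2024 13:37:41.767 INFO [https-openssl-nio-8443-exec-24] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
java.lang.IllegalArgumentException: Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d...]
23-Jan-2024 16:51:05.049 INFO [https-openssl-nio-8443-exec-28] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
java.lang.IllegalArgumentException: Invalid character found in method name [alueWithDelay",["68","com.vaadin.shared.ui.tabsheet.TabsheetServerRpc","setSelected",["15"]]]0x000x000x00...]. HTTP method names must be tokens
"""

HEADER_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d{3} INFO \[(\S+)\] .*Error parsing HTTP request header")
REASON_RE = re.compile(r"Invalid character found in (the request target|the HTTP protocol|method name) \[(.*)\]")

def classify(where, payload):
    """Map one rejected request line to a coarse triage category (heuristics, not a signature set)."""
    p = payload.lower()
    if where == "method name":
        # Body or UI RPC data where the method token should be: a broken client/proxy rather than an exploit
        return "malformed-client"
    if where == "the HTTP protocol":
        return "non-http-protocol-probe"
    if "win.ini" in p or "..\\" in p or "../" in p or "..%2f" in p:
        return "path-traversal-probe"
    if any(p.split("?")[0].endswith(ext) for ext in (".aspx", ".ashx", ".php", ".cgi")):
        return "foreign-framework-probe"
    return "other-malformed"

def parse_events(text):
    """Pair each 'Error parsing HTTP request header' line with the exception line that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = {"minute": m.group(1), "thread": m.group(2)}
            continue
        r = REASON_RE.search(line)
        if r and pending is not None:
            where, payload = r.group(1), r.group(2)
            pending.update(where=where, payload=payload, category=classify(where, payload))
            events.append(pending)
            pending = None
    return events

def summarize(events):
    """Counts per category and per minute; a spike of one category in one minute is what merits a closer look."""
    return Counter(e["category"] for e in events), Counter(e["minute"] for e in events)
```

Tomcat's parse-error log carries no client address, so correlate the timestamps with the access log written by the AccessLogValve (which records the remote host) before deciding on firewall rules.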

Thx, Alex for your additional explanation.
What worries me is that the instructions used (values, *.js, etc.) seem more and more precise or specific to me, see below “com.vaadin.shared.ui.tabsheet.TabsheetServerRpc”, which is part of the framework, in some kind of BOF attack (I shortened it, because it exceeds the 32k limit here)

23-Jan-2024 16:51:05.049 INFO [https-openssl-nio-8443-exec-28] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name [alueWithDelay",[“05.12.2023”,{“YEAR”:2023,“MONTH”:12,“DAY”:5}]],[“68”,“com.vaadin.shared.ui.tabsheet.TabsheetServerRpc”,“setSelected”,[“15”]]],“syncId”:179,“clientId”:179}ns",[“b”,true]]],[“3259”,“v”,“v”,[“selected”,[“S”,[“3”]]]]],“syncId”:153,“clientId”:153}stractDateFieldServerRpc",“updateValueWithDelay”,[“..____”,[]]],[“391”,“com.vaadin.shared.ui.datefield.AbstractDateFieldServerRpc”,“updateValueWithDelay”,[“21.11.2023”,{“YEAR”:2023,“MONTH”:11,“DAY”:21}]],[“400”,“com.vaadin.shared.ui.datefield.AbstractDateFieldServerRpc”,“updateValueWithDelay”,[“21.09.2023”,{“YEAR”:2023,“MONTH”:9,“DAY”:21}]]],“syncId”:31,“clientId”:31},[“32”]]],“syncId”:247,“clientId”:246}rverRpc",“closeTab”,[“31”]]],“syncId”:238,“clientId”:237}0x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x00…000x000x00…]. HTTP method names must be tokens
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:413)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:261)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)

This log snippet looks more like a bug to me (somewhere in the chain between browser and application server).
Because the HTTP request is invalid here and there is no chance it could be executed. It just doesn’t look like an attempt at an exploit.