Important security research from the RWTH Aachen University

I regularly spend time investigating my server logs and occasionally come across a few special snowflakes. My onion (Tor) server hosted with a popular cloud provider was recently visited by a research scanner. The scanner initially greeted the server with a few standard GET requests:

137.226.113.7 - - [12/May/2017:12:32:16 +0200] "GET / HTTP/1.1" 403 209 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36 Scanning for research (researchscan.comsys.rwth-aachen.de)" 252 402

As you can see from the 403 response code above the request was immediately rejected. Not discouraged though, the scanner simultaneously sent a batch of requests containing a “really long request URL”:

137.226.113.7 - - [12/May/2017:12:32:16 +0200] "GET /YesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScann HTTP/1.1" 403 1209 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36 Scanning for research (researchscan.comsys.rwth-aachen.de)" 1252 1403

Constructing a HTTP request containing more data than the web server can handle is a technique used for buffer overflow attacks. Additionally, It could also be used for denial-of-service (DoS) attacks. Anyhow, I believe most modern web servers won’t be vulnerable unless they suffer from a less than sane configuration. In my case the requests were simply dropped by the web application firewall due to a missing Accept Header.

I won’t block the university from scanning my onion server in the future, but maybe I’ll give them a little something in return the next time they come knocking. All in the friendly spirit of science and research naturally.

Roger Comply avatar
Roger Comply
Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed.