Difference between revisions of "WAF 390702"

From Atomicorp Wiki
Revision as of 09:51, 16 May 2013

Rule: 390702
Status: Active
Alert Message: Atomicorp.com WAF Rules: Multiple/Conflicting Connection Header Data Found


Description

This rule detects when multiple or conflicting Connection headers are found in a request. For example:

Connection: keep-alive, keep-alive

Broken and/or malicious clients often send duplicate or conflicting headers, and many automated programs and malicious software do not obey the HTTP RFC. This behaviour is not normal for real browsers and is extremely rare. If you see this rule being triggered, either a malicious client is connecting to your system or a very broken application is. In either case we do not recommend disabling this rule, as it will detect potentially unknown attacks associated with this condition.

Example

This is what an HTTP request looks like to the server: it is what the client sends to request a resource, post data, and so on. The headers below are set by the client, not the server.

GET /some/file HTTP/1.1
Connection: keep-alive, keep-alive
Accept: */*
Referer: http://www.example.com/someurl
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 
Cookie: somecookie
Host: www.example.com

In the example above, the "Connection:" header carries two entries, "keep-alive, keep-alive". The Connection header is a comma-separated list of connection options, and per the HTTP RFC each option should appear once; a conforming client sends "keep-alive" a single time. Repeating or contradicting these tokens is used by some attackers in DoS attempts against servers, and it also indicates that a broken proxy or a broken client is connecting, either of which may mean the client is malicious.
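The detection logic described on this page, written out as an added example (this is not Atomicorp's rule code, and the exact token set and conflict table the real rule uses are not published here). The checker parses a raw HTTP/1.x request head, gathers every token from every Connection header line, and reports duplicate tokens, conflicting tokens, and repeated Connection lines. The sample requests are constructed for this example; the second one reproduces the "keep-alive, keep-alive" case above. Treating keep-alive and close as the only conflicting pair, and treating more than one Connection line as reportable, are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Constructed sample requests (not captured traffic). DUPLICATE_TOKEN_REQUEST
# reproduces the page's "keep-alive, keep-alive" case; the others show the
# conflicting-token and repeated-line variants.
NORMAL_REQUEST = (
    b"GET /some/file HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Connection: keep-alive\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)
DUPLICATE_TOKEN_REQUEST = (
    b"GET /some/file HTTP/1.1\r\n"
    b"Connection: keep-alive, keep-alive\r\n"
    b"Accept: */*\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)
CONFLICTING_TOKEN_REQUEST = (
    b"GET /some/file HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Connection: keep-alive, close\r\n"
    b"\r\n"
)
REPEATED_LINE_REQUEST = (
    b"GET /some/file HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Assumption of this example: keep-alive and close are the only pair treated
# as mutually exclusive. The page does not publish the rule's conflict table.
CONFLICTING_PAIRS = [frozenset({"keep-alive", "close"})]


def parse_request_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x request head into (name, value) pairs.

    Names are lowercased. Order and repetition are preserved so that a
    header sent on several lines can still be detected.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def connection_tokens(headers: List[Tuple[str, str]]) -> List[str]:
    """Every connection-option token across all Connection header lines.

    The field is a comma-separated list, so one line can carry several
    tokens and the same token can appear more than once.
    """
    tokens = []
    for name, value in headers:
        if name != "connection":
            continue
        for tok in value.split(","):
            tok = tok.strip().lower()
            if tok:
                tokens.append(tok)
    return tokens


def check_connection_header(raw: bytes) -> Dict[str, object]:
    """Inspect one request and list why its Connection header is abnormal.

    An empty reason list means the header looked normal.
    """
    headers = parse_request_headers(raw)
    tokens = connection_tokens(headers)
    line_count = sum(1 for name, _ in headers if name == "connection")

    counts: Dict[str, int] = {}
    for tok in tokens:
        counts[tok] = counts.get(tok, 0) + 1

    reasons = []
    for tok, n in sorted(counts.items()):
        if n > 1:
            reasons.append(f"duplicate token '{tok}' x{n}")
    for pair in CONFLICTING_PAIRS:
        if pair <= set(counts):
            reasons.append("conflicting tokens " + "+".join(sorted(pair)))
    if line_count > 1:  # assumption: repeated Connection lines are reportable
        reasons.append(f"{line_count} Connection header lines")

    return {"tokens": tokens, "reasons": reasons, "alert": bool(reasons)}


if __name__ == "__main__":
    samples = [
        ("normal", NORMAL_REQUEST),
        ("duplicate", DUPLICATE_TOKEN_REQUEST),
        ("conflict", CONFLICTING_TOKEN_REQUEST),
        ("repeated-line", REPEATED_LINE_REQUEST),
    ]
    for label, req in samples:
        result = check_connection_header(req)
        print(f"{label:14} alert={result['alert']} reasons={result['reasons']}")
```

Tokens are collected across every Connection line rather than from the first one only, because a client that splits the header across lines is the same "multiple header" condition the rule is named for, and a single-line check would miss it.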

Troubleshooting

False Positives

None.

Tuning Guidance

None. This rule detects invalid connections. If clients connect in this manner, that is a bug on the client side and the connection is invalid.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes
