Just looking for a guide to understand query strings

My logs have been inundated with hits at example.com/?anything, though in the actual logs ‘anything’ is a very long string of characters.

Log entry:

“GET /?anything HTTP/1.1” 200 581 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko”

(note there is no location for ‘anything’)

I didn’t even know this was possible. I’m still not sure what nginx is
doing when it processes this request. If someone could help me out, even
just point me to a good explanation of what is happening, that would be
great.

The question mark separates the location from the arguments, thus the location itself is merely ‘/’.

If you do not have a location set explicitly for ‘/’, you probably have a default location block (‘location /’) which will serve all unmatched locations, thus resulting in 200.

Maybe the intent of this spam is to try to trigger vulnerabilities or default credentials on the index page in backend applications (i.e. a CMS). This is pure speculation.

If the spam really takes resources or annoys you very much, you might be willing to either:

  • filter out those requests (blacklist approach), being careful that those could not be legitimate (as you would reduce availability, which is against very basic principles of security)
  • only accept requests with a specific format (whitelist approach), being careful that it might be a maintenance nightmare each and every time you want to make a new format of requests
  • investigate the source of this spam and see if it might not be possible to filter them out at a lower level (such as a firewall)
  • introduce request rate limiting to still allow every request but lower their frequency and thus save resources by sending back a built-in HTTP error code rather than content when clients exceed rate limits

Those are just wild ideas coming in a snap.
Pick your choice or think about better ones… ;o)

B. R.
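The two points in the reply above (nginx cuts the request target at the first ‘?’, so ‘location’ blocks match only the path and the rest becomes $args; and the blacklist/firewall options depend on knowing which clients send these hits) can be checked against your own access log with a short script. The following is an added example, not code from the original thread. The log lines, the client addresses and the 64-character threshold are constructed for illustration; the split mirrors the raw request target (what nginx exposes as $request_uri) and ignores the percent-decoding and slash merging nginx applies when it builds $uri.

```python
import re

# Constructed sample lines in nginx's default "combined" log format.
# Addresses are from documentation ranges; nothing here is from the poster's logs.
JUNK = "ZmFrZXF1ZXJ5" * 8  # 96 opaque characters, standing in for the long "anything"
SAMPLE_LOG = (
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /?' + JUNK + ' HTTP/1.1" 200 581 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"\n'
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=nginx+query+string HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"\n'
    '203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 581 "-" "curl/8.0.1"\n'
)

# One "combined" line: addr ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<addr>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

MAX_ARGS_LEN = 64  # assumed threshold; tune it to what your own application sends


def split_request(request):
    """Split 'GET /?anything HTTP/1.1' the way nginx does: the request target is
    cut at the first '?'. The part before it is what 'location' blocks match
    (nginx's $uri, here without its normalisation); the part after it is $args,
    and $is_args is '?' when a query string is present."""
    parts = request.split(" ")
    if len(parts) != 3:
        return None  # malformed or truncated request line, skip it
    method, target, protocol = parts
    uri, is_args, args = target.partition("?")
    return {"method": method, "uri": uri, "args": args,
            "is_args": is_args, "protocol": protocol}


def is_suspicious(args, max_len=MAX_ARGS_LEN):
    """Flag a long query string that carries no key=value structure at all,
    which is what the '/?anything' hits look like. Real applications almost
    always send key=value pairs, so a bare opaque token of this length is a
    reasonable (but not infallible) signal; keep the availability caveat from
    the reply in mind before turning this into a block rule."""
    if len(args) <= max_len:
        return False
    return all("=" not in pair for pair in args.split("&"))


def analyze(log_text):
    """Parse every well-formed line and report how nginx would see it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = split_request(m.group("request"))
        if req is None:
            continue
        findings.append({
            "addr": m.group("addr"),
            "uri": req["uri"],
            "args": req["args"],
            "status": int(m.group("status")),
            "suspicious": is_suspicious(req["args"]),
        })
    return findings


def offenders(findings, min_hits=1):
    """Count suspicious hits per client address: the input you would need for
    the 'filter at a lower level (firewall)' option in the reply."""
    counts = {}
    for f in findings:
        if f["suspicious"]:
            counts[f["addr"]] = counts.get(f["addr"], 0) + 1
    return {addr: n for addr, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['addr']:<15} uri={f['uri']!r:<10} args_len={len(f['args']):<4} {flag}")
    print("suspicious hits per address:", offenders(results))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the first sample line reproduces the poster's case (uri ‘/’, a 96-character $args), the second shows an ordinary key=value query that is not flagged, and the third has no query string at all.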
