Forum: NGINX Filtering out long (invalid) hostnames

C413a7196a364e5243c57ae58f5b7dc7?d=identicon&s=25 Ondrej Jombik (Guest)
on 2013-11-09 21:45
(Received via mailing list)
Recently we have seen some kind of hacker attempt on our hosting
servers, passing very long hostnames in the HTTP Host: header. That
means length(hostname) was higher than 2000, for few requests even more
than 10000.

This was processed well by nginx, passed further to our upstreams, what
caused only little trouble there: logs were filled with a lot of
garbage.

After bit of investigation, I have found that according to RFC, the
longest domain name should not be more than 253 characters. Also,
splitting domain into labels (labels are strings between dots), each
label should not exceed 63 characters.

For more info: http://en.wikipedia.org/wiki/Domain_Name_System
(search for "Domain name syntax" part)

That raises question how nginx handles this kind of long hostnames, and
why it still pasess those invalid hostnames to backends (upstreams).

However it still passes it, and we want to filter that out. Because the
performance matters us much, we want to do that the best possible way.

CASE #1:

     if ($host ~* "^.{254,}$") {
         return 403;
     }

CASE #2: (this is probably more efficient)

     server {
         server_name     "~^.{254,}$";
         listen 80;
         return 403;
     }

Case #2 is probably more efficient, but in both cases are regular
expressions used. Would it matter if we put that server {} block at the
end of our server list?

Also would it make any sense to check for a dot (\.) in a server_name or
$host, and when not dot is present, return 403 as well?

Thanks for sharing your thoughts

Ondrej

--
Ondrej JOMBIK
Platon Technologies s.r.o., Hlavna 3, Sala SK-92701
+421 903 PLATON - info@platon.org - http://platon.org

My current location: Phoenix, Arizona
My current timezone: -0700 UTC (MST)
(updated automatically)
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2013-11-11 14:10
(Received via mailing list)
Hello!

On Sat, Nov 09, 2013 at 09:44:52PM +0100, Ondrej Jombik wrote:

> longest domain name should not be more than 253 characters. Also,
> splitting domain into labels (labels are strings between dots), each
> label should not exceed 63 characters.
>
> For more info: http://en.wikipedia.org/wiki/Domain_Name_System
> (search for "Domain name syntax" part)
>
> That raises question how nginx handles this kind of long hostnames, and
> why it still pasess those invalid hostnames to backends (upstreams).

While DNS names are indeed limited to no more than 255 octets,
it's not a case for HTTP, which can be used with non-DNS names as
well.

>
>     server {
>         server_name     "~^.{254,}$";
>         listen 80;
>         return 403;
>     }
>
> Case #2 is probably more efficient, but in both cases are regular
> expressions used.

Recommended use is to list valid names in a server_name
directives, and filter out anything else by using a default server
which returns an appropriate error.

Between the above two cases I would recommend case #2, mostly
because it's easier to support.

> Would it matter if we put that server {} block at the
> end of our server list?

As long as there are no other regexp server names in your
configuration - position doesn't matter, see
http://nginx.org/en/docs/http/server_names.html.

> Also would it make any sense to check for a dot (\.) in a server_name or
> $host, and when not dot is present, return 403 as well?

You may do so if your configuration assumes access via fully
qualified domain names only, and you are not hosting TLDs.
Otherwise it may cause problems.  See here for details:

http://en.wikipedia.org/wiki/Fully_qualified_domain_name

--
Maxim Dounin
http://nginx.org/en/donation.html
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.