
In my webserver log files I sometimes find such entries:
185.30.14.116 [2024-09-14T07:56:57+02:00] 400 | HOST-HDR "185.30.14.116" | SRV _:80" | URI "/"
So there is a request from 185.30.14.116 that my default server received (nginx). But the Host header is also 185.30.14.116!
I consider this security relevant because the header is obviously crafted.
My questions:

  1. Is there any chance a regular client user / client software would make such a request? (meaning that it is not security relevant)
  2. Why would an attacker do this, putting the client's IP into the Host header? What is the purpose of this attack/hack?

(my server has direct internet connectivity, no load balancing or similar in the way)

  • Why is it obviously crafted? Why is it security relevant? Commented Sep 14, 2024 at 8:16
  • @vidarlo This is not my IP. This IP in the Host header would never be able to reach my server. Otherwise please someone tell me why a client software would do such a thing, and all is fine. I am just worried about entries in my weblogs I don't understand. That's why I ask this question here. Commented Sep 14, 2024 at 8:22
  • @archygriswald: It might have been an accident, i.e. no sense at all. It might have been an attempt to check if the server somehow reflects this value in the response (like in the HTML or in a redirect) - see Exploiting HTTP redirect function via the Host header. It might have been an attempt to check if the server somehow connects to this IP, i.e. checking for SSRF. Best is to reject such clearly invalid requests in the first place (as seems to be the case here - code 400). Commented Sep 14, 2024 at 9:15
  • Maybe you're checking this behind a CDN, load balancer or similar? That would require the X-Forwarded header to be accurate (needs configuration). Commented Sep 14, 2024 at 12:24
  • I don't see how this can be answered with facts rather than speculation. It's not even clear if this really is security-relevant -- it might as well be a simple bug in a completely benign client. When a server is reachable through the Internet, it's perfectly normal to get tons of garbage traffic from buggy clients, vulnerability scanners, poorly written malware and whatnot. A lot of times, you cannot really distinguish between those, nor is it particularly useful. Your system should have no trouble dealing with garbage input -- if it does, that's what you need to fix. Commented Sep 15, 2024 at 9:04
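A small detection pass over log lines in the format shown in the question, added here as an example (it is not code from the question or from any commenter): it parses each line, and flags entries whose Host header is not one of the server's own hostnames, separating the "Host equals client IP" case the question asks about from other IP-literal Hosts so the two can be counted apart in a weblog review. The `LEGIT_HOSTS` set, the label names and all sample lines except the first (which is the question's own) are assumptions.

```python
import ipaddress
import re

# Constructed sample in the question's log format. Line 1 is the entry from the
# question; the others are made up for contrast (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
185.30.14.116 [2024-09-14T07:56:57+02:00] 400 | HOST-HDR "185.30.14.116" | SRV _:80" | URI "/"
203.0.113.7 [2024-09-14T08:01:12+02:00] 200 | HOST-HDR "www.example.org" | SRV www.example.org:80" | URI "/index.html"
198.51.100.23 [2024-09-14T08:03:40+02:00] 400 | HOST-HDR "10.0.0.5" | SRV _:80" | URI "/"
"""

# Hostnames this server legitimately answers for (assumed; use your server_name values).
LEGIT_HOSTS = {"www.example.org"}

# The odd SRV quoting (_:80") is reproduced exactly as it appears in the question's line.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<status>\d{3}) \| '
    r'HOST-HDR "(?P<host>[^"]*)" \| SRV (?P<srv>[^"]*)" \| URI "(?P<uri>[^"]*)"$'
)

def parse_line(line):
    """Parse one line of the custom log format; return a dict of fields or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_ip_literal(host):
    """True if the Host value is a bare IP address (an optional :port on IPv4 is stripped)."""
    bare = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        return False

def classify(entry):
    """Label an entry by how its Host header relates to the hostnames we actually serve."""
    host = entry["host"]
    if host in LEGIT_HOSTS:
        return "ok"
    if host == entry["client"]:
        return "host-equals-client-ip"   # the pattern asked about in the question
    if is_ip_literal(host):
        return "ip-literal-host"         # address-based Host, typical of scanners hitting the IP
    return "unknown-host"                # some other name we do not serve (e.g. vhost probing)

def flag_suspicious(log_text):
    """Return (client, host, status, label) for each entry without a legitimate Host header."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and (label := classify(entry)) != "ok":
            flagged.append((entry["client"], entry["host"], int(entry["status"]), label))
    return flagged
```

A 400 status alongside a flagged label means the default server already refused the request, which is the behaviour the comments recommend; a 200 or 3xx there would be worth a closer look at what the response contained.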
