<div dir="ltr">Thank you Fred,<div>This is helpful feedback.</div><div><br></div><div>The only reason that I was thinking it might be some kind of attack it's because this happened within an hour on three different machines (different environments - dev/staging/prod).</div><div><br></div><div>Best,</div><div>r.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 22, 2016 at 2:57 PM, Fred Hebert <span dir="ltr"><<a href="mailto:mononcqc@ferd.ca" target="_blank">mononcqc@ferd.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 02/22, Roberto Ostinelli wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Dear list,<br>
I keep on seeing the following in the logs:<br>
<br>
Ranch listener nucleo_listener terminated with reason: no case clause<br>
matching 123 in cowboy_protocol:parse_hd_name_ws/8 line 276<br>
<br>
(code is here:<br>
<a href="https://github.com/ninenines/cowboy/blob/1.0.4/src/cowboy_protocol.erl#L276" rel="noreferrer" target="_blank">https://github.com/ninenines/cowboy/blob/1.0.4/src/cowboy_protocol.erl#L276</a>)<br>
<br>
Anyone using cowboy sees the same thing? I'm wondering if this is some kind<br>
of targeted attack on cowboy parsing.<br>
<br>
</blockquote>
<br></span>
123 is the ASCII code for '{'. What you see here is a header fabricated to look maybe a bit like this:<br>
<br>
My-Header-Name {whatever goes in here}<br>
<br>
This is not valid content. When cowboy sees the space after the header name, it expects to see more space or a colon, possibly because the header should look like:<br>
<br>
My-Header-Name : {whatever goes in here}<br>
<br>
But that colon is missing and all you get is that bracket right there.<br>
<br>
It would be easy to expect it to just be garbage over the line or incomplete stuff than a direct attack on cowboy itself aas far as I can tell. There's not too much to be found by just sending requests that end early like that, unless someone is doing some form of fuzzing, in which case you should find a lot more varied error logs along with this.<br>
<br>
The trick would be to look at the content that was sent over the line before and after that point. One possibility could be that some proxy or intermediary (I don't think cowboy itself is sensitive to that) could be hit by request smuggling: <a href="http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf" rel="noreferrer" target="_blank">http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf</a><br>
<br>
But only contextual information could help reveal that.<br>
<br>
Regards,<br>
Fred.<br>
</blockquote></div><br></div>