Weird browser behavior: frequent empty (bad) requests

Hi all!

A weird thing has started to happen. As part of the security onion, I ban all IPs that try to connect to the web server (Nginx) via IP directly and not through a hostname (fail2ban regex on access.log).

Today I found out that one of the legitimate clients got banned and upon closer inspection I found this logged for his requests:

xx.xx.xx.xx - - [23/Aug/2011:17:11:01 +0000] "-" 400 0 "-" "-" "-"

(IP censored)

So I figured there must be something wrong with his browser (Firefox 3.6 on Windows), but the log is full of such entries, for various remote IPs (not just this client's, I suppose), besides the standard webapp sniffers. I guess this client is the first who complained.

I tried to google for it, perhaps it's a bug in FF, but I came up short. Top entries in Google suggest clearing the cache, and I'll suggest that to the client, but I'm sure there are no cookies involved with the domain they're accessing (basic auth over https). I also do not know if any other browsers are "affected" since there is no UA reported.

Anyone familiar with this issue?

2 Replies

My first thought was that this might be a relic of pre-fetching; many web browsers attempt to predict what the human is going to click on and start fetching it before they do, bailing out if the human decides to do something else.

But then I saw this: [http://orensol.com/2009/01/18/nginx-and-weird-400-bad-request-responses/](http://orensol.com/2009/01/18/nginx-and-weird-400-bad-request-responses/). Dunno, but it sounds plausible.

From an operational standpoint, I probably wouldn't use a fail2ban regexp like that, as it seems way too prone to false positives. Plus, if it is something like a forum with user-generated content, all of your users could be taken out by some crazy git inserting an "image" like `![](http://67.18.187.140/sorry-guys/hoopycat-did-this/thread-42661.png)`.
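The false-positive problem described above, as an added example that is not from this thread: a small Python classifier that separates nginx's `"-" 400 0` lines (a connection that never delivered a request line, so no Host was ever seen) from real requests whose Host is an IP literal, and compares it with an over-broad "anything not my hostname" rule. The log format (combined plus a trailing `"$host"` field), the expected hostname and all addresses are assumptions or constructed sample data.

```python
import ipaddress
import re

# Assumed log_format (not given in the thread): combined + trailing "$host".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)
EXPECTED_HOST = "www.example.com"  # assumed hostname the site is served on


def parse(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(line):
    """Return 'unparsed', 'empty_request', 'ip_host' or 'ok' for one log line."""
    rec = parse(line)
    if rec is None:
        return "unparsed"
    # "-" 400 0: nginx closed a connection on which no request line ever arrived
    # (idle/speculative connections, aborted TLS handshakes). There was never a
    # Host header, so it is not evidence of a direct-by-IP request.
    if rec["request"] == "-" and rec["status"] == "400" and rec["bytes"] == "0":
        return "empty_request"
    # Only a real request whose Host is an IP literal counts as "access by IP".
    host = re.sub(r":\d+$", "", rec["host"]).strip("[]")  # drop :port, [v6]
    try:
        ipaddress.ip_address(host)
        return "ip_host"
    except ValueError:
        return "ok"


def naive_match(line):
    """Over-broad rule: every parsed line not for EXPECTED_HOST is a hit."""
    rec = parse(line)
    return rec is not None and rec["host"] != EXPECTED_HOST


def strict_match(line):
    """Narrow rule: only real requests addressed to an IP literal are hits."""
    return classify(line) == "ip_host"


# Constructed sample lines; addresses are documentation ranges, not real hosts.
SAMPLE = [
    '203.0.113.5 - - [23/Aug/2011:17:11:01 +0000] "-" 400 0 "-" "-" "-"',
    '203.0.113.5 - alice [23/Aug/2011:17:11:02 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "www.example.com"',
    '198.51.100.9 - - [23/Aug/2011:17:12:30 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "curl/7.21" "192.0.2.10"',
]
```

Run over the constructed sample, the naive rule bans the legitimate client on its empty-request line while the strict rule only flags the request that really targeted an IP literal.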

Yeah, googling for "Nginx 400 0" results in suggestions to drop the cookie cache, and I'll suggest that to the client, though there are no cookies involved for the domain he's accessing.

Best thing to do will be to fire up tcpdump and correlate timestamps. :)
