
Strange requests in access logs lead to IllegalArgumentException

I am using Tomcat 8.0.43 as my server.

When reviewing my logs, occasionally I see:

[...]INFO[...] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the HTTP protocol

Or:

java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986

If I look at my access logs, I see that the URLs that were requested to yield these exceptions were things like:

"GET /scripts/index.php?OPT_Session= null" 400

or:

"GET null null" 400

Was I correct in identifying the requests that caused the exceptions to be thrown?

Is there anything that I can do to stop these exceptions from being thrown or restrict these requests from being made?

A normal browser doesn't even allow a client to enter a URL with a space in it. It appears these requests do have spaces in them though.

Thanks.

theyuv asked Oct 12 '17 08:10


1 Answer

The requests are most probably attacks. If you are running an Internet-facing web server you have to live with them. It is fairly common to put a web server such as Apache in front of Tomcat, possibly configured with mod_security (https://modsecurity.org). In addition you could use fail2ban or a similar solution in order to ban IPs based on errors in the log. However, in my recent experience attackers tend to use a wide range of IP addresses, so fail2ban may not be very effective.

ewramner answered Oct 31 '22 04:10
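
One way to confirm which access-log entries correspond to the rejected requests, and to count them per client the way a fail2ban-style rule would, as an added example that is not part of the original question or answer. It assumes Tomcat's "common" access log pattern; the sample log lines, the IP addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed format: Tomcat "common" access log pattern, %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
# Simplified shape of a valid request line: METHOD SP target SP HTTP/x.y,
# with no whitespace inside the target.
VALID_REQUEST_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")

# Constructed sample log; IPs are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2017:08:01:12 +0000] "GET /scripts/index.php?OPT_Session= null" 400 -
198.51.100.23 - - [12/Oct/2017:08:03:40 +0000] "GET null null" 400 -
192.0.2.10 - - [12/Oct/2017:08:04:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [12/Oct/2017:08:05:55 +0000] "GET null null" 400 -
192.0.2.10 - - [12/Oct/2017:08:06:00 +0000] "GET /missing HTTP/1.1" 404 -
"""


def malformed_requests(log_text):
    """Return (ip, request_line) for each 400 whose request line is malformed."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["status"] == "400" and not VALID_REQUEST_RE.match(m["req"]):
            hits.append((m["ip"], m["req"]))
    return hits


def ban_candidates(log_text, threshold=2):
    """IPs with at least `threshold` malformed requests (fail2ban-style count)."""
    counts = Counter(ip for ip, _ in malformed_requests(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, req in malformed_requests(SAMPLE_LOG):
        print(f"{ip}  {req!r}")
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

In the constructed sample, the client that sends only one malformed request stays below the threshold, which is the limitation of per-IP banning that the answer describes.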