HTTP SEARCH Protocol attacks

Yesterday my server got hit by about 15 attempts to find what I guess to be some kind of buffer overflow vulnerability in my webserver using some kind of HTTP SEARCH method. Never knew there was such a method until now. At first, about the only verifiable reference I could find about it was an old W3C page indicating it was only a proposed method. No mention of it in the HTTP RFC 2616 document at all. Then I found (thanks to Google) a reference in someone's presentation on DAV properties starting here. Seems to be a DAV thing. I only found mention the SEARCH method in a draft document.

The client invokes the SEARCH method to initiate a server-side search. The body of the request defines the query. The server MUST emit an entity matching the [RFC2518] PROPFIND response.

The SEARCH method plays the role of transport mechanism for the query and the result set. It does not define the semantics of the query. The type of the query defines the semantics.

Of course now that I know it's a DAV thing, there's plenty of stuff out there about it.

Basically the attack consisted of sending a really long SEARCH request (similar to sending a HEAD/GET/POST request I suppose) containing well over 8K worth of \x90, \xb1, \x02 and probably followed by other things. Apache 2 logs it as "request failed: URI too long (longer than 8190)". I take that as a good sign Apache 2 isn't vulnerable to this kind of attack.

All of the requests came from very different IP addresses which points to some kind of DDoS type of attack.

Always a good idea to keep an eye on the log files. They can tell you a lot about what's going on with your system. One of these days I'll have to make like every other decent sysadmin type out there and set up some scripts that scan the log files and mail me the interesting bits.