Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SSL Requests to non-SSL HTTP Servers SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
SSL Requests to non-SSL HTTP Servers

This isn't really new. But two readers submitted logs like this today. So I figured it is time for a reminder.

If you see requests like this in your weblogs: 

a.b.c.d - - [04/Oct/2016:14:57:34 +0000] "\x16\x03\x02\x00\xDC\x01\x00\x00\xD8\x03\x02SC[\x90\x9D\x9Br\x0B\xBC\x0C\xBC+\x92\xA8H\x97\xCF\xBD9\x04\xCC\x16" 400 166 "-" "-"

The reason is almost always an SSL request sent to a non SSL server. In particular if you are running a web server on a port other then port 80 (e.g. 8080 or 8000), you will see attackers trying to scan your server assuming that it is running SSL.

To decode the byte sequence above:

\x16 - This indicates a "handshake". Typically, connections start with a client hello.
\x03\x02 - the SSL/TLS version. In this case "cutting edge" TLS 1.1 (0x03 0x01 is TLS 1.0)
\x00\0xDC - the length of the message. 0xDC = 220 Bytes.
\x01 - indeed.. a client hello (server hello would be '2')
\x00\x00\xD8 - the length of the client hello part of the message ( 216 Bytes)
\x03\x02 - SSL/TLS version again 
SC[\x90  - four byte time stamp (only non-printable characters use the \x encoding. So this translates to 0x53 0x43 0x5B 0x90
followed by some random bytes...

You will find various versions of this, depending on the SSL/TLS version used, the number of ciphers offered and the like.

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

Johannes

3693 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!