Question

I keep getting the following two errors from my server. I assumed they were just bots looking for potential targets, but does anyone know specifically why I'm getting these? I'm using the SslRequirement plugin to make sure all hits to the login/signup page are redirected to SSL, so all of these weird https requests to root should just be redirected to regular http.


A ActionController::UnknownHttpMethod occurred in application#index: quit, accepted HTTP methods are get, head, put, post, delete, and options

/usr/local/lib/ruby/gems/1.9.1/gems/actionpack-2.3.4/lib/action_controller/request.rb:35:in `request_method'

  • PATH_INFO : /
  • REMOTE_ADDR : 99.19.208.249
  • REMOTE_PORT : 6376
  • REQUEST_METHOD : CONNECT
  • REQUEST_URI : /
  • SERVER_PORT : 443
  • SERVER_PROTOCOL : HTTP/1.0
  • SERVER_SOFTWARE : Apache

A ActionController::UnknownHttpMethod occurred in application#index: CONNECT, accepted HTTP methods are get, head, put, post, delete, and options

/usr/local/lib/ruby/gems/1.9.1/gems/actionpack-2.3.4/lib/action_controller/request.rb:35:in `request_method'

  • HTTPS : on
  • HTTP_X_FORWARDED_PROTO : https
  • PATH_INFO : /
  • REMOTE_ADDR : 91.209.196.76
  • REMOTE_PORT : 50751
  • REQUEST_METHOD : quit
  • REQUEST_URI : /
  • SERVER_PORT : 443
  • SERVER_PROTOCOL : HTTP/0.9

Solution

The CONNECT command is used by HTTP proxy servers to indicate that the client wants to just connect a socket directly to another server; this is usually used for tunneling TLS over an HTTP proxy, but could be used for tunneling almost any protocol.

QUIT is not an HTTP command, but it is an SMTP command. It is possible that you are getting these commands from a bot that is trying to find open relays for sending spam; it's trying to figure out if you have an open SMTP relay, or an open HTTP proxy that allows the CONNECT command which could also be used to tunnel SMTP traffic.

So, likely you're just being hit by a spam botnet trying to find open relays. My advice would be to drop such requests as early as possible, and not worry about them.

OTHER TIPS

CONNECT: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.9

QUIT usually means 'close the connection'.

# Avoid annoying ActionController::UnknownHttpMethod exceptions like:
#
#   (ActionController::UnknownHttpMethod) "CONNECT, accepted HTTP methods are get, head, put, post, delete, and options"
#
# Install this file in app/metal and these requests will receive a 405
# "Method Not Allowed" status and will be logged under `info'.
class IgnoreUnknownHttpMethod
  def self.call(env)
    [
     if ActionController::Request::HTTP_METHODS.include?(env["REQUEST_METHOD"].downcase)
       404 # Not Found: Rails Metal treats a 404 as "pass this request on to the next app"
     else
       Rails.logger.info("Ignoring unknown HTTP method; #{env.inspect}")

       405 # Method Not Allowed
     end, {"Content-Type" => "text/plain"}, []]
  end
end

Credit https://gist.github.com/remvee/600569

I just noticed a few attempts to connect to my servers, as follows; we see that it ends with a QUIT...

198.20.87.98 - - [22/Dec/2015:21:43:42 -0800] "GET / HTTP/1.1" 444 5666 "-" "-"
198.20.87.98 - - [22/Dec/2015:21:43:42 -0800] "GET /robots.txt HTTP/1.1" 444 5666 "-" "-"
198.20.87.98 - - [22/Dec/2015:21:43:42 -0800] "GET /sitemap.xml HTTP/1.1" 444 5666 "-" "-"
198.20.87.98 - - [22/Dec/2015:21:43:58 -0800] "quit" 405 5461 "-" "-"
  • As a side note, my server returns 444 which is not a legal HTTP code. It means NO RESPONSE and I do that because their "Agent String" is empty.

Looking at the IP address, I found a search engine that searches for things on the internet. Not a hacker trying to break in per se. (Their intent is not evil, it seems.) I suppose that some of the applications they are checking for must understand the QUIT. So as a robot, it makes sense that you would want to try what would otherwise look like weird commands such as CONNECT and QUIT. There is no real limit to the commands an application can support, even if those commands are not official HTTP commands.

If your application does not understand these methods, then nothing will happen so you should not bother too much about these.

If your application receives those methods, then you may want to write a little something at the start to get the method and compare to GET and POST (and whatever else you support, like DELETE and PUT) and if it matches none of these, then reply with a 405 error code: "Method Not Allowed".

http://tools.ietf.org/html/rfc7231#section-6.5.5

If you cannot change your application and you are not sure whether it could react to a CONNECT / QUIT hit, then you could look into using a setup such as mod_security for Apache2.
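The method check this answer describes (compare the request method with the ones you support, otherwise reply 405), written as Rack middleware so it runs before the framework parses the request. This is an added example, not code from the original post; the class name `MethodAllowlist`, its `ALLOWED` list and the log line format are assumptions.

```ruby
# Added example: reject request methods outside an allowlist with a 405.
require "logger"

class MethodAllowlist
  # Methods the application supports (assumption: adjust to your routes).
  ALLOWED = %w[GET HEAD POST PUT DELETE OPTIONS].freeze

  def initialize(app, allowed: ALLOWED, logger: Logger.new($stderr))
    @app = app
    @allowed = allowed
    @logger = logger
  end

  def call(env)
    method = env["REQUEST_METHOD"].to_s
    # Method tokens are case-sensitive, so a lowercase "quit" never matches.
    return @app.call(env) if @allowed.include?(method)

    @logger.info("rejected method=#{printable(method)} " \
                 "ip=#{printable(env['REMOTE_ADDR'])} " \
                 "path=#{printable(env['PATH_INFO'])}")
    body = "Method Not Allowed\n"
    # RFC 7231 section 6.5.5: a 405 response carries an Allow header.
    headers = {
      "content-type" => "text/plain",
      "content-length" => body.bytesize.to_s,
      "allow" => @allowed.join(", ")
    }
    [405, headers, [body]]
  end

  private

  # Client-controlled values are reduced to short printable ASCII so a
  # request cannot inject extra lines or huge payloads into the log.
  def printable(value)
    value.to_s.b.gsub(/[^\x21-\x7e]/, "?")[0, 64]
  end
end
```

Mount it ahead of the rest of the middleware stack so the rejected requests never reach the code that raises `ActionController::UnknownHttpMethod`.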

As per jturkel at https://gist.github.com/remvee/600569: in Rails 3.2, for non-HTTP actions, I added the following at the end of config/application.rb and solved the problem for quit.

# silence ActionController::UnknownHttpMethod exceptions
ActionDispatch::ExceptionWrapper.rescue_responses.merge!( 'ActionController::UnknownHttpMethod' => :method_not_allowed )
Licensed under: CC-BY-SA with attribution