Hunting down abusive connections

sribe · February 7, 2022, 5:02am

This is maybe a Cowboy question, not sure if there’s a way forward in Elixir/Phoenix without diving into Erlang/Cowboy, but I’d sure like to know if there is. In a Phoenix app, the logs are just about useless because they are filled with a constant stream of the error below. Is there a config I can change to log a bit more info about these requests, so I can find the source and shut it down or block it?

10:34:23.488 [error] Cowboy returned 400 because it was unable to parse the request headers.

This may happen because there are no headers, or there are too many headers
or the header name or value are too large (such as a large cookie).

You can customize those values when configuring your http/https
server. The configuration option and default values are shown below:
protocol_options: [
  max_header_name_length: 64,
  max_header_value_length: 4096,
  max_headers: 100,
  max_request_line_length: 8096
]

realcorvus · February 7, 2022, 4:43pm

Another user on here was able to attach a telemetry handler, How to log malformed requests which cause cowboy to terminate request? - #2 by heathen

What environment is your app hosted in?

al2o3cr · February 7, 2022, 5:22pm

One way I’ve seen an error like this happen is if you put a large struct into the Phoenix session - the cookie can puff up bigger than 4KB and break things. For instance, a whole SAML response…

sribe · February 8, 2022, 3:18pm

Thanks! (It’s hosted on bare metal Linux server to which I have root access.)

sribe · February 8, 2022, 3:20pm

Ah, good to know. But I put like 2 UUIDs and a timestamp in the cookie, so that’s not the case here. The requests are extremely regular and 24/7, so I’m pretty sure it’s an external probe.