SANS ISC: InfoSec Handlers Diary Blog

SSL Requests to non-SSL HTTP Servers

Published: 2016-10-05
Last Updated: 2016-10-05 02:34:26 UTC
by Johannes Ullrich (Version: 1)

This isn't really new. But two readers submitted logs like this today. So I figured it is time for a reminder.

If you see requests like this in your weblogs:

a.b.c.d - - [04/Oct/2016:14:57:34 +0000] "\x16\x03\x02\x00\xDC\x01\x00\x00\xD8\x03\x02SC[\x90\x9D\x9Br\x0B\xBC\x0C\xBC+\x92\xA8H\x97\xCF\xBD9\x04\xCC\x16" 400 166 "-" "-"

The reason is almost always an SSL request sent to a non-SSL server. In particular, if you are running a web server on a port other than port 80 (e.g. 8080 or 8000), you will see attackers scanning your server on the assumption that it is running SSL.

To decode the byte sequence above:

\x16 - This indicates a "handshake" record. Typically, connections start with a client hello.
\x03\x02 - the SSL/TLS version. In this case "cutting edge" TLS 1.1 (0x03 0x01 is TLS 1.0).
\x00\xDC - the length of the message. 0xDC = 220 bytes.
\x01 - indeed, a client hello (a server hello would be '2').
\x00\x00\xD8 - the length of the client hello part of the message (216 bytes).
\x03\x02 - SSL/TLS version again.
SC[\x90 - four-byte time stamp (only non-printable characters use the \x encoding, so this translates to 0x53 0x43 0x5B 0x90),
followed by some random bytes...

You will find various versions of this, depending on the SSL/TLS version used, the number of ciphers offered and the like.
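To turn the manual decoding above into something you can run over a log file, here is an added example (not part of the diary, and not SANS or Apache code) that undoes Apache's \xNN escaping of the request field, parses the TLS record header, handshake header, client version and the four-byte time stamp, and labels the line as a TLS handshake sent to a plaintext port. It assumes the combined log format and Apache-style escaping; the sample line is the one quoted in the diary, with the author's anonymised client address, and the version and handshake-type tables cover the SSL 3.0 to TLS 1.2 variants the text says you will encounter.

```python
import re
import struct
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the log line quoted in the diary (client address anonymised
# as a.b.c.d by the author). Apache writes non-printable request bytes as \xNN.
SAMPLE_LOG = (
    r'a.b.c.d - - [04/Oct/2016:14:57:34 +0000] '
    r'"\x16\x03\x02\x00\xDC\x01\x00\x00\xD8\x03\x02SC[\x90\x9D\x9Br\x0B\xBC'
    r'\x0C\xBC+\x92\xA8H\x97\xCF\xBD9\x04\xCC\x16" 400 166 "-" "-"'
)

# Combined-log-format fields we need: client, timestamp, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) ')
_HEX = re.compile(r"\\x([0-9A-Fa-f]{2})")

TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}
RECORD_TYPE_HANDSHAKE = 0x16


def unescape_apache(field: str) -> bytes:
    """Undo Apache access-log escaping: \\xNN -> raw byte, \\\\ and \\" -> literal."""
    out = bytearray()
    i = 0
    while i < len(field):
        m = _HEX.match(field, i)
        if m:                                   # \xNN -> one raw byte
            out.append(int(m.group(1), 16))
            i = m.end()
        elif field[i] == "\\" and i + 1 < len(field) and field[i + 1] in '\\"':
            out.append(ord(field[i + 1]))       # \\ or \" -> the literal character
            i += 2
        else:
            out.append(ord(field[i]))           # printable ASCII is logged as-is
            i += 1
    return bytes(out)


def parse_tls_handshake(raw: bytes) -> Optional[dict]:
    """Decode the TLS record header and handshake header at the start of raw.

    Returns None when the bytes do not look like a TLS handshake record, so the
    caller can fall through to normal HTTP handling.
    """
    if len(raw) < 11 or raw[0] != RECORD_TYPE_HANDSHAKE or raw[1] != 3:
        return None
    record_version = (raw[1], raw[2])
    record_length = struct.unpack(">H", raw[3:5])[0]      # 16-bit, big-endian
    handshake_type = raw[5]
    handshake_length = int.from_bytes(raw[6:9], "big")    # 24-bit, big-endian
    hello_version = (raw[9], raw[10])
    gmt_unix_time = struct.unpack(">I", raw[11:15])[0] if len(raw) >= 15 else None
    return {
        "record_version": TLS_VERSIONS.get(record_version, "unknown %d.%d" % record_version),
        "record_length": record_length,
        "handshake_type": HANDSHAKE_TYPES.get(handshake_type, "type %d" % handshake_type),
        "handshake_length": handshake_length,
        "hello_version": TLS_VERSIONS.get(hello_version, "unknown %d.%d" % hello_version),
        # The handshake header is 4 bytes (type + 24-bit length), so a well-formed
        # record body is exactly that header plus the handshake message.
        "lengths_consistent": handshake_length + 4 == record_length,
        "gmt_unix_time": gmt_unix_time,
        "gmt_unix_time_iso": (datetime.fromtimestamp(gmt_unix_time, tz=timezone.utc).isoformat()
                              if gmt_unix_time is not None else None),
        # Fewer logged bytes than the declared record means the log captured only
        # part of the hello (the sample line stops after 22 bytes of the random field).
        "truncated": len(raw) < record_length + 5,
    }


def classify_log_line(line: str) -> dict:
    """Label one access-log line: TLS handshake sent to a plaintext port, or not."""
    m = LOG_RE.match(line)
    if not m:
        return {"verdict": "unparsed"}
    client, when, request, status = m.groups()
    result = {"client": client, "time": when, "status": int(status)}
    hello = parse_tls_handshake(unescape_apache(request))
    if hello is None:
        result["verdict"] = "http-or-other"
    else:
        result["verdict"] = "tls-handshake-to-plaintext-port"
        result.update(hello)
    return result


if __name__ == "__main__":
    for key, value in classify_log_line(SAMPLE_LOG).items():
        print(f"{key:>20}: {value}")
```

Run against the diary's line, the script reports TLS 1.1, a 220-byte record carrying a 216-byte ClientHello, and consistent lengths. The four time-stamp bytes 0x53 0x43 0x5B 0x90 decode to 1396923280, a date in April 2014 that does not match the October 2016 log entry; the field is printed for reference only, since clients are not required to put their real clock there. Lines whose request field does not start with a handshake record (0x16) fall through as ordinary HTTP, so the same function can be applied to a whole log without special-casing.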


---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
