Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SSL Requests to non-SSL HTTP Servers SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
SSL Requests to non-SSL HTTP Servers

This isn't really new. But two readers submitted logs like this today. So I figured it is time for a reminder.

If you see requests like this in your weblogs: 

a.b.c.d - - [04/Oct/2016:14:57:34 +0000] "\x16\x03\x02\x00\xDC\x01\x00\x00\xD8\x03\x02SC[\x90\x9D\x9Br\x0B\xBC\x0C\xBC+\x92\xA8H\x97\xCF\xBD9\x04\xCC\x16" 400 166 "-" "-"

The reason is almost always an SSL request sent to a non SSL server. In particular if you are running a web server on a port other then port 80 (e.g. 8080 or 8000), you will see attackers trying to scan your server assuming that it is running SSL.

To decode the byte sequence above:

\x16 - This indicates a "handshake". Typically, connections start with a client hello.
\x03\x02 - the SSL/TLS version. In this case "cutting edge" TLS 1.1 (0x03 0x01 is TLS 1.0)
\x00\0xDC - the length of the message. 0xDC = 220 Bytes.
\x01 - indeed.. a client hello (server hello would be '2')
\x00\x00\xD8 - the length of the client hello part of the message ( 216 Bytes)
\x03\x02 - SSL/TLS version again 
SC[\x90  - four byte time stamp (only non-printable characters use the \x encoding. So this translates to 0x53 0x43 0x5B 0x90
followed by some random bytes...

You will find various versions of this, depending on the SSL/TLS version used, the number of ciphers offered and the like.


Johannes B. Ullrich, Ph.D.


4277 Posts
ISC Handler
Oct 5th 2016

Sign Up for Free or Log In to start participating in the conversation!