Akamai blocks unordered HTTP request headers (opens in new tab)

(gwillem.gitlab.io)

43 pointsgwillem9y ago11 comments

11 comments

11 comments · 6 top-level

squeed9y ago· 3 in thread

Is it Akamai? Or is it a single site on Akamai? CDN customers can configure their sites in a million ways.

My guess is a single site that was getting DDoS'd added this as an attack signature and forgot about it.

My money, in this case, is something like Akamai Kona or Shape Security, that does bot blocking. Comparing user-agent against known header order for that specific user-agent sounds like something they would do.

jnfurst9y ago

This is just a single sites configuration.

bluesmoon9y ago

Well, everybody knows that in statistics, a sample size of 1 gives you a 0 margin of error ;)

idbehold9y ago· 2 in thread

In the second example the author does the following:

  $ ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
  $ curl -v -H "$UA" -H "$ACCEPT" $URL |& grep '< HTTP'

The author fails to prefix $ACCEPT with the actual header key. It should be:

  $ curl -v -H "$UA" -H "Accept: $ACCEPT" $URL |& grep '< HTTP'

jstanley9y ago

From personal experience I'd be willing to give him the benefit of the doubt (i.e. he did it right, but wrote it up wrong). Good spot though.

gwillemOP9y ago

Thanks! Indeed a copy paste error, I updated the article.

jnfurst9y ago

This is just the configuration for a single site. The author did not even try it against www.akamai.com:

$ URL=http://www.akamai.com

$ UA="User-Agent: Mozilla/5.0 My API Client"

$ ACCEPT="Accept: /"

$ curl -v -H "$UA" -H "$ACCEPT" $URL

< HTTP/1.1 301 Moved Permanently

< Content-Length: 0

< Location: https://www.akamai.com

< Date: Tue, 02 May 2017 14:46:59 GMT

< Connection: keep-alive

michaelmior9y ago

> most libraries use random order

Most libraries use an undefined order. This is not the same as random.

1 more reply

AznHisoka9y ago

Did Akamai recently just make this change?

I'm asking because I've been running a web crawler for years now, and in the past week, I have noticed that the crawler is being rejected in more websites then usual.

gumby9y ago

I disagree with the author's title (and I see it was submitted with a different title).

This is actually a report of two bugs:

1- the standard doesn't require an order

2 - the IETF's admonition that you be liberal in what you accept.

j / k navigate · click thread line to collapse

11 comments

11 comments · 6 top-level

squeed9y ago· 3 in thread

Is it Akamai? Or is it a single site on Akamai? CDN customers can configure their sites in a million ways.

My guess is a single site that was getting DDoS'd added this as an attack signature and forgot about it.

tyingq9y ago

jnfurst9y ago

This is just a single sites configuration.

bluesmoon9y ago

Well, everybody knows that in statistics, a sample size of 1 gives you a 0 margin of error ;)

idbehold9y ago· 2 in thread

In the second example the author does the following:

  $ ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
  $ curl -v -H "$UA" -H "$ACCEPT" $URL |& grep '< HTTP'

The author fails to prefix $ACCEPT with the actual header key. It should be:

  $ curl -v -H "$UA" -H "Accept: $ACCEPT" $URL |& grep '< HTTP'

jstanley9y ago

From personal experience I'd be willing to give him the benefit of the doubt (i.e. he did it right, but wrote it up wrong). Good spot though.

gwillemOP9y ago

Thanks! Indeed a copy paste error, I updated the article.

jnfurst9y ago

This is just the configuration for a single site. The author did not even try it against www.akamai.com:

$ URL=http://www.akamai.com

$ UA="User-Agent: Mozilla/5.0 My API Client"

$ ACCEPT="Accept: /"

$ curl -v -H "$UA" -H "$ACCEPT" $URL

< HTTP/1.1 301 Moved Permanently

< Content-Length: 0

< Location: https://www.akamai.com

< Date: Tue, 02 May 2017 14:46:59 GMT

< Connection: keep-alive

michaelmior9y ago

> most libraries use random order

Most libraries use an undefined order. This is not the same as random.

1 more reply

AznHisoka9y ago

Did Akamai recently just make this change?

I'm asking because I've been running a web crawler for years now, and in the past week, I have noticed that the crawler is being rejected in more websites then usual.

gumby9y ago

I disagree with the author's title (and I see it was submitted with a different title).

This is actually a report of two bugs:

1- the standard doesn't require an order

2 - the IETF's admonition that you be liberal in what you accept.

j / k navigate · click thread line to collapse