
Undertow: the number of cookies sent exceeded 200, could this be a server attack?

Stack Overflow user
Asked on 2014-11-27 21:30:27
1 answer, 1.9K views, 0 followers, 2 votes

I just found an exception in the server log that does not seem to have been triggered by the staff who use my Java EE 7 application. This happened on a Wildfly-8.1.0.Final installation.

It says Exception handling request to /manager/html/upload: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200, but according to the log no user was logged in at the time. Moreover, the resource /manager/html/upload does not even exist.

I register many automated intruder attempts via sshd; could this also be caused by a bot trying to brute-force a possible backend?

Could this affect normal use of the application, and is there a way to prevent this kind of error?

Here is the full stack trace:

2014-11-27 14:55:10,655 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /manager/html/upload: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.util.Cookies.createCookie(Cookies.java:285) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseCookie(Cookies.java:221) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
    at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.HttpServletRequestImpl.getSession(HttpServletRequestImpl.java:353) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.jboss.weld.servlet.SessionHolder.requestInitialized(SessionHolder.java:47) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.HttpContextLifecycle.requestInitialized(HttpContextLifecycle.java:168) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.WeldInitialListener.requestInitialized(WeldInitialListener.java:153) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at io.undertow.servlet.core.ApplicationListeners.requestInitialized(ApplicationListeners.java:216) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:239) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

2014-11-27 14:55:10,663 ERROR [io.undertow.request] (default task-9) UT005022: Exception generating error page /errors/error.xhtml: java.lang.RuntimeException: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:408) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:319) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:263) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Caused by: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.util.Cookies.createCookie(Cookies.java:285) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseCookie(Cookies.java:221) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
    at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.HttpServletRequestImpl.getSession(HttpServletRequestImpl.java:353) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.omnifaces.filter.HttpFilter.doFilter(HttpFilter.java:76) [omnifaces-1.8.1.jar:1.8.1-20140603]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:229) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:172) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:402) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    ... 10 more

2014-11-27 14:55:10,673 ERROR [io.undertow.servlet.request] (default task-9) UT015005: Error invoking method requestDestroyed on listener class org.jboss.weld.servlet.WeldInitialListener: java.lang.NullPointerException
    at org.jboss.weld.context.AbstractBoundContext.deactivate(AbstractBoundContext.java:71) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.context.http.HttpRequestContextImpl.deactivate(HttpRequestContextImpl.java:70) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.HttpContextLifecycle.requestDestroyed(HttpContextLifecycle.java:225) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.servlet.WeldInitialListener.requestDestroyed(WeldInitialListener.java:136) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at io.undertow.servlet.core.ApplicationListeners.requestDestroyed(ApplicationListeners.java:225) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:283) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

2014-11-27 14:55:10,674 ERROR [io.undertow.request] (default task-9) Blocking request failed HttpServerExchange{ GET /errors/error.xhtml}: java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200
    at io.undertow.util.Cookies.createCookie(Cookies.java:285)
    at io.undertow.util.Cookies.parseCookie(Cookies.java:221)
    at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181)
    at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003)
    at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83)
    at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58)
    at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
    at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142)
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677)
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:707)
    at io.undertow.servlet.spec.ServletContextImpl.updateSessionAccessTime(ServletContextImpl.java:711)
    at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:522)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:287)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

1 Answer

Stack Overflow user

Accepted answer

Posted on 2016-05-30 09:23:25

I looked at this again and found that it appears to be a mitigating security measure (it actually is one).

At first I thought that Undertow could not produce a limited number of cookies within a given time frame, but that should not be the case. This exception is thrown when an attacker tries to attack your web server by sending a large number of cookies with the request, which could cause a buffer overflow.

Here is part of the source I got this idea from, in case the link dies:

Too Many Cookies Requested

Details
Every HTTP request may contain cookies. These cookies hold additional attributes of the user sending the request, such as personalization information, session identifiers and so on. Because cookies are set by the server and not by the client, the number of cookies per application is usually static.

What does it mean?
There are two main scenarios in which an attacker may want to send a request containing multiple cookies. One is an attempt to send a large amount of cookie data, which may cause the parsing mechanism to fail. The other scenario in which an attacker would inject additional cookies is an attempt to fool security components that rely on cookie data.

Possible attacks
The most likely attacks associated with this violation are buffer overflow attacks against the web server's parsing mechanism or against the application that handles the cookies. It may also involve various denial-of-service attacks, as well as evasion of security mechanisms.

Detecting the attack
A single instance of this violation indicates that an attacker tried to send a request containing too many cookies. A user cannot accidentally create extra cookies.

False positives detection
Some applications may actually use a large number of cookies. This may be the result of storing many variables on the client side via cookies, or of using dynamically generated cookies that are constantly replaced throughout the session without properly removing the expired ones.

Votes: 2
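As an added example (not code from the question, the answer, or the Undertow project) of the two defensive points above: a Cookie-header parser that enforces a hard cap before any per-cookie state is built, and a log triage that counts the UT000046 rejections by request path so probes of paths the application does not serve (like /manager/html/upload) stand apart from cookie-heavy pages it does serve, the false positive the quoted text warns about. The sample log lines, the known-path set and the function names are constructed for this example.

```python
import re
from collections import Counter

MAX_COOKIES = 200  # Undertow's default limit, the figure quoted in UT000046


def parse_cookie_header(header, max_cookies=MAX_COOKIES):
    """Split a Cookie request header into name/value pairs, refusing the
    header before any per-cookie state is built if it carries more than
    max_cookies pairs. Returns (cookies, None) or (None, reason)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if len(parts) > max_cookies:
        return None, f"{len(parts)} cookies exceeds the maximum of {max_cookies}"
    cookies = {}
    for part in parts:
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip().strip('"')
    return cookies, None


# First log line Undertow writes per rejected request, in the format shown in
# the question: timestamp, "Exception handling request to <path>", UT000046.
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) ERROR .*?Exception handling request to "
                    r"(?P<path>\S+): .*UT000046")


def triage_cookie_limit_events(log_lines, known_paths):
    """Count UT000046 rejections per request path, split into paths the app
    serves ("known") and paths it does not ("unknown"). Unknown-path hits are
    probe noise; repeated known-path hits are the false positive the quoted
    text warns about (an app that legitimately sets very many cookies)."""
    result = {"known": Counter(), "unknown": Counter()}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            bucket = "known" if m.group("path") in known_paths else "unknown"
            result[bucket][m.group("path")] += 1
    return result


# Constructed sample log shaped like the question's lines; the error-page line
# (UT005022) is deliberately included and must not be counted a second time.
_REJECT = "java.lang.IllegalStateException: UT000046: The number of cookies sent exceeded the maximum of 200"
SAMPLE_LOG = [
    f"2014-11-27 14:55:10,655 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /manager/html/upload: {_REJECT}",
    f"2014-11-27 14:55:10,663 ERROR [io.undertow.request] (default task-9) UT005022: Exception generating error page /errors/error.xhtml: java.lang.RuntimeException: {_REJECT}",
    f"2014-11-27 14:56:02,101 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /manager/html/upload: {_REJECT}",
    f"2014-11-27 15:10:44,009 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /app/index.xhtml: {_REJECT}",
]
```

Run `triage_cookie_limit_events(SAMPLE_LOG, {"/app/index.xhtml"})` to see two rejections on the unknown manager path and one on the known application page.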
Page content originally provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/27178887
