Web Server Error Response Spike Indicating Reconnaissance
An unusual spike in web server error codes (500, 502, 503, 504) may indicate reconnaissance activities like vulnerability scanning or fuzzing, where attackers probe for weaknesses, potentially leading to exploitation of server-side issues.
This threat brief addresses the risk of reconnaissance activities targeting web servers, specifically focusing on the detection of unusual spikes in HTTP error response codes (500, 502, 503, and 504). An adversary might employ vulnerability scanning or fuzzing techniques to identify weaknesses in web applications. These actions often result in a high volume of error responses as the attacker probes various endpoints and inputs. The detection rule applies to various web server platforms, including Nginx, Apache, Apache Tomcat, IIS, and Traefik. This activity is significant for defenders because successful reconnaissance can precede more severe attacks, such as data exfiltration or system compromise, by revealing exploitable vulnerabilities. The rule is designed to trigger when the number of 5xx errors exceeds a defined threshold within a specified time interval.
Attack Chain
- The attacker initiates a reconnaissance phase by sending a series of HTTP GET requests to the target web server.
- The attacker uses vulnerability scanning tools to probe for known weaknesses in the web application, generating various types of requests, including invalid or malformed URLs.
- The web server processes each request, and those that encounter errors (e.g., invalid input, non-existent pages, server-side exceptions) result in 5xx error codes.
- A high volume of these error responses are generated over a short period if the scanning tool aggressively probes the web server.
- The attacker analyzes the error responses to identify potential vulnerabilities or misconfigurations.
- The attacker may use identified vulnerabilities to perform additional scans or attempt to exploit the system.
- If successful, the attacker gains unauthorized access to the web server or underlying system.
- The attacker may proceed to further escalate privileges, install malware, or exfiltrate sensitive data.
Impact
A successful reconnaissance campaign can lead to the discovery of vulnerabilities that allow attackers to compromise web servers. This can result in data breaches, service disruptions, and reputational damage. While the error spike itself is a low-severity indicator, it can be a precursor to more critical attacks. The number of affected systems can range from a single server to an entire infrastructure, depending on the scope of the attacker's reconnaissance.
Recommendation
- Deploy the Sigma rule "Web Server Potential Error Response Spike" to your SIEM to detect unusual spikes in 5xx error codes (rule.name).
- Investigate any alerts generated by the Sigma rule, focusing on the source IP addresses and requested URLs to identify potential scanners (rule.note).
- Implement rate limiting and blocking mechanisms at the edge (e.g., reverse proxy, WAF) to mitigate identified malicious traffic (rule.note).
- Review web server and application logs for patterns indicative of vulnerability scanning or fuzzing attempts, paying attention to User-Agent strings and request parameters (rule.note).
Detection coverage 2
Web Server Potential Error Response Spike
lowDetects a spike in 5xx error codes from a single source IP, indicating potential scanning or fuzzing activity.
Web Server Multiple Error Codes from Single IP
lowDetects multiple HTTP 5xx status codes originating from a single IP address within a short timeframe, suggesting scanning activity.
Detection queries are available on the platform. Get full rules →