Apache and 408s

Patrick Cole z at amused.net
Sat Sep 22 17:58:16 EST 2001


Mon, Sep 17, 2001 at 05:14:06PM +1000, Peter Barker wrote:

> 	How many sysadmins out there have been seeing lots of 408s in
> their error logs? e.g.
> 
> zzz.32.124.98 - - [17/Sep/2001:17:13:59 +1000] "-" 408 -
> 
> 	408 is HTTPish for "request timed out" - seems like people are
> connecting and then not sending their request through.
> 
> 	Anybody have any clues what it is? Seems rather odd for a
> portscan, since they should probably disconnect after scanning the port,
> and not time out.

This newest derivation of the Code Red virus, as well as directing attacks
to machines close by and random hosts, also opens connections to port 80
and keeps them open, sending either garble or no data at all, hence
causing the web server to eventually hit its MaxClients limit and stop
accepting connections. I got around this by setting the 'Timeout' value
in httpd.conf to 3 seconds, but since I haven't been able to establish
a pattern to the requests there is really no way to filter them.

As far as the attacks go, I've written a netfilter user space queueing
daemon that scans the data of the packets it receives and drops them if
they are web requests pertaining to the multitude of IIS/etc issues the
virus tries to exploit. If anyone would like a copy let me know.

-- 
Patrick Cole - Debian Developer <ltd at debian.org>
             - John Curtin, ANU <Patrick.Cole at anu.edu.au>
             - Linear-G Network Solutions <z at linearg.com>
             - PGP 1024R/60D74C7D C8E0BC7969BE7899AA0FEB16F84BFE5A   
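A small detection script for the symptom discussed in this thread, added here as an example and not part of the original post or of Patrick's netfilter daemon. It parses Apache common-log lines (the request field is literally "-" on a 408 because the client never sent one, as in the line Peter quoted), counts 408s per client, flags hosts that produce several within a short window, and estimates how many MaxClients slots idle connections tie up for a given Timeout. The sample log lines, the 5-minute window, the threshold of 3 and the `held_connections` estimate (plain Little's-law arithmetic) are all constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache common log format: host ident user [timestamp] "request" status size.
# A 408 logs the request as "-" because nothing was received before Timeout.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Sep/2001:17:13:59 +1000] "-" 408 -
192.0.2.10 - - [17/Sep/2001:17:14:12 +1000] "-" 408 -
192.0.2.10 - - [17/Sep/2001:17:14:40 +1000] "-" 408 -
198.51.100.7 - - [17/Sep/2001:17:15:01 +1000] "GET /index.html HTTP/1.0" 200 1432
198.51.100.7 - - [17/Sep/2001:17:30:00 +1000] "-" 408 -
203.0.113.5 - - [17/Sep/2001:17:16:22 +1000] "-" 408 -
""".splitlines()


def parse_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {
        'host': m.group('host'),
        'ts': ts,
        'request': m.group('req'),
        'status': int(m.group('status')),
    }


def timeout_report(lines, window=timedelta(minutes=5), threshold=3):
    """Summarise 408s in the given log lines.

    Returns (total_408s, {host: 408 count}, sorted list of hosts that
    produced at least `threshold` 408s inside any `window`-long span).
    """
    per_host = Counter()
    stamps = defaultdict(list)
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['status'] != 408:
            continue
        total += 1
        per_host[rec['host']] += 1
        stamps[rec['host']].append(rec['ts'])

    offenders = set()
    for host, ts_list in stamps.items():
        ts_list.sort()
        start = 0
        # Sliding window over the sorted timestamps for this host.
        for end in range(len(ts_list)):
            while ts_list[end] - ts_list[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(host)
                break
    return total, dict(per_host), sorted(offenders)


def held_connections(idle_conns_per_second, timeout_seconds):
    """Assumed steady-state estimate (Little's law): slots occupied by idle
    connections that each sit for Timeout seconds before Apache closes them.
    Compare against MaxClients to see how much headroom a given Timeout leaves."""
    return idle_conns_per_second * timeout_seconds


if __name__ == '__main__':
    total, per_host, offenders = timeout_report(SAMPLE_LOG)
    print(f"408 responses: {total}")
    for host, n in sorted(per_host.items(), key=lambda kv: -kv[1]):
        print(f"  {host:<16} {n}")
    print(f"hosts exceeding threshold: {offenders}")
    # Two idle connections per second with the default 300 s Timeout versus 3 s.
    print(f"slots held at Timeout 300: {held_connections(2.0, 300):.0f}")
    print(f"slots held at Timeout 3:   {held_connections(2.0, 3):.0f}")
```

Run it against a real access log with `timeout_report(open('/var/log/apache/access.log'))` (path assumed). The per-host counts tell you whether the 408s come from a few sources you can block upstream or, as Patrick found, from scattered hosts where a short Timeout is the practical mitigation; the `held_connections` figures show why dropping Timeout from the default to a few seconds keeps a server with a fixed MaxClients reachable under this kind of idle-connection load.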