4

I am migrating some applications from Apache 1.3 to 2.2.

We used to run some tests where an attacker opens some HTTP connections to our server and does nothing. Apache 1.3 would log the following 408 code, for example:

126.1.86.85 - - [01/Dec/2010:06:26:19 +0000] "-" 408 - "-" 0
126.1.86.85 - - [01/Dec/2010:06:26:19 +0000] "-" 408 - "-" 0

But with Apache 2.2, nothing is logged to the log file. I run the same test by using netcat to open the connection:

$ nc IP_victim PORT_victim
$ nc 10.42.37.3 80

I would like to have Apache 2.2 log the same 408 code to the log file, so that we would know of attempted DoS attacks from the outside. Do I need any more configuration in Apache 2 to enable this?

I have tried some different configurations such as LogLevel = Debug, Timeout 30, RequestReadTimeout header=10 body=30.

Thanks.

Gant
  • When you say nothing is logged to the log file, do you mean nothing timeout related, or nothing at all? – Decado Mar 14 '11 at 08:48
  • @Decado Nothing timeout related is logged. Normal requests are logged normally. – Gant Mar 14 '11 at 10:28

1 Answer

2

I found this in the Apache mailing list, which talks about this: https://issues.apache.org/bugzilla/show_bug.cgi?id=39785. This looks like it was resolved in Apache release 2.2.2. This is the relevant check: http://svn.apache.org/viewvc?view=revision&revision=919323. It has a comment stating "Only log a 408 if it is no keepalive timeout."

So check to see if you have a value for KeepAlive set and check to make sure you're at version 2.2.2 or higher.

Decado
  • Thanks for pointing this out. I found another thread in the list that suggests 408 will not be logged when a connection is open but nothing is sent. – Gant Mar 17 '11 at 04:12
  • http://httpd.markmail.org/search/?q=408#query:408+page:1+mid:5wvrigtabafkdir5+state:results – Gant Mar 17 '11 at 04:13
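
Where 408 entries are written in the format quoted in the question, they can be counted per client to surface repeated idle connections. This is an added example, not code from the question or the answer; the threshold, the window length and the sample lines (documentation addresses) are assumptions.

```python
import re
from datetime import datetime

# Matches the line shape quoted in the question:
# client ident user [timestamp] "request" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_timeouts(lines):
    """Yield (ip, timestamp) for 408 entries whose request line is empty ("-")."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["status"] == "408" and m["req"] == "-":
            yield m["ip"], datetime.strptime(m["ts"], TS_FORMAT)

def flag_clients(lines, threshold=3, window_seconds=60):
    """Return {ip: peak} for clients with at least `threshold` empty-request
    408s inside any sliding window of `window_seconds` (assumed defaults)."""
    by_ip = {}
    for ip, ts in parse_timeouts(lines):
        by_ip.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = peak = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample lines in the question's log format (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Dec/2010:06:26:19 +0000] "-" 408 - "-" 0',
    '192.0.2.10 - - [01/Dec/2010:06:26:25 +0000] "-" 408 - "-" 0',
    '192.0.2.10 - - [01/Dec/2010:06:26:40 +0000] "-" 408 - "-" 0',
    '198.51.100.7 - - [01/Dec/2010:06:27:01 +0000] "GET / HTTP/1.1" 200 512 "-" 0',
    '198.51.100.7 - - [01/Dec/2010:06:30:00 +0000] "-" 408 - "-" 0',
    '192.0.2.10 - - [01/Dec/2010:06:40:00 +0000] "-" 408 - "-" 0',
]

if __name__ == "__main__":
    for ip, peak in flag_clients(SAMPLE).items():
        print(f"{ip}: {peak} empty-request 408s within 60s")
```

A clean result only covers timeouts the server actually logged, so it does not show that no idle connections occurred.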