5

In my log watch records there has been a steadily growing progression of these:

  408 Request Timeout
      null: 694 Time(s)

On my webserver.

Here are some of what look like the contributing requests from the /var/log/apache2/access.log access log:

ip - - date requestsfor"-"? httpcode bytes referrer useragent
75.149.117.146 - - [28/Jan/2013:17:49:47 -0500] "-" 408 0 "-" "-"
65.55.215.247 - - [28/Jan/2013:17:57:40 -0500] "-" 408 0 "-" "-"
205.157.206.75 - - [28/Jan/2013:18:00:21 -0500] "-" 408 0 "-" "-"

Normal access request examples of course have a lot more relevant info like this:

ip - - date request-for httpcode bytes referrer useragent
66.251.23.171 - - [28/Jan/2013:17:45:41 -0500] "GET /images/al/al-mb0608tn.jpg HTTP/1.1" 200 4085 "http://example.com/brands.php?F=S&BrandCode=AL" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

See a larger sampling of my access log here (with a few normal get requests that 408 in with the rest)

I did reverse IP lookups on the ips, and they seem to come from diverse locations in the US and Canada. That could just mean that there is a proxy involved, I suppose? There is a large block from:

96.42.74.117 - - [18/Feb/2013:02:55:58 -0500] "-" 408 0 "-" "-"

That repeats frequently.

I hesitate to jump to conclusions that this is an attack as opposed to a fault, but the number of probes recorded has been steadily increasing at around the same time, e.g. logwatch also says

 A total of 125 sites probed the server
    107.22.9.89
    108.132.76.100
    108.172.60.59
    108.226.133.142
    12.166.56.82
    12.54.94.24

.... on and on with a list of various ips that used detected probes against the server. There is some overlap of the ips listing as "probing" the server and the ips that hit the access log with nulls, so that may suggest an attack, but since the server has to serve requests, it'll be hard to tell a legit timeout from a DOS request timeout attack if that's what is going on here.

How do I debug this problem, or if it is an attack, deal with this attack?

Kzqai
  • 1,278
  • 4
  • 18
  • 32
  • What is that? An apache error log? More details please – Mathias R. Jessen Feb 13 '13 at 13:46
  • The "408 request timeout null: 694 times" and "a total of 125 sites probed the server" messages are from the logwatch log summarizing app, which emails me out info about the server logs on a daily basis. The others are entries from a grep of /var/log/apache2/access.log I also clarified in my question now. – Kzqai Feb 13 '13 at 17:51
  • what is your value for `Timeout` in `httpd.conf`? – kei1aeh5quahQu4U Feb 13 '13 at 17:55
  • Looks like it is the rediculously high number of 300 seconds: # # Timeout: The number of seconds before receives and sends time out. # Timeout 300 – Kzqai Feb 13 '13 at 18:38
  • I've lowered it to 150 seconds, though I guess that will only increase the number of timeouts, of course, but I guess at least the requests that timeout wont hold onto resources. – Kzqai Feb 13 '13 at 18:43
  • Potentially related question: http://serverfault.com/questions/247051/logging-timeoutd-request-in-apache-2-x – Kzqai Feb 13 '13 at 18:54
  • @Tchalvak: how many 408 status in 1 minute? – quanta Feb 18 '13 at 03:07
  • I posted a longer sampling of the most recent 408 requests into the pastebin link. The hits are relatively infrequent, throughout the day. – Kzqai Feb 18 '13 at 19:25
  • http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html – quanta Feb 19 '13 at 16:04

4 Answers4

7

From some researching I did, these are some possibilities leading to 408 message. You can test each to identify the relevant one for your case.

1) Very low Apache TIMEOUT value - your web server could be ending the session before the client even get the chance to send a request.

too many 408 error codes in access log

2) browser predictive optimization - you can easily test this with different browsers. Simply do tail -f /var/log/apache2/access.log, while using relevant key words which would bring up your site on first search page, hover over the link pointing to your site, check if the site preview appears.....all these without clicking on the link which opens your website.

http://forum.linode.com/viewtopic.php?f=10&t=8048

3) denial of service attack - ddos warms such as slow loris can open too many connections to the server without sending a single bye tying up all the Apache processes.

http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html

A quote from above linke -

"The trick is to open a connection to the server but not send a single byte. Opening the connection and waiting requires almost no resources by the attacker, but it permanently ties up one Apache process to wait patiently for a request. Apache will wait until the timeout expires, and then close the connection. As of Apache 1.3.31, request-line timeouts are logged to the access log (with status code 408). Request line timeout messages appear in the error log with the level info. Apache 2 does not log such messages to the error log, but efforts are underway to add the same functionality as is present in the 1.x branch."

Community
  • 1
Daniel t.
  • 9,291
  • 1
  • 33
  • 36
  • Fair enough, the browser predictive optimization one seems like it may well fit the situation, especially since the error logs match. So I'll have to verify that myself later. Thanks. – Kzqai Feb 20 '13 at 16:21
  • Slowloris though would be keeping the connections alive from a single, or small group of IPs. That's not the pattern in Kzqai's log. He has a request here and there across time and space from different IPs other than the one IP in Rochester NY from 18/Feb/2013:01:37:32 which sends requests for around 90 minutes in the early morning. – ClearCrescendo Aug 11 '15 at 03:54
2

The majority of the 408 code server responses seem to be due to client timeouts rather than look aheads. I'm ruling out denial of service in the cases mentioned, my servers, and the referenced write-ups because the number of hits is low. I have tried but haven't been able to reproduce any 408 errors through look aheads in Safari, Chrome or Firefox under OS X. I also do not see them in most months on a local (non public) server which I would expect if they were normal browser behavior. It could be browsers looking ahead by opening connections and never using them for a request but I don't see that behavior with enough prevelance to account for the numbers of 408s on these public servers. While opening a connection with an empty request does get the connection started it makes more sense for a look ahead to be grabbing a resource or using OPTIONS (Which I also only see only in rare cross site and spider situations).

I did a DNS host lookup on a list of 47 IPs receiving 408 responses without an identified resource, agent or request sizes in the log from a lightly used public server. I ignored an additional 67 IPs where they differed by only the last tuple and represented them with the first in each set. So this is 47 different client networks/ISPs. Apache's TimeOut is the default 60 seconds. Of the 47, 20 produced machine names. Of these machines 10 (50%) were in mainland China, 5 in the US (25% and all OH, OK and NH) and 5 between Brazil, UK, Italy and Taiwan (ROC). I also suspect that a good proportion of the 27 IPs that did not result in a machine name are also in China but can't show that.

Of the 67 IPs ignored as their block was already represented 63 were Baidu spiders: baiduspider-*.crawl.baidu.com (If that seems excessive bear in mind that it is now larger than Yahoo or Bing in terms of searches per month - Second only to Google).

If it were modern browser behavior causing them I would have expected a higher proportion in the US. The server I logged is in The Bay Area. Instead I think this is primarily network congestion causing connections to take too long to setup and allow the full request to be sent and received before the connection is dropped or timed out by Apache. In particular the extreme congestion due to demand growth, inadequate cross border bandwidth and national firewall infrastructure in China. It could also be deliberate forged connection resets but there's no reason to expect that for this. The remainder being home users with poor connections or unfortunate equipment situations elsewhere.

I think the problem is primarily a client end connectivity issue but you may want to have a conciliatory, and non graphical, 408 error page. Though judging by the 0 size shown in the log for the outbound response, Apache isn't using the error page.

ClearCrescendo
  • 121
  • 3
0

In my case, Apache was being overloaded. The answer was to turn off KeepAlive and increase MaxClients in apache.conf.

Kohjah Breese
  • 171
  • 2
  • 13
0

I had this issue when I modified my Apache config for my FastCGI server.

Increasing the -idle-timeout value from 60 to 900 gave me a few sleepless nights as I couldn't trace the 408 errors to this small change.

Glad I finally fixed it by returning this to 60.

DoctorFox
  • 1
  • 1