access_log - what is 408???

craigedmonds

Well-Known Member
Oct 29, 2007
115
1
68
Europe
cPanel Access Level
Root Administrator
Twitter
Some clients have mentioned their sites are running a little slow today and upon investigation I can see that the /usr/local/apache/logs/access_log is going mental with these types of entries below... like thousands every minute from different IPs.

My server load is fine. Idle is 98% most times. mod_qos is not picking anything up in error_log apart from the occasional mod_qos entry.

Could this be another type of attack?

Should I be blocking any IPs registering in the access_log with +20 attempts?

Code:
208.180.198.235 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
208.180.198.235 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
176.33.110.202 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
176.33.110.202 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
78.93.53.146 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
78.93.53.146 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
87.239.28.229 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
87.239.28.229 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
213.87.143.113 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
213.87.143.113 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
151.240.131.199 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
151.240.131.199 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
41.254.5.34 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
41.254.5.34 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
71.189.193.181 - - [19/Feb/2014:14:03:43 +0000] "-" 408 -
71.189.193.181 - - [19/Feb/2014:14:03:43 +0000] "-" 408 -
71.175.133.235 - - [19/Feb/2014:14:03:43 +0000] "-" 408 -
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello :)

It's possible that it's an attack, but it's difficult to say for sure based solely on that log output. Have you tried blocking those IP addresses using your firewall to see if the slowness improves? Searching for "Apache 408 code" on Google yields several results that you might find useful.

Thank you.
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
586
25
153
cPanel Access Level
Root Administrator
Hello,

According to this Wikipedia link, 408 means Request Timeout

408 Request Timeout

The server timed out waiting for the request. According to W3 HTTP specifications: "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."
 

craigedmonds

Hi,

Yes, that's correct. But Timeout for what? cPanel is not helping me by telling me what it is.

This entry below means absolutely nothing, and seeing the server is being hit at a rate of 30 IPs a second from seemingly random IPs, I am kind of stuck as to what to do.

208.180.198.235 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -

For example, this IP, what is it trying to access? Port 443? Port 80? Which web site? Which IP?

All that I have seen about this explains it vaguely at best.

It's all kind of depressing.
 

vanessa

Well-Known Member
PartnerNOC
Sep 26, 2006
838
29
178
Virginia Beach, VA
cPanel Access Level
DataCenter Provider
Craig -

If it's in the Apache log, you know it's port 80 or 443. There might be an SSL log in the logs folder that narrows this down for you.

Either way, this is an attack and it's pretty common. It happens to all of us. If it's just a few IPs you can consider just blocking them (assuming you have a firewall on your server). Mod_reqtimeout might help with this, but I've never specifically used this on a client's server for 408 errors, because they typically don't actually cause a problem.

EasyApache: Custom Modules (
 

craigedmonds

I am seeing them in /var/log/httpd/audit_log

Going to find the SSL log now.

I am using ASL firewall from gotroot.com. I have just emailed them also to look into it.

And yeah, I have 14 production cPanel servers and they get attacked all the time, mainly with WordPress attacks, but this server is the only one that this weird 408 issue is happening with. It's almost like the attackers have tried everything and this finally works!

Due to the amount of 408 entries, it's the only thing I can think of causing a slowdown on the server and like I said, load is low, idle is high, port 80 connections are nonexistent.

- - - Updated - - -

It just occurred to me to run #watch -n 1.0 "netstat -ano | grep -v unix | grep ESTABLISHED | grep \:443" to check the SSL connections and look at the screenshot!!!

http://www.screencast.com/t/9au6GFc1

Now I just need to figure out which site(s) they are trying to hit on the server.
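
Added example (not part of any post in this thread): one way to measure the pattern discussed above before deciding on a per-IP block threshold such as the 20 attempts asked about in the first post. It tallies 408 responses whose request field is "-" per client address and per second. The function names, the threshold default and the sample lines (documentation address ranges, constructed timestamps) are assumptions made for illustration.

```python
import re
from collections import Counter

# Log format as shown in the thread: ip - - [timestamp] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')


def summarize_empty_408(lines, per_ip_threshold=20):
    """Tally 408 responses where the request field is "-" (no request line arrived)."""
    per_ip = Counter()
    per_second = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, stamp, request, status = m.groups()
        # A 408 that does carry a request line is a different case; skip it.
        if status == "408" and request == "-":
            per_ip[ip] += 1
            per_second[stamp] += 1
    return {
        "total": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "peak_per_second": max(per_second.values(), default=0),
        "over_threshold": sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold),
    }


def build_sample():
    """Constructed sample: many sources with two entries each, plus one noisy source."""
    lines = []
    for i in range(1, 31):
        for _ in range(2):
            lines.append(f'198.51.100.{i} - - [01/Jan/2024:00:00:01 +0000] "-" 408 -')
    for _ in range(25):
        lines.append('203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "-" 408 -')
    # Ordinary traffic and a 408 with a real request line, neither of which is counted.
    lines.append('192.0.2.10 - - [01/Jan/2024:00:00:02 +0000] "GET / HTTP/1.1" 200 5120')
    lines.append('192.0.2.11 - - [01/Jan/2024:00:00:02 +0000] "POST /form HTTP/1.1" 408 -')
    return lines


if __name__ == "__main__":
    print(summarize_empty_408(build_sample()))
```

When the entries are spread across many addresses with only a couple each, as in the log excerpt in the first post, few or none cross a per-IP threshold, so the distinct-address count and the per-second peak describe the event better than a block list does.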