jols

Well-Known Member
Mar 13, 2004
1,107
3
168
We are seeing tons of 408 timeouts coming from particular sets of IPs, e.g. stuff like this in the apache log:

207.58.169.218 - - [15/Nov/2006:17:12:19 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:12:32 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:14:21 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:14:45 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:15:00 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:16:31 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:16:48 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:16:53 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:18:55 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:18:58 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:19:02 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:21:45 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:21:49 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:21:53 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:23:53 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:24:07 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:24:29 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:26:31 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:26:34 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:26:38 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:29:57 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:30:33 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:33:59 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:34:01 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:34:01 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:37:11 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:37:15 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:38:03 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:39:55 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:40:21 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:40:21 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:43:20 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:44:17 -0600] "-" 408 -
207.58.169.218 - - [15/Nov/2006:17:44:18 -0600] "-" 408 -

This is starting to impact performance in a big way. We've got chirpy's firewall and also mod_evasive installed, but so far the only solution is to sit here and manually block IPs all day long.

I've also taken the httpd.conf timeout number down to 5 seconds, and it does not seem to matter if persistent connections are enabled or not.

Suggestions?

Is there a solution for this?
 

jols

DoSed with 408 (timeouts). Is there a BFD script for this?

I guess what I need here is something like BFD, except rather than triggering a block with too many failed accesses, it triggers a block with too many 408 timeouts.

I can't really use any kind of anti-DoS stuff here because there are not enough concurrent accesses that it "looks" like a DoS attack. Nevertheless the Apache connections are apparently held open until the timeout occurs, thus keeping CPU use constantly high. So what I would like to do is limit the number of times that any IP can garner a 408 error within x period of time. Anyone hear of something like this?

Thanks very much for any response.
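
The check asked for above (too many 408s from one IP within x period of time), sketched as an added example that is not part of the original posts and not BFD's own code. The function name, the 5-in-300-seconds default and the sample log lines (documentation-range IPs) are assumptions constructed for illustration; handing the result to the firewall is left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_408_offenders(lines, threshold=5, window_seconds=300):
    """Return {ip: time the threshold was first reached} for every IP with
    at least `threshold` 408 responses inside a sliding time window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)    # ip -> timestamps of 408s still in window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # blank, truncated or non-CLF line
        ip, stamp, _request, status = m.groups()
        if status != "408":
            continue
        try:
            when = datetime.strptime(stamp, TIME_FMT)
        except ValueError:
            continue               # unparseable timestamp
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()         # expire 408s older than the window
        if len(hits) >= threshold and ip not in offenders:
            offenders[ip] = when
    return offenders

# Constructed sample: one noisy client, one slow occasional timeout, one normal hit.
SAMPLE_LOG = """
192.0.2.10 - - [15/Nov/2006:17:12:19 -0600] "-" 408 -
192.0.2.10 - - [15/Nov/2006:17:12:32 -0600] "-" 408 -
198.51.100.7 - - [15/Nov/2006:17:13:00 -0600] "-" 408 -
192.0.2.10 - - [15/Nov/2006:17:14:21 -0600] "-" 408 -
203.0.113.5 - - [15/Nov/2006:17:14:30 -0600] "GET / HTTP/1.1" 200 5120
192.0.2.10 - - [15/Nov/2006:17:14:45 -0600] "-" 408 -
192.0.2.10 - - [15/Nov/2006:17:15:00 -0600] "-" 408 -
198.51.100.7 - - [15/Nov/2006:17:33:00 -0600] "-" 408 -
"""

if __name__ == "__main__":
    for ip, when in find_408_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the 408 threshold at {when.isoformat()}")
```

Run over the tail of the access log from cron, the returned IPs are the candidates for a temporary firewall deny; an occasional 408 from a client on a slow link stays under the threshold.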