The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

DoSed with 408 (timeout) errors.

Discussion in 'General Discussion' started by jols, Nov 15, 2006.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    We are seeing tons of 408 timeouts coming from particular sets of IPs, e.g. stuff like this in the apache log:

    207.58.169.218 - - [15/Nov/2006:17:12:19 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:12:32 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:14:21 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:14:45 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:15:00 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:16:31 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:16:48 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:16:53 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:18:55 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:18:58 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:19:02 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:21:45 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:21:49 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:21:53 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:23:53 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:24:07 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:24:29 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:26:31 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:26:34 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:26:38 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:29:57 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:30:33 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:33:59 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:34:01 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:34:01 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:37:11 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:37:15 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:38:03 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:39:55 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:40:21 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:40:21 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:43:20 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:44:17 -0600] "-" 408 -
    207.58.169.218 - - [15/Nov/2006:17:44:18 -0600] "-" 408 -

    This is starting to impact performance in a big way. We've got chirpy's fireall and also mod_evasive installed, but so far the only solution is to sit here and manually block IPs all day long.

    I've also taken the httpd.conf timout numer down to 5 seconds, and it does not seem to matter if persistant connections is enabled or not.

    Suggestions?

    Is there a solution for this?
     
  2. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    DoSed with 408 (time outs). Is there a BFD script for this?

    I guss what I need here is something like BFD, except rather than triggering a block with too many failed accesses, it triggers a block with too many 408 timeouts.

    I can't really use any kind of anti-DoS stuff here because there are not enough concurrent accesses that it "looks" like a DoS attack. Nevertheless the Apache connections are apparently held open until the time out occurs, thus keeping CPU use constantly high. So what I would like to do is limit the number of times that any IP can garner a 408 error within x period of time. Anyone hear of something like this?

    Thanks very much for any response.
     

Share This Page