Security Incidents mailing list archives
Re: HTTP 408 errors
From: Markus Stumpf <maex-lists-security-incidents () Space Net>
Date: Wed, 6 Feb 2002 15:32:49 +0100
On Sun, Feb 03, 2002 at 10:53:40PM -0700, Thomas Frerichs wrote:
I'm getting some unusual Apache 1.3.22 log entries in my access_log. I've included a semi-sanitized version below. The actual IP differs by a few in the last quad. I know the 408 error code is Request Time Out, but...
We'd seen a lot of them when we drastically reduced the (IMHO default?) Timeout 300 to Timeout 10 due to CodeRed and Nimda attacks to faster close hanging connections resulting of these attacks. This "short" Timeout affected "legitimate" connections of user via slow uplinks as well. You may check your TimeOut setting in the apache config file and raise it to see if the messages go away. You may also probe the IPs with the 308 errors. connect to them port 80 and try a HEAD / HTTP/1.0 \n If it's a MS IIS the errors could result of filtered CodeRed/Nimda attacks (as others already mentioned). \Maex -- SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0 Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299 "The security, stability and reliability of a computer system is reciprocally proportional to the amount of vacuity between the ears of the admin" ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- HTTP 408 errors Thomas Frerichs (Feb 04)
- RE: HTTP 408 errors Chip McClure (Feb 04)
- Re: HTTP 408 errors James Golovich (Feb 04)
- Re: HTTP 408 errors Markus Stumpf (Feb 06)