Security Incidents mailing list archives

Re: HTTP 408 errors


From: Markus Stumpf <maex-lists-security-incidents () Space Net>
Date: Wed, 6 Feb 2002 15:32:49 +0100

On Sun, Feb 03, 2002 at 10:53:40PM -0700, Thomas Frerichs wrote:
> I'm getting some unusual Apache 1.3.22 log entries in my access_log. I've
> included a semi-sanitized version below. The actual IP differs by a few in
> the last quad.
>
> I know the 408 error code is Request Time Out, but...

We'd seen a lot of them when we drastically reduced the (IMHO default?)
    Timeout                 300
to
    Timeout                 10
due to CodeRed and Nimda attacks, to close hanging connections
resulting from these attacks faster.
This "short" Timeout affected "legitimate" connections of users via
slow uplinks as well. You may check your TimeOut setting in the Apache
config file and raise it to see if the messages go away.

You may also probe the IPs with the 308 errors. Connect to them on port 80
and try a
    HEAD / HTTP/1.0
    \n
If it's a MS IIS the errors could result from filtered CodeRed/Nimda attacks
(as others already mentioned).

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
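
An added example, not part of the original post or thread: one way to sort the 408 entries in an access_log into clients that connected and sent nothing before the Timeout expired and slow clients whose request was cut off. It assumes Common Log Format; the sample lines and addresses are constructed, and the function names and the `min_hits` threshold are hypothetical.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Feb/2002:21:10:01 -0700] "-" 408 -
192.0.2.10 - - [03/Feb/2002:21:10:14 -0700] "-" 408 -
192.0.2.10 - - [03/Feb/2002:21:10:27 -0700] "-" 408 -
198.51.100.7 - - [03/Feb/2002:21:11:02 -0700] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [03/Feb/2002:21:12:40 -0700] "POST /upload.cgi HTTP/1.0" 408 -
203.0.113.5 - - [03/Feb/2002:21:13:00 -0700] "GET /missing.html HTTP/1.0" 404 276
this line is not in Common Log Format
"""

def summarize_408(lines):
    """Per client: total hits, 408s with no request line, 408s with one."""
    stats = defaultdict(lambda: {"total": 0, "idle_408": 0, "slow_408": 0})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        entry = stats[m["host"]]
        entry["total"] += 1
        if m["status"] == "408":
            # "-" means the timeout fired before any request line arrived
            key = "idle_408" if m["request"] == "-" else "slow_408"
            entry[key] += 1
    return dict(stats)

def idle_only_clients(stats, min_hits=3):
    """Clients whose every logged hit is a request-less 408."""
    return sorted(
        host for host, s in stats.items()
        if s["idle_408"] >= min_hits and s["idle_408"] == s["total"]
    )

if __name__ == "__main__":
    stats = summarize_408(SAMPLE_LOG.splitlines())
    for host, s in sorted(stats.items()):
        print(host, s)
    print("idle-only clients:", idle_only_clients(stats))
```

If the `slow_408` counts rise after the Timeout is lowered, legitimate slow clients are being cut off; a client that appears only in `idle_only_clients` never sent a request at all.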

