### On Wed, 19 Sep 2001 00:20:19 +0200, "Karsten W. Rohrbach"
### <karsten@rohrbach.de> casually decided to expound upon
### mike@biggorilla.com the following thoughts about "Re: Pattern matching
### odd HTTP request":
mike@biggorilla.com(mike@biggorilla.com)@2001.09.18 17:03:44 +0000:
[...]
> Doesn't seem new...
>
> 195.188.192.18 - - [13/Sep/1999:02:23:43 -0500] "-" 408 - "-" "-"
> 195.188.192.18 - - [14/Sep/1999:02:18:54 -0500] "-" 408 - "-" "-"
>
> But just a little more increased.

--- rfc2616 - http 1.1:
10.4.9 408 Request Timeout

The client did not produce a request within the time that the server
was prepared to wait. The client MAY repeat the request without
modifications at any later time.
---

take care,

Yes... but when you're seeing this:
...
208.178.31.134 - - [18/Sep/2001:15:22:21 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:22:23 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:23:19 -0700] "-" 408 -
208.178.144.36 - - [18/Sep/2001:15:23:30 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:23:37 -0700] "-" 408 -
208.178.31.138 - - [18/Sep/2001:15:23:42 -0700] "-" 408 -
208.35.212.156 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.31.134 - - [18/Sep/2001:15:23:51 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:52 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:24:49 -0700] "-" 408 -
208.178.144.36 - - [18/Sep/2001:15:25:00 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:25:07 -0700] "-" 408 -
208.178.31.138 - - [18/Sep/2001:15:25:12 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:18 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:19 -0700] "-" 408 -
208.35.212.156 - - [18/Sep/2001:15:25:20 -0700] "-" 408 -
208.178.31.134 - - [18/Sep/2001:15:25:22 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:23 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:26:19 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:26:37 -0700] "-" 408 -
...
You start to suspect a DDOS port-flood attack. It's certainly causing me to
spawn a lot of httpds and occupying a lot of ports.
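
The pattern discussed in this thread (entries with an empty request `"-"` and status 408 arriving in bursts from several addresses) can be counted per time window. The following is an added example, not part of the original messages; the function names, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format prefix; trailing referer/user-agent fields are optional.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE = """\
192.0.2.10 - - [18/Sep/2001:15:23:01 -0700] "-" 408 -
192.0.2.11 - - [18/Sep/2001:15:23:05 -0700] "-" 408 -
198.51.100.7 - - [18/Sep/2001:15:23:09 -0700] "-" 408 -
192.0.2.10 - - [18/Sep/2001:15:23:30 -0700] "-" 408 -
192.0.2.10 - - [18/Sep/2001:15:23:41 -0700] "-" 408 - "-" "-"
203.0.113.5 - - [18/Sep/2001:15:23:50 -0700] "GET / HTTP/1.0" 200 1043
192.0.2.11 - - [18/Sep/2001:15:24:10 -0700] "-" 408 -
""".splitlines()


def parse_timeouts(lines):
    """Yield (timestamp, ip) for entries with an empty request and status 408."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["req"] == "-" and m["status"] == "408":
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]


def timeout_bursts(lines, window_s=60, min_hits=5, min_sources=3):
    """Return fixed windows holding many request-less 408s from several sources."""
    buckets = defaultdict(Counter)  # window start (epoch seconds) -> hits per ip
    for ts, ip in parse_timeouts(lines):
        buckets[int(ts.timestamp()) // window_s * window_s][ip] += 1
    report = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        hits = sum(per_ip.values())
        # Assumed thresholds: tune against the server's normal idle-timeout rate.
        if hits >= min_hits and len(per_ip) >= min_sources:
            report.append({"window_start": start, "hits": hits,
                           "sources": len(per_ip), "top": per_ip.most_common(1)[0]})
    return report


if __name__ == "__main__":
    for row in timeout_bursts(SAMPLE):
        print(row)
```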