Re: [mod-security-users] anyone saw this dos-ish attack + how to block

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Fri, Jun 24, 2005 at 03:23:59PM -0700, Hugh Beaumont wrote:
> I've been getting a lot of lines like this in my logs:
> 
> - 200.39.103.224 - - [24/Jun/2005:02:45:22 -0400] "-" 408 - "-" "-"
> - 148.244.150.58 - - [24/Jun/2005:02:45:23 -0400] "-" 408 - "-" "-"
> - 148.244.150.58 - - [24/Jun/2005:02:45:31 -0400] "-" 408 - "-" "-"
> - 168.212.79.8 - - [24/Jun/2005:02:45:58 -0400] "-" 408 - "-" "-"
> 
> Anyone know a quick mod_security method to block these. I hate to just
> ask without any
> research on my part but its causing some big problems on this
> particular server so I thought I
> would fire off a quick message in case anyone has saw this before and
> has a solution.

status code 408 is a request timeout.  The log entries above don't look
like a DOS attack, but rather the symptom of another problem with your
web server.  Perhaps the the server is overloaded?  You have some poorly
written script that makes the server work too hard ?  Just guesses, but
that's where I'd start looking.

-troy