### On Wed, 19 Sep 2001 00:20:19 +0200, "Karsten W. Rohrbach" ### <karsten@rohrbach.de> casually decided to expound upon ### mike@biggorilla.com the following thoughts about "Re: Pattern matching ### odd HTTP request": KWR> mike@biggorilla.com(mike@biggorilla.com)@2001.09.18 17:03:44 +0000: KWR> [...] KWR> > Doesn't seem new... KWR> >=20 KWR> > 195.188.192.18 - - [13/Sep/1999:02:23:43 -0500] "-" 408 - "-" "-" KWR> > 195.188.192.18 - - [14/Sep/1999:02:18:54 -0500] "-" 408 - "-" "-" KWR> >=20 KWR> > But just a little more increased. KWR> KWR> --- rfc2616 - http 1.1: KWR> 10.4.9 408 Request Timeout KWR> KWR> The client did not produce a request within the time that the server KWR> was prepared to wait. The client MAY repeat the request without KWR> modifications at any later time. KWR> --- KWR> KWR> take care, Yes... but when you're seeing this: ... 208.178.31.134 - - [18/Sep/2001:15:22:21 -0700] "-" 408 - 208.178.176.105 - - [18/Sep/2001:15:22:23 -0700] "-" 408 - 208.178.47.36 - - [18/Sep/2001:15:23:19 -0700] "-" 408 - 208.178.144.36 - - [18/Sep/2001:15:23:30 -0700] "-" 408 - 208.178.120.13 - - [18/Sep/2001:15:23:37 -0700] "-" 408 - 208.178.31.138 - - [18/Sep/2001:15:23:42 -0700] "-" 408 - 208.35.212.156 - - [18/Sep/2001:15:23:49 -0700] "-" 408 - 208.178.176.105 - - [18/Sep/2001:15:23:49 -0700] "-" 408 - 208.178.176.105 - - [18/Sep/2001:15:23:49 -0700] "-" 408 - 208.178.31.134 - - [18/Sep/2001:15:23:51 -0700] "-" 408 - 208.178.176.105 - - [18/Sep/2001:15:23:52 -0700] "-" 408 - 208.178.47.36 - - [18/Sep/2001:15:24:49 -0700] "-" 408 - 208.178.144.36 - - [18/Sep/2001:15:25:00 -0700] "-" 408 - 208.178.120.13 - - [18/Sep/2001:15:25:07 -0700] "-" 408 - 208.178.31.138 - - [18/Sep/2001:15:25:12 -0700] "-" 408 - 208.178.176.105 - - [18/Sep/2001:15:25:18 -0700] "-" 408 - 208.178.176.105 - - [18/Sep/2001:15:25:19 -0700] "-" 408 - 208.35.212.156 - - [18/Sep/2001:15:25:20 -0700] "-" 408 - 208.178.31.134 - - [18/Sep/2001:15:25:22 -0700] "-" 408 - 208.178.176.105 - - [18/Sep/2001:15:25:23 -0700] "-" 408 - 208.178.47.36 - - [18/Sep/2001:15:26:19 -0700] "-" 408 - 208.178.120.13 - - [18/Sep/2001:15:26:37 -0700] "-" 408 - ... You start to suspect a DDOS port-flood attack. It's certainly causing me to spawn a lot of httpds and occupying a lot of ports. -- /*====================[ Jake Khuon <khuon@GBLX.Net> ]======================+ | Chief Global Data Network Management Architect /~_ |_ () |3 /-\ |_ | | VOX: +1 (425) 391-2262 Fax: +1 (425) 391-6772 \_| C R O S S I N G | +=============[ 900 4th. Ave., Floor 12, Seattle, WA 98164 ]=============*/