Web server: Nginx.
Checking our log files, there are many log entries of connections that:
- take 59-61 seconds
- send an empty request (or at least none is logged)
- result in a 408 response (request timed out)
- do not contain any http_user_agent
- originate from a limited number of IPs
We are monitoring average times to serve responses, and this obviously inflates our statistics. Apart from that, though, is this a problem? Any idea why it is occurring? Does it suggest that somebody is intentionally messing with us? What should we do?
It could be a slowloris attack:
See: https://en.wikipedia.org/wiki/Slowloris_(computer_security) and http://ha.ckers.org/slowloris/
I cause these sometimes when using my phone on the train. I go through a low-signal area or a tunnel at just the right time (in between the TCP handshake and the request being sent) and that's what happens.
Phone carriers often put all their customers behind NAT, so lots of users can come from a small number of IP addresses.
Do some more analysis:
Depending on the answers to those questions, it might be benign or it might be deliberately malicious. Either way, lowering the timeout might be a good idea. Even on a phone, no one waits for 60 seconds before making the request again.
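The following script is an added worked example, not code from the question or either answer. It runs the analysis both posts describe over a handful of constructed nginx log lines: it picks out entries matching the signature in the question (408, about 60 s, empty request line, no user agent), counts them per source IP, shows how much they inflate the average response time, and applies the heuristic from the second answer, namely whether the same IP comes back with a real request shortly afterwards (a phone leaving a tunnel) or never does (more consistent with a deliberate slow-client tool). The log format is an assumption: the standard `combined` format with `$request_time` appended as the last field; the sample lines and IP addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Assumed nginx log_format (the page does not show the real one): the standard
# "combined" format with $request_time appended as the last field, i.e.
#   '$remote_addr - $remote_user [$time_local] "$request" $status '
#   '$body_bytes_sent "$http_referer" "$http_user_agent" $request_time'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)

# Constructed sample lines (not real traffic). 198.51.100.x only ever times out;
# 203.0.113.9 times out once and then retries within seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.012
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /img/a.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0.004
198.51.100.23 - - [10/Mar/2024:12:01:10 +0000] "" 408 0 "-" "-" 60.001
198.51.100.23 - - [10/Mar/2024:12:02:15 +0000] "" 408 0 "-" "-" 59.998
198.51.100.24 - - [10/Mar/2024:12:03:20 +0000] "" 408 0 "-" "-" 60.000
203.0.113.9 - - [10/Mar/2024:12:04:25 +0000] "" 408 0 "-" "-" 60.002
203.0.113.9 - - [10/Mar/2024:12:04:31 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Linux; Android 13)" 0.210
198.51.100.23 - - [10/Mar/2024:12:05:30 +0000] "" 408 0 "-" "-" 60.003
203.0.113.9 - - [10/Mar/2024:12:05:31 +0000] "GET /slow HTTP/1.1" 200 100 "-" "Mozilla/5.0 (Linux; Android 13)" 2.500
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["rt"] = float(d["rt"])
    # $time_local is written when the request finishes, so for a 60 s timeout
    # the connection was actually opened about a minute earlier.
    d["ts"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def is_timeout_entry(entry, lo=59.0, hi=61.0):
    """The signature from the question: 408, ~60 s, empty request line, no user agent.
    nginx logs an absent value as "-" and an empty one as "", so accept both."""
    return (entry["status"] == 408
            and lo <= entry["rt"] <= hi
            and entry["request"] in ("", "-")
            and entry["ua"] in ("", "-"))


def retried_soon(entries, window_s=120):
    """Count timeout entries that the same IP followed with a real (non-timeout)
    request within window_s seconds: the 'phone comes out of the tunnel' pattern."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    count = 0
    for e in entries:
        if not is_timeout_entry(e):
            continue
        later = [o for o in by_ip[e["ip"]]
                 if not is_timeout_entry(o) and o["ts"] > e["ts"]]
        if any((o["ts"] - e["ts"]).total_seconds() <= window_s for o in later):
            count += 1
    return count


def analyse(log_text):
    """Summarise the timeout entries in log_text and how they skew the average."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    timeouts = [e for e in entries if is_timeout_entry(e)]
    real = [e for e in entries if not is_timeout_entry(e)]
    per_ip = Counter(e["ip"] for e in timeouts)
    real_ips = {e["ip"] for e in real}
    return {
        "total": len(entries),
        "timeouts": len(timeouts),
        "per_ip": per_ip,
        # the OP's monitoring concern: the average with and without these entries
        "avg_rt_all": mean([e["rt"] for e in entries]) if entries else 0.0,
        "avg_rt_excluding": mean([e["rt"] for e in real]) if real else 0.0,
        # IPs that never send anything but timeouts are the suspicious ones
        "ips_with_only_timeouts": sorted(ip for ip in per_ip if ip not in real_ips),
        "retried_soon": retried_soon(entries),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(f"{report['timeouts']} of {report['total']} entries are ~60 s 408s")
    print(f"avg request_time: {report['avg_rt_all']:.3f}s with them, "
          f"{report['avg_rt_excluding']:.3f}s without")
    print("timeouts per IP:", dict(report["per_ip"]))
    print("IPs with only timeouts:", report["ips_with_only_timeouts"])
    print("timeouts followed by a real request within 2 min:", report["retried_soon"])
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents (adjust `LINE_RE` if the server uses a different `log_format`). Entries cluster at 60 s because that is the default of nginx's `client_header_timeout` and `client_body_timeout`, which both answer with a 408 when the client does not finish sending the headers or body in time; lowering them (for example `client_header_timeout 10s;` in the `http` or `server` block) is the timeout change the answer above recommends, and it bounds how long any one slow client, deliberate or not, can hold a connection open.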