Got an Apache log entry that looks like this; actually, I have a bunch of them spread out over time.
XXX.XXX.XXX.XXX - - [27/Apr/2012:14:39:52 -0500] "-" 408 - "-" "-"
It wasn't a GET or POST, the method was "-".
Anyone else seen requests like this? It wasn't from the penetration tester, but I have it from LOTS of other IPs from Apr of 2012 up until and including today.
We failed it with a 408, just wondering what someone might be trying and googling for minus sign does NOT work.
408 is Request Timeout. This means that the client connected but didn't actually send any data for a while, and the server gave up and dropped the connection with this error. This is also why nothing else was logged; no data was actually sent from the client.
Apache's default timeout in this case is 300 seconds (5 minutes); it is configurable, but this generally shouldn't need to be changed.
It means that Apache doesn't know what the request method is. In this case it was caused by a timeout (i.e. the client never sent a request). It's also common with 400 Bad Request responses where the client sends an invalid request (such as trying to speak TLS to a non-TLS port and vice versa), or closes the TCP connection as soon as it is established without sending anything (such as monitoring services performing a TCP connection check).
Could be caused by slowloris or similar attacks. The idea is to open as many connections as possible for as long as possible.
Timeout is by default 300 seconds in Apache. If you use a preforking server it's easy to reach MaxClients and make the website inaccessible. If the Apache is misconfigured, lots of forked processes can cause excessive swapping and kill the machine or slow it down to a crawl. mpm_event or a well-configured mpm_worker should be harder targets for slowloris. Other mitigations are reducing Timeout to a lower value. I guess it depends on your clients. You probably don't want to kill dial-up users with too low a timeout. 5 minutes on the other hand is probably too much.
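A log triage sketch for the pattern discussed in the answers above, added here as an example and not code from any of the posters: it counts "-" 408 entries per client and flags hosts that produce many of them inside a short window, which separates a client holding many connections open from the occasional idle connection or TCP health check. The threshold, the window, and the sample log lines (documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def empty_request_timeouts(lines):
    """Yield (host, timestamp) for entries where no request line arrived and Apache logged 408."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["request"] == "-" and m["status"] == "408":
            yield m["host"], datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")

def flag_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {host: peak} for hosts with at least `threshold` empty 408s inside one window.

    threshold and window are assumed starting values; tune them to your traffic.
    """
    by_host = defaultdict(list)
    for host, ts in empty_request_timeouts(lines):
        by_host[host].append(ts)
    flagged = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the left edge forward until the span fits inside the window.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged

# Constructed sample log: one host with six empty 408s in 25 seconds, one host
# with two isolated ones, a normal request, and a 408 that did carry a request line.
SAMPLE_LOG = [
    f'192.0.2.10 - - [27/Apr/2012:14:39:{s:02d} -0500] "-" 408 - "-" "-"'
    for s in range(10, 40, 5)
] + [
    '198.51.100.7 - - [27/Apr/2012:09:00:01 -0500] "-" 408 - "-" "-"',
    '198.51.100.7 - - [27/Apr/2012:16:20:44 -0500] "-" 408 - "-" "-"',
    '198.51.100.7 - - [27/Apr/2012:16:20:45 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Apr/2012:12:00:00 -0500] "POST /upload HTTP/1.1" 408 - "-" "curl/7.0"',
]

if __name__ == "__main__":
    print(flag_bursts(SAMPLE_LOG))
```

Hosts that show up only once or twice a day with this entry fit the idle-connection explanation; a host that is flagged here is the one to compare against MaxClients saturation at the same timestamps.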