When analyzing Apache server logs, you might encounter puzzling entries like this:
```
www.example.com:80 10.240.1.8 - - [06/Mar/2013:00:39:19 +0000] "-" 408 0 "-" "-" -
```
These logs show HTTP 408 (Request Timeout) errors with:
- No HTTP method or request URI (shown as "-")
- No User-Agent string
- No Referrer information
- 0 bytes transferred
From my experience troubleshooting web servers, these typically originate from:
1. Network scanners probing server vulnerabilities
2. Health checks from load balancers or monitoring systems
3. Malformed TCP connections that never complete the HTTP handshake
4. Mobile devices losing network connectivity mid-request
5. TCP SYN packets that don't complete the three-way handshake
To identify the source of these requests, try these approaches:
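```bash
# Count recent 408 errors per client and request line.
# Splitting on the double quote keeps the status at a fixed position even when
# the request line is the single token "-" (a whitespace field number such as $9 would miss it).
awk -F'"' '{split($3, s, " "); if (s[1] == 408) {n = split($1, h, " "); print h[n-4], $2}}' /var/log/apache2/access.log | sort | uniq -c | sort -n
# Monitor new connection attempts (SYN without ACK) in real time
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0'
# Check Apache's mod_status output
curl -s 'http://localhost/server-status?auto' | grep -i timeout
```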
Here are some Apache configuration tweaks to handle these cases:
```apache
# In httpd.conf or virtual host configuration
# (Apache does not accept a comment on the same line as a directive)
# Default is 60, reduce for quicker cleanup
Timeout 30
# Close idle connections faster
KeepAliveTimeout 5
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>
# For load balancer health checks, add specific handling
<Location "/healthcheck">
    SetHandler server-status
    Require ip 10.240.1.0/24
</Location>
```
For security-focused environments, consider these measures:
```apache
# Custom LogFormat to exclude 408 errors from main logs (Apache 2.4)
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# SetEnvIf and mod_rewrite run while a request is being processed, so they cannot
# match the response status, and a timed-out connection has no URI to match
# (the "-" is only the log placeholder). Filter on the final status at log time.
CustomLog /var/log/apache2/access.log combined "expr=%{REQUEST_STATUS} != 408"
```
Create a monitoring solution to track these events:
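```bash
#!/bin/bash
# Monitor 408 error rate
# Match the status right after the closing quote of the request line, so the
# count does not depend on how many tokens the request line has
error_count=$(tail -1000 /var/log/apache2/access.log | grep -c '" 408 ')
if [ "$error_count" -gt 10 ]; then
    echo "High 408 error rate detected: $error_count" | mail -s "Apache Alert" admin@example.com
fi
```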
While these empty requests might seem harmless, they can impact server performance:
- Each incomplete connection consumes kernel resources
- Apache child processes may be tied up waiting
- High volumes can lead to connection queue saturation
Consider implementing rate limiting for repeated connections from single IPs:
```apache
# Using mod_evasive
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 60
</IfModule>
```
When examining Apache server logs, you might encounter entries like this:
```
www.example.com:80 10.240.1.8 - - [06/Mar/2013:00:39:19 +0000] "-" 408 0 "-" "-" -
```
These puzzling log entries show HTTP 408 (Request Timeout) errors with no request method, URI, or user agent information. This typically indicates that the client initiated a TCP connection but failed to complete the HTTP request within Apache's timeout period.
Several scenarios can produce these log entries:
- Network scanning tools probing your server
- Misconfigured load balancers or health checks
- Buggy client applications failing mid-request
- Malicious bots testing server vulnerabilities
- Network connectivity issues interrupting requests
To investigate further, you can modify your Apache logging format to capture more details. Add this to your httpd.conf or virtual host configuration:
```apache
# %I and %O require mod_logio to be loaded
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O %D" detailed
CustomLog /var/log/apache2/access_detailed.log detailed
```
This enhanced logging will track:
- Bytes received (%I)
- Bytes sent (%O)
- Time taken in microseconds (%D)
If these errors are causing performance issues, consider these approaches:
```apache
# Increase the timeout if needed (Timeout applies to the whole server or virtual host, not to individual clients)
Timeout 60
# Filter out known scanner IPs (Apache 2.4 syntax, replacing Order/Deny/Allow)
<Location />
    <RequireAll>
        Require all granted
        Require not ip 10.240.1.8
    </RequireAll>
</Location>
# Implement mod_evasive for DDoS protection
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
</IfModule>
```
Create a monitoring script to analyze these errors:
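```bash
#!/bin/bash
# Analyze Apache 408 errors
LOG_FILE="/var/log/apache2/access.log"
# mktemp avoids writing to a predictable file name in /tmp
ERROR_FILE="$(mktemp /tmp/408_analysis.XXXXXX)"
echo "Top IPs causing 408 errors:" > "$ERROR_FILE"
# '" 408 ' anchors on the status field, so a 408-byte response does not match.
# $2 is the client IP in the vhost-prefixed log format shown above.
grep '" 408 ' "$LOG_FILE" | awk '{print $2}' | sort | uniq -c | sort -nr >> "$ERROR_FILE"
echo -e "\nTimestamps distribution:" >> "$ERROR_FILE"
# $5 is the timestamp in that format; cut keeps the date and hour
grep '" 408 ' "$LOG_FILE" | awk '{print $5}' | cut -d: -f1-2 | uniq -c >> "$ERROR_FILE"
# Send email alert if threshold exceeded
ERROR_COUNT=$(grep -c '" 408 ' "$LOG_FILE")
if [ "$ERROR_COUNT" -gt 100 ]; then
    mail -s "High 408 Errors Detected" admin@example.com < "$ERROR_FILE"
fi
rm -f "$ERROR_FILE"
```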
While occasional 408 errors are normal, you should investigate if you see:
- Sudden spikes in 408 errors
- Patterns from specific IP ranges
- Correlation with performance issues
- Errors concentrated during specific time periods
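
To check for the spikes and IP-range patterns listed above, the following added example (not part of the original article) counts only empty-request 408 entries and groups them by client /24 or by minute. The helper names `sample_log` and `summarize_408` are hypothetical and the sample lines are constructed; the parser accepts both the vhost-prefixed layout shown above and the plain combined format.

```shell
#!/bin/sh
# Constructed sample lines in the vhost-prefixed layout used in this article.
sample_log() {
cat <<'EOF'
www.example.com:80 10.240.1.8 - - [06/Mar/2013:00:39:19 +0000] "-" 408 0 "-" "-" -
www.example.com:80 10.240.1.9 - - [06/Mar/2013:00:39:21 +0000] "-" 408 0 "-" "-" -
www.example.com:80 192.0.2.7 - - [06/Mar/2013:00:39:40 +0000] "GET / HTTP/1.1" 200 408 "-" "curl/7.29" -
www.example.com:80 10.240.1.8 - - [06/Mar/2013:00:39:55 +0000] "-" 408 0 "-" "-" -
www.example.com:80 198.51.100.4 - - [06/Mar/2013:00:40:02 +0000] "-" 408 0 "-" "-" -
www.example.com:80 192.0.2.7 - - [06/Mar/2013:00:40:10 +0000] "POST /login HTTP/1.1" 408 0 "-" "curl/7.29" -
EOF
}

# Read an access log on stdin and print "<count> <key>" for 408 entries whose
# request line is empty, highest count first.
#   $1 = "net" (group by client /24) or "minute" (group by dd/Mon/yyyy:hh:mm)
#   $2 = minimum count to report
summarize_408() {
    awk -F'"' -v mode="$1" -v min="$2" '
    {
        split($3, st, " ")                     # text after the request: status, bytes
        if ($2 != "-" || st[1] != 408) next    # keep only empty-request timeouts
        n = split($1, head, " ")               # text before the request line
        ip = head[n - 4]                       # counted from the end: ip l u [date tz]
        ts = head[n - 1]                       # [dd/Mon/yyyy:hh:mm:ss
        if (mode == "net") {
            sub(/\.[0-9]+$/, ".0/24", ip)      # IPv4 only; other addresses stay as-is
            key = ip
        } else {
            key = substr(ts, 2, 17)            # drop "[" and the seconds
        }
        count[key]++
    }
    END { for (k in count) if (count[k] >= min) print count[k], k }' |
    sort -k1,1nr -k2,2
}

# Networks with at least two empty-request timeouts in the sample
sample_log | summarize_408 net 2
```

Against a live log, run `summarize_408 minute 20 < /var/log/apache2/access.log` and tune the threshold to the normal background rate of the site.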