What are 408 Request Timeout Errors

What is a 408 Request Timeout Error

This error means the server timed out waiting for the client after the client has initiated a request. From the W3 HTTP specs: "The client did not produce a request within the time that the server was prepared to wait. The client may repeat the request without modifications at any later time." Also see RFC2616.

Are 408 Request Timeout Errors a Problem?

Not necessarily, and 408 errors may not be indicative of a larger issue. In many cases 408 errors are just connections that hold Apache open for longer than allowed based on the timeout settings in the web server's configuration files.

If Apache never enforced any timeout settings to close connections where the client has not communicated in a certain amount of time, then a single bad actor could flood the server with connections and not allow anyone else to connect.

In some cases these 408 errors come from systems looking for exploits. In recent years link previews and link prefetching have become popular and can also cause 408 errors as the services that implement such link previews (think Slack, social media sites, etc.) do not respect the standards and may leave server connections hanging after receiving the data they need (frequently the og-image, title, and description for the link preview). And link prefetching may just make the initial connection request prior to the user actually clicking the link, so a connection will be initiated on the server side which is left to die on the server side if the user never actually clicks the pre-fetched link.

Required reading about such problems with Google Chrome's prefetch implementation:

• How Chrome's pre-connect breaks HaProxy (and HTTP)
• HAProxy and HTTP Errors 408 in Chrome - HAProxy Technologies
• 377581 - Chromium does not handle 408 responses - chromium

Related Apache Configuration Settings:

KeepAliveTimeout Timeout

Related Apache Modules:

mod_reqtimeout - Apache HTTP Server Version 2.4

Related Attacks:

Slow Loris - if client connections are not timed out after a reasonable interval, an attacker can attempt to max out connection slots to the web server. Duck Duck Go for more info and ways to mitigate, and how to scan log files to identify possible attackers by IP address.

Sources and Related Resources

• 'http-status-code-408' tag wiki - Stack Overflow
  • RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1
  • apache 2.2 - Getting 408 errors on our logs with no request or user agent - Server Fault
    • Timeout and Keep Alive in Apache
    • Apache Performance Tuning for Linux - OLinux
    • Apache Performance Tuning - Apache HTTP Server Version 2.4
  • apache2 - Understanding “408 Request Timeout” on Apache with PHP - Stack Overflow
    • apache 2.2 - too many 408 error codes in access log - Server Fault

and

• mod_reqtimeout - Apache HTTP Server Version 2.4
• access_log - what is 408??? | cPanel Forums
• Reverse Proxy Intermittant 408 Time Out Errors - Forum - Hiawatha webserver
  • 377581 - Chromium does not handle 408 responses - chromium
• apache2 - A lot of 408 errors in apache logs - how to prevent them? - Webmasters Stack Exchange
  • apache 2.2 - too many 408 error codes in access log - Server Fault
    • apache 2.2 - How can I detect Slowloris? - Server Fault
  • Quite a few 408 errors in Apache log - DoS ? | Linode Questions
• apache 2.2 - Getting 408 errors on our logs with no request or user agent - Server Fault
• apache2 - Understanding “408 Request Timeout” on Apache with PHP - Stack Overflow
  • How Chrome's pre-connect breaks HaProxy (and HTTP)
    • HAProxy and HTTP Errors 408 in Chrome - HAProxy Technologies