Posted 2021-02-05 with tags HTTP, web servers, Apache, HTTP 408

What is a 408 Request Timeout Error

This error means the server timed out waiting for the client after the client initiated a request. From the W3 HTTP specs: "The client did not produce a request within the time that the server was prepared to wait. The client may repeat the request without modifications at any later time." Also see RFC 2616.

Are 408 Request Timeout Errors a Problem?

Not necessarily; 408 errors are not by themselves indicative of a larger issue. In many cases they are just connections held open to Apache for longer than the timeout settings in the web server's configuration files allow.

If Apache never enforced any timeout to close connections on which the client has not communicated for a certain amount of time, a single bad actor could flood the server with connections and keep anyone else from connecting.

In some cases these 408 errors come from systems looking for exploits. In recent years link previews and link prefetching have become popular, and both can also cause 408 errors. The services that implement link previews (think Slack, social media sites, etc.) do not respect the standards and may leave server connections hanging after receiving the data they need (frequently the og-image, title, and description for the link preview). Link prefetching may make only the initial connection before the user actually clicks the link, so the server opens a connection that is left to die on the server side if the user never clicks the prefetched link.

Required reading about such problems with Google Chrome's prefetch implementation:

Related Apache Configuration Settings:

KeepAliveTimeout
Timeout

Related Apache Modules:

mod_reqtimeout - Apache HTTP Server Version 2.4

Related Attacks:

Slowloris - if client connections are not timed out after a reasonable interval, an attacker can attempt to max out the connection slots on the web server. Search Duck Duck Go for more info, ways to mitigate, and how to scan log files to identify possible attackers by IP address.
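One way to do the log scan mentioned above, as an added example that is not part of the original post: it counts 408 responses per client IP in an Apache access log and lists the clients whose traffic is mostly timeouts. It assumes the default common/combined log format; the sample lines are constructed, and the function names and thresholds are illustrative choices to tune against your own traffic.

```python
import re
from collections import Counter

# Common/combined log format: ip ident user [time] "request" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2021:10:00:01 +0000] "-" 408 -
203.0.113.7 - - [05/Feb/2021:10:00:01 +0000] "-" 408 -
203.0.113.7 - - [05/Feb/2021:10:00:02 +0000] "-" 408 -
203.0.113.7 - - [05/Feb/2021:10:00:02 +0000] "-" 408 -
198.51.100.23 - - [05/Feb/2021:10:00:03 +0000] "GET /post HTTP/1.1" 200 8211
198.51.100.23 - - [05/Feb/2021:10:00:24 +0000] "-" 408 -
192.0.2.10 - - [05/Feb/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.10 - - [05/Feb/2021:10:00:06 +0000] "GET /style.css HTTP/1.1" 200 900
this line is not an access log entry
"""

def count_408_by_ip(lines):
    """Return (408 responses per client IP, all requests per client IP)."""
    timeouts, totals = Counter(), Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed or non-access-log lines
        totals[m["ip"]] += 1
        if m["status"] == "408":
            timeouts[m["ip"]] += 1
    return timeouts, totals

def flag_clients(lines, min_408=3, min_ratio=0.8):
    """List (ip, n_408, total) for clients whose requests mostly end in 408."""
    timeouts, totals = count_408_by_ip(lines)
    flagged = [
        (ip, n, totals[ip])
        for ip, n in timeouts.items()
        # Require both volume and ratio so one stray timeout is not flagged.
        if n >= min_408 and n / totals[ip] >= min_ratio
    ]
    return sorted(flagged, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for ip, n, total in flag_clients(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} of {total} requests ended in 408")
```

A flagged address is a candidate for review rather than proof of an attack, since link previews and prefetching also produce 408 entries.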
