What is a 408 Request Timeout Error
This error means the server timed out waiting for the client after the client initiated a request. From the W3 HTTP specs: "The client did not produce a request within the time that the server was prepared to wait. The client may repeat the request without modifications at any later time." Also see RFC 2616.
Are 408 Request Timeout Errors a Problem?
Not necessarily; 408 errors are not always indicative of a larger issue. In many cases they are just connections held open to Apache for longer than the timeout settings in the web server's configuration files allow.
If Apache never enforced timeout settings to close connections on which the client has not communicated for a certain amount of time, a single bad actor could flood the server with connections and prevent anyone else from connecting.
In some cases these 408 errors come from systems looking for exploits. In recent years link previews and link prefetching have become popular and can also cause 408 errors. The services that implement link previews (think Slack, social media sites, etc.) do not respect the standards and may leave server connections hanging after receiving the data they need (frequently the og-image, title, and description for the link preview). Link prefetching may make only the initial connection before the user actually clicks the link, so a connection is opened on the server side and left to die there if the user never clicks the prefetched link.
Required reading about such problems with Google Chrome's prefetch implementation:
- How Chrome's pre-connect breaks HaProxy (and HTTP)
- HAProxy and HTTP Errors 408 in Chrome - HAProxy Technologies
- 377581 - Chromium does not handle 408 responses - chromium
Related Apache Configuration Settings:
KeepAliveTimeout
Timeout
Related Apache Modules:
mod_reqtimeout - Apache HTTP Server Version 2.4
Related Attacks:
Slowloris - if client connections are not timed out after a reasonable interval, an attacker can attempt to max out connection slots to the web server. Search (e.g. DuckDuckGo) for more info, ways to mitigate, and how to scan log files to identify possible attackers by IP address.
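One way to do the log scan mentioned above, as an added example that is not part of the original page: it counts 408 responses per client IP in Apache common/combined access-log lines and separates those logged with no request line at all. The log lines are constructed, the function name summarize_408 is hypothetical, and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter

# Prefix of Apache's common/combined log format:
# client ident user [time] "request line" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "-" 408 - "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "-" 408 - "-" "-"
192.0.2.10 - - [10/Oct/2023:13:55:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "-" 408 - "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:10 +0000] "-" 408 - "-" "-"
192.0.2.10 - - [10/Oct/2023:13:57:44 +0000] "POST /upload HTTP/1.1" 408 221 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "-" 408 - "-" "-"
this line is not an access-log entry
"""


def summarize_408(lines, threshold=3):
    """Return (ip, total_408, empty_request_408, flagged) per client, busiest first.

    empty_request_408 counts 408s logged with "-" as the request line, i.e.
    the connection was opened but no request arrived before the timeout.
    threshold is an arbitrary assumption; tune it to your own traffic.
    """
    totals, empty = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m.group("status") != "408":
            continue  # skip unparseable lines and non-408 responses
        totals[m.group("ip")] += 1
        if m.group("request") == "-":
            empty[m.group("ip")] += 1
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n, empty[ip], n >= threshold) for ip, n in ranked]


if __name__ == "__main__":
    for ip, total, no_request, flagged in summarize_408(SAMPLE_LOG.splitlines()):
        note = "REVIEW" if flagged else "ok"
        print(f"{ip:15} 408s={total} without_request={no_request} {note}")
```

A high count from one address is a lead for further review rather than proof of an attack, since link previews and prefetching produce the same log signature.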
Sources and Related Resources
- 'http-status-code-408' tag wiki - Stack Overflow
- mod_reqtimeout - Apache HTTP Server Version 2.4
- access_log - what is 408??? | cPanel Forums
- Reverse Proxy Intermittant 408 Time Out Errors - Forum - Hiawatha webserver
- apache2 - A lot of 408 errors in apache logs - how to prevent them? - Webmasters Stack Exchange
- apache 2.2 - Getting 408 errors on our logs with no request or user agent - Server Fault
- apache2 - Understanding “408 Request Timeout” on Apache with PHP - Stack Overflow