Apache reply with 408 timeout instead of 403

by herkil   Last Updated July 12, 2019 13:00 PM - source

Reading the access log of apache of one of our server I've found that some ips connecting to it receive a "408 Timeout" response instead of "403 Unauthorized".

This is one line of the access log:

[Remote IP] - - [12/Jul/2019:12:00:00 +0000] "-" 408 3272 "-" "-"

It seems that the request has some sort of body (3kB) but there is no method GET/POST specified. I already tried to connect to the server via telnet to port 443 to simulate the connection, but that sort of connection is not being logged, so I do not know what type of connection is nor the meaning of "-" in the header field.

Some details about the server:

  1. The apache server has multiple virtualhost, this is the default virtualhost which reply even to direct ip connection
  2. This virtualhost is reachable only via https
  3. Apache configuration block with 403 all connections without our certificate or when the remote IP is not within our local net (so this external IP should receive 403)
  4. Based on the very same access log, the rule works because apache blocks (and logs) some bots and some strangers with 403 response
  5. There are more connection of this type with different body size (most of them are 152, while another one is 3269)

I am pretty sure the client has not the right ssl certificate nor is inside our network.

I don't know if it is something malicious or just a strange port-scan happening, so what it could be?

Related Questions

Apache LocationMatch not matching

Updated October 02, 2017 15:00 PM