New type of DOS?

One of my servers receives a barrage of attacks from a single IP about once per day. (See excerpt from logs below). It seems that they are using http to hit the server and the server sends a "408" error code.


vi /usr/local/apache/logs/access_log
-----------------
61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
61.129.81.37 - - [24/Oct/2002:16:58:32 -0400] "-" 408 -
-----------------

This causes hundreds of HTTP processes to be spawned, and the server bogs down and the load average goes up.

I know how to block this once I find it by doing a "null route". However, I don't even know what the hell this is. How is this ******* causing a "408" error? What is a 408 error?

I've noticed a steady increase in this type of attack. If anyone has any info, please let me know. If I have more info, maybe I can defeat this loser.
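As an added example that is not part of the original post: a small script that parses Apache common-log lines like the ones above and flags any client IP that produces a burst of 408 (Request Timeout) responses inside a short sliding window, which is the pattern shown in the excerpt. The threshold and window values are hypothetical and the normal 200 line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format. For a connection that sent no request before
# Apache's Timeout expired, the request field is "-" and the status is 408.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return (ip, timestamp, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def find_408_bursts(lines, threshold=5, window_seconds=5):
    """Return {ip: peak_count} for IPs whose 408s in any sliding window
    of window_seconds reach threshold (both values are hypothetical)."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == 408:
            per_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: six of the poster's 408 lines plus one normal request.
SAMPLE = [
    '61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:32 -0400] "-" 408 -',
    '203.0.113.5 - - [24/Oct/2002:16:58:30 -0400] "GET / HTTP/1.0" 200 1234',
]

if __name__ == "__main__":
    print(find_408_bursts(SAMPLE))  # {'61.129.81.37': 6}
```

Feeding the real access_log to `find_408_bursts` gives you the offending IP and peak rate before deciding on a null route, rather than waiting for the load average to climb.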
