Pleroma instance generating a lot of 408 errors on Web server
My Web server log is filling up with lines that look like this:
shiningpathbook.com:443 78.47.96.117 - - [11/Apr/2020:20:32:41 -0400] "GET / HTTP/1.1" 200 23284 "-" "Pleroma 2.0.50-367-gaae22ab6-develop; https://devs.live <admin@devs.live>" 576 27217 DE
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:33:00 -0400] "-" 408 - "-" "-" 396 3592 -
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:33:21 -0400] "-" 408 - "-" "-" 396 3592 -
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:33:41 -0400] "-" 408 - "-" "-" 396 3592 -
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:34:01 -0400] "-" 408 - "-" "-" 396 3592 -
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:34:22 -0400] "-" 408 - "-" "-" 396 3592 -
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:34:42 -0400] "-" 408 - "-" "-" 396 3592 -
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:35:02 -0400] "-" 408 - "-" "-" 396 3592 -
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:35:23 -0400] "-" 408 - "-" "-" 396 3592 -
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:35:43 -0400] "-" 408 - "-" "-" 396 3592 -
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:36:03 -0400] "-" 408 - "-" "-" 396 3592 -
files.northcoastsynthesis.com:443 78.47.96.117 - - [11/Apr/2020:20:36:24 -0400] "-" 408 - "-" "-" 396 3592 -
After the initial hit, it's a 408 error (client request timeout) every 20 seconds (or slightly more than 20 seconds) continuing apparently without limit. It's still in progress as of this writing, 14 hours later. The link https://shiningpathbook.com/ was posted on the federated network about a month ago and it looks like something in the Pleroma instance at devs.live tried to hit that link (maybe to get a share-image or summary) and then it has run out of control re-hitting my server without sending a well-formed request, every 20 seconds.
I saw a similar issue maybe a week or so ago. I no longer have the logs from that one and I'm not sure if it was the same instance, but the initial hit that time definitely mentioned some Pleroma instance. That time, I slapped a firewall rule on it to drop packets from the IP address in question, and once the rule had dropped three packets, the connection attempts ceased.
All this looks like a bug in Pleroma or in some Pleroma-associated piece of software, and although it's not really causing any serious problems for me, I'm reporting it in the hope you find the information useful.