2

I'm getting hundreds of entries in my access log with invalid requests like this ...

217.23.114.224|-|15/Dec/2010:08:17:19 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:19 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-

My log file format is 

'$remote_addr|$cookie__ourcookie|$time_local|$request|$content_length|$content_type|$status|$body_bytes_sent|$upstream_addr|$upstream_response_time';


The IP address varies and some of them are valid user IP addresses (not sure about the others). They often appear in the middle of a valid set of requests and then stop.

Anyone got an idea why I'd be getting floods of seemingly invalid requests coming in?

I don't think this can be explained just by saying that it's a hack attempt (though some of it could be) - is there any additional debug setting for NGINX?

Thanks

Chris

Chris McCauley
  • 562

2 Answers2

1

This is part of running a server that's open to anonymous requests from the Internet. It looks like some client is attempting a connection, then immediately dropping it. I expect that it's a drone attempting to see what web server you're running... and to exploit you, if possible. Good thing you're running nginx ;)

incredimike
  • 330
-1

Your problem may be that your Nginx large_client_header_buffers need to be increased per this dicussion.

Alternatively, your problem may be simply web browsers opening an HTTP connection and then closing it without using it, or is using Keep-Alive and reaches the timeout. In this case it's not a problem that the users are ever seeing, but just Nginx reporting an error.

Community
  • 1
Phrogz
  • 564