I'm developing a website on a test server, and while debugging some stuff I had to look in the access log. This is a small chunk of what I saw:
37.99.49.203 - - [13/May/2019:17:51:34 +0200] "H\x1E\xF3qxZ\xA8[\x13\x87\x94\xB8Yc\x85\xC9\xA0?\x8B\x95\xCE\x9E\x97vR\x151\xFF2\x8ABaM2p\x81PJ\x12r~A\xB8\xFA\x90lq\x8F\x03q\x09M\x8A\xD1\xE0R\xE2m\xF5\xC2\xD8\xE5\xDA\x14\xE0\xA5\xE2:\xD5@K8\xBD/\xF6\x92" 400 150 "-" "-" "-"
[...]
37.99.49.203 - - [13/May/2019:19:11:42 +0200] "W>\xFFM,C\xD2\x828i\xF1\xEF\xEC\x801j\xAD\xDC\x85\xED\xEA\x1B1M\xDF\xA1\xA8\x92\xAC\xD1\x02#\xA9]\x87Gv\x1BV\xE7Q\xCA\xBE\x1CJ\xCD\x11\x1A\x19\xB7\x0B\x16\xEEk5\xD9\x12\xA5\x16\x84\x18m\xD4~i\xD6_JBEs\xA1@\x04\xF2;\xB8\xCDR!\x5C\x09\xB2\xB8\xD3\xB8\x9D\x9D69\xB8\x12\x0C\x14k\x14\xA4\xD4\xDC\xA9\x87\xDB\xAC\x1F>$%l\xF6\xF6t\xE8T\xE8\x87h\xC9\x97* Kh\xD3\x97DV\xB5|\x19\x8Bd\xE2\x8F\xF0\xAB\x09\xB4\x9E\xDDL\x84\xDDT=\xAF\x9C}\x8F\xF2O\xFA0K3F\xF6\xCA1\xF2\x89w\xE5\x9E\x95fV\x06\xF9^\x7F\x9B\x15)b\x80C \xE1\x09\xBB\xAE\xF7[\x8A\xE5\x22\xE3\xA2\x83\xBF\xE0*>[\x81H\xA1\x140{\x18f\xCEV\xB1<\x17\xBE\x12\xD7uh\xB5V\xF1\xCD5\xC0\xF5V%\xB7" 400 150 "-" "-" "-"
37.99.49.203 - - [13/May/2019:19:11:42 +0200] "ap\x1F\xA1h\x84\xE19B)\xA0\x0C\xB8\xAE\xA5o_ip\x98\xCF\xC0\xF8J\xA7\x94\xD86%\xA1\x22\xF9g{\xB9\x85\xFC\x0F\x85RV\xEF\xF9\x82A\xFCv \x81>|\xC8\x13\x22\xF2R%\xE9\xDD2Q\x95n\xCDQ\xDD\x1E\x04\xF1\x1Do\x09\xF4a.\xBB\xD4\xEA@-\xB6\xDB\xAB\xDC+;]T\xE1\xF7f\x8B\xA1\xDD\xAB\xDB&\x94ii]\x04\xF2\xCB\xC8\xAA:\xED\xE2\xB7A:9{\xDASG^*\x08\xD2\x03\x1A\xA8" 400 150 "-" "-" "-"
37.99.49.203 - - [13/May/2019:19:11:42 +0200] "!\xBC\xA0F\xC1\xDA\xF0\xF5mfM\xBA\xCF\x16" 400 150 "-" "-" "-"
37.99.49.203 - - [13/May/2019:19:11:46 +0200] "G\xFA\xE9\x153\x04\xF7Q0\xC0\x91\x83\xBC\xCC\xACgV_\xE2\x84\xE5nAe\x02ZGH\x1A\x8Bn\xF5j\x14\x81nM\xFA\x9C\xE6\xF1\xD7\x1D\x8C\xB9\xDE\xDE\x8FT\x81\x07\xE6\xFC\xD2\x12F\x1DXJu\xEA\xE3\x1D\x9A\xCE\x0FmL\x81\x93IN\xD3\xD8!\x16\xB532\xC6\x91%4\x00\x83\x1F<\x0C\x92\xC2\x22%\x00\xFF[\xA2O\x0E\x9F\xBC\xB8\x87P\xE9Pz\x13\xB2\xF1\xA0\xB8@\x88\xEC\xD3O\xAE\xDE\xC0\xCA\xED\x12_TE\x0BU\xCBp\x22n\xA6\x16\xD0\x89dc\x03\xCEJZ\xF3\xBDnX\xD0h[\x96%\x9C\xB3\xB2n8~\xE6Sn\x99\x983\x0B+K\xF1\x06\x1D\x8B\x9AV" 400 150 "-" "-" "-"
37.99.49.203 - - [13/May/2019:19:11:58 +0200] "8@\x82\xBA\xFC\x1C\xDA$l\xA9p\x9F1\xB5p\x002\xDB\xEF\xF9\xAD\xCCn\xD4\xF2\x9E\xE27\xB6\x1E\x1C\xAC\xF6\x06\xEBQN\xDA\x19\xB4\x81Y\xA6\xA9$\xF1\xDEJ\xED\xB3\xF4A*\x1B1\xC0\xE2\x22p\xAB\x83}j\x9Ed\xFBg\xCBF\x0E\xED\x15(2\x86X\xFE" 400 150 "-" "-" "-"
37.99.49.203 - - [13/May/2019:19:12:02 +0200] "L" 400 150 "-" "-" "-"
37.99.49.203 - - [13/May/2019:19:12:06 +0200] "q\xEE5\xA1\x12\x9B\x80\x85\x19\xB3\xC2\xFF\x19Ej\xE3K\x9B\xCBY\xEE\xF6\x92{\xBE[k\xA3\x8C\xF2\x05\x8C\x11\xCA\x09\x9BU\x8E\xFF\xE2\x8D.\x08\xC2~L\x1E\x9F\x97q\x9CM69\xCB\xA3\x91MOe\x10]\x81\xE4\x83<\xF6" 400 150 "-" "-" "-"
37.99.49.203 - - [13/May/2019:19:12:06 +0200] "\x0F?c\x1B\x032*\xB5\xFB'\xB0\xB5\xF0X\xB3\x1Dc\xBE\x02\x06e4\x82x\x09>F\xC5W\xCB\xF1s\xD5w\xA3\x1B\xB5\xFB\x1D\x8A\xD3\xE4\x0F\xE8\xB0\xFC\xEE\x98\xFBM\xFC\xCB\xB09\xB4\x8B\xA1e\x8D\xA7\xD4\x95\xE5\xF9\x1D\xAE\xD6J\xCFP2Z\xBC\xC8Z4\x90\xDA\xDA\x08V$\x1A$\x8D7L\x1Eo\xCA\x0Fa\x0F\xF3\x94\xF8\x5Cf\xB4\x83\x11\xB7\x1B\x94\x9F\xD3\xD7\xFB\x84C\x0F\xCF'\xF7\xD9\x03\xE5\x8C\x12\x0F\xB7\x15S=\x80\x98\xC4\xC4\x95,\xEEV\xC1\xF1\xBDj\xE6\x8F\x06X\xE7LO[0\x00f\x0C\x0E\xA6C\xEBH\x9C\xFE.\xB8\xDE7\x0B\xBF=\x9BVC\xA3n>;J0\x10\x15>\xA0\x8E\xB1^m\x9E\xE3\xD4Wkf\xB9\xB681\xDF\xD5\xA7~\xD9\xD9%\x84cNX_\xAB!T\xF6`\xB6A\xE5\xB9\x14\x98\xE9\xD1\xD9\xCB\x0E\x0E\xDBb\x1Do\x190\x0B" 400 150 "-" "-" "-"
37.99.49.203 - - [13/May/2019:19:12:08 +0200] "\x1F\xAE\xAD$\xE1\xD1\xBC\xF6\x8D\x04,Y\xBC\x08[Vd\xB3\xC9\xC9\x09<r\xC7\xA9O^\x9Ddq\xA3g\xB7\x095\xCDA\xDB<GsI\x1CZT!\x1FT\xEB\xB43" 400 150 "-" "-" "-"
[...]
37.99.49.203 - - [13/May/2019:19:18:14 +0200] "\xAE2\xDFwn\xC3\x04\xC1\xF1\xCF\xCEN\xB4A\xE6\xFD\xE6\x93\x9D(\x14\x97\xBB\x5C\xAE:bI4\x1AIiaD\xF4\xEA\x16\x86J\xB8A\x8Ea\x10\x9F\x07\x86d>\xDF\xAF\xC5R\xDF\xDA\x87\xF0\xFF\xD7\x927\x9A8\x04\xEF\xA2|\xD4?_m\xCD\xFB\xAB\xC4" 400 150 "-" "-" "-"
During the past hour this bot managed to make approximately 1800 requests to my HTTP server. It's obviously malicious.
It also seems really persistent, because when I turned off my nginx server for a few minutes to make some configuration changes, it came back and continued this behaviour.
I don't think it's a denial-of-service attack of any kind, as the requests are too slow (for the most part he didn't even trigger rate-limiting restrictions).
Request bodies look like UTF-8 literals, but I don't think that's it.
Even though I block all HTTP requests that are not GET/POST/HEAD, and I also block certain countries including his country of origin, he gets a 400 Bad Request response because his requests are gibberish and don't specify a request method.
Can anyone please explain to me why this is happening? What is this bot trying to achieve? I'm going to block him in my firewall in a minute, but I wanted to know what kind of anomaly this is, because I've never seen this before.
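The log lines above are in nginx's combined format, and nginx escapes `"`, `\` and every non-printable byte inside the `$request` field as `\xNN`, which is why the request lines render as hex soup. An added example (not part of the question or of any answer) of how a defender can decode those escapes, tell an HTTP request line from binary noise, and count per client how many such junk requests arrived, so a threshold can drive a firewall or fail2ban-style rule. The log lines inside the block are constructed samples using the 192.0.2.0/24 documentation range; the 0.3 binary ratio and the per-IP threshold are assumptions to tune.

```python
"""Decode nginx \\xNN escapes in access-log request lines and flag clients
whose requests are not HTTP at all. Sample lines are constructed for the example."""
import re
from collections import defaultdict

# nginx combined style as in the question: ip - - [time] "request" status bytes "ref" "ua" ...
# nginx escapes '"', '\' and non-printable bytes inside $request as \xNN, so the
# quoted request field never contains a raw double quote.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')
HTTP_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE")

# Constructed sample log (not the questioner's real traffic); first four lines mimic
# the binary noise from the question, the last two are ordinary requests.
SAMPLE_LOG = [
    r'192.0.2.10 - - [13/May/2019:19:11:42 +0200] "!\xBC\xA0F\xC1\xDA\xF0\xF5mfM\xBA\xCF\x16" 400 150 "-" "-" "-"',
    r'192.0.2.10 - - [13/May/2019:19:12:02 +0200] "L" 400 150 "-" "-" "-"',
    r'192.0.2.10 - - [13/May/2019:19:12:06 +0200] "\x0F?c\x1B\x032*\xB5\xFB\xB0" 400 150 "-" "-" "-"',
    r'192.0.2.10 - - [13/May/2019:19:12:08 +0200] "\x1F\xAE\xAD$\xE1\xD1" 400 150 "-" "-" "-"',
    r'192.0.2.20 - - [13/May/2019:19:12:09 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    r'192.0.2.30 - - [13/May/2019:19:12:10 +0200] "GET /missing HTTP/1.1" 404 162 "-" "curl/7.64.0" "-"',
]


def unescape_request(field: str) -> bytes:
    """Turn nginx's \\xNN escapes back into the raw bytes the client sent."""
    text = ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), field)
    return text.encode("latin-1")  # chr(0..255) maps 1:1 onto bytes


def looks_like_http(raw: bytes) -> bool:
    """True if the request line starts with '<METHOD> ' as a real HTTP request would."""
    return any(raw.startswith(m.encode() + b" ") for m in HTTP_METHODS)


def binary_ratio(raw: bytes) -> float:
    """Fraction of bytes outside printable ASCII (0x20..0x7E)."""
    if not raw:
        return 0.0
    return sum(1 for b in raw if b < 0x20 or b > 0x7E) / len(raw)


def classify_line(line: str):
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = unescape_request(m.group("request"))
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "is_http": looks_like_http(raw),
        "binary_ratio": round(binary_ratio(raw), 2),
    }


def summarise(lines, threshold=3, max_binary=0.3):
    """Per-IP counts of requests, 400s and junk (non-HTTP or mostly binary) request
    lines. Returns (per_ip dict, sorted list of IPs with >= threshold junk requests).
    threshold and max_binary are assumed tuning knobs, not values from the question."""
    per_ip = defaultdict(lambda: {"requests": 0, "status_400": 0, "junk": 0})
    for line in lines:
        rec = classify_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == 400:
            s["status_400"] += 1
        if not rec["is_http"] or rec["binary_ratio"] > max_binary:
            s["junk"] += 1
    flagged = sorted(ip for ip, s in per_ip.items() if s["junk"] >= threshold)
    return dict(per_ip), flagged


if __name__ == "__main__":
    stats, flagged = summarise(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip:15} requests={s['requests']} 400s={s['status_400']} junk={s['junk']}")
    print("flag for blocking:", flagged)
```

The junk test deliberately keys on the shape of the request line rather than on the 400 status alone: a single-character request like `"L"` has no non-printable bytes at all, but it is still not an HTTP request and counts the same as the binary lines. Reading the real log is a matter of replacing `SAMPLE_LOG` with `open("/var/log/nginx/access.log")`.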