
I'm getting hundreds of entries in my access log with invalid requests like this ...

217.23.114.224|-|15/Dec/2010:08:17:19 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:19 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-

My log file format is

'$remote_addr|$cookie__ourcookie|$time_local|$request|$content_length|$content_type|$status|$body_bytes_sent|$upstream_addr|$upstream_response_time';


The IP address varies and some of them are valid user IP addresses (not sure about the others). They often appear in the middle of a valid set of requests and then stop.

Anyone got an idea why I'd be getting floods of seemingly invalid requests coming in?

I don't think this can be explained just by saying that it's a hack attempt (though some of it could be) - is there any additional debug setting for NGINX?

Thanks

Chris

Chris McCauley
  • Possible duplicate of [What causes a 400 bad request error for null ("") and why would our Nginx logs have so many?](http://serverfault.com/questions/226825/what-causes-a-400-bad-request-error-for-null-and-why-would-our-nginx-logs-h) – Phrogz Feb 06 '12 at 20:02
  • @Phrogz - you mean the other (newer) question is a duplicate of this older one? :-) – Chris McCauley Feb 07 '12 at 15:57
  • By date that's true; by helpful answer I believe the other question has the edge. :) _(Some requests may be drones, as @incredimike suggests below. In my experience yesterday analyzing my logs, almost all the 400's I'm getting are from Firefox keep-alives—or unused HTTP connections—5 seconds after the last valid request.)_ – Phrogz Feb 07 '12 at 16:02

2 Answers


This is part of running a server that's open to anonymous requests from the Internet. It looks like some client is attempting a connection, then immediately dropping it. I expect that it's a drone attempting to see what web server you're running... and to exploit you, if possible. Good thing you're running nginx ;)

incredimike
  • Unfortunately many of the requests are from known customer ip addresses (can't determine if the others are valid) and appear in the middle of an otherwise valid set of requests. – Chris McCauley Dec 16 '10 at 09:21

Your problem may be that your Nginx large_client_header_buffers need to be increased per this discussion.

Alternatively, your problem may simply be web browsers opening an HTTP connection and then closing it without using it, or using Keep-Alive and reaching the timeout. In this case it's not a problem that the users are ever seeing, but just Nginx reporting an error.

Phrogz
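The two answers give two different explanations for the empty 400 entries (a scanner probing and dropping the connection, versus a browser's idle keep-alive connection timing out), and the log format in the question has enough information to tell them apart: for each empty 400 from an IP, measure how long after that IP's last valid request it was logged. Entries that land right at the server's keep-alive timeout after a real request are the idle-connection case; bursts with no prior valid request from that IP are the case worth a closer look. The script below is an added example written for this page, not code from the question or either answer. It parses the pipe-delimited format from the question, and the keep-alive timeout value, the tolerance window and the sample log lines are all assumptions or constructed data; the timeout should be set to the server's actual keepalive_timeout.

```python
from collections import defaultdict
from datetime import datetime

# Field order taken from the custom log_format in the question.
FIELDS = ("remote_addr", "cookie", "time_local", "request", "content_length",
          "content_type", "status", "body_bytes_sent", "upstream_addr",
          "upstream_response_time")

# Constructed sample lines in the question's format (not real traffic).
# 10.0.0.5 makes a valid request, then two empty 400s land 5 s later;
# 203.0.113.9 sends empty 400s with no valid request beforehand.
SAMPLE_LOG = """\
10.0.0.5|-|15/Dec/2010:08:17:10 +0000|GET / HTTP/1.1|-|-|200|512|127.0.0.1:8080|0.004
10.0.0.5|-|15/Dec/2010:08:17:15 +0000|-|-|-|400|0|-|-
10.0.0.5|-|15/Dec/2010:08:17:15 +0000|-|-|-|400|0|-|-
203.0.113.9|-|15/Dec/2010:08:17:19 +0000|-|-|-|400|0|-|-
203.0.113.9|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
this line is not in the expected format
"""


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed.

    A request or cookie value containing '|' would change the field count;
    such lines are skipped rather than guessed at.
    """
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # nginx $time_local looks like: 15/Dec/2010:08:17:19 +0000
    rec["time"] = datetime.strptime(rec["time_local"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_empty_400(rec):
    """The pattern from the question: status 400 with no request line logged."""
    return rec["status"] == 400 and rec["request"] == "-"


def classify(lines, keepalive_timeout=75, tolerance=2):
    """Per-IP summary of empty 400s.

    keepalive_like: logged about keepalive_timeout seconds after that IP's
                    last valid request (idle keep-alive connection closed).
    orphan:         no valid request from that IP seen earlier in the log.
    The default timeout of 75 s is an assumption (nginx's documented default);
    pass the server's real keepalive_timeout.
    """
    last_valid = {}
    summary = defaultdict(lambda: {"empty_400": 0, "keepalive_like": 0, "orphan": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["remote_addr"]
        if not is_empty_400(rec):
            last_valid[ip] = rec["time"]
            continue
        s = summary[ip]
        s["empty_400"] += 1
        prev = last_valid.get(ip)
        if prev is None:
            s["orphan"] += 1
        elif abs((rec["time"] - prev).total_seconds() - keepalive_timeout) <= tolerance:
            s["keepalive_like"] += 1
    return dict(summary)


if __name__ == "__main__":
    # keepalive_timeout=5 matches the 5-second gap Phrogz reports in the comments.
    for ip, counts in classify(SAMPLE_LOG.splitlines(), keepalive_timeout=5).items():
        print(ip, counts)
```

Run it against a real access log with `classify(open("access.log"), keepalive_timeout=<your setting>)`; the IPs whose empty 400s are mostly keepalive_like are the harmless case from Phrogz's answer, while IPs whose entries are mostly orphans (or that never made a valid request at all) fit the probing-client explanation from incredimike's answer and are the ones to check further.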