5

We run an Apache2 web server which serves somewhere in the vicinity of 2-3 million pages every day (only HTML+CSS+JavaScript; images and other content are served with Lighttpd). Our daily logwatch e-mail outputs somewhere between 3-5 "400 Bad Request" items a day. It is mostly for the same URLs every day, but rarely more than 1 time per URL. The URLs listed are mostly for standard page views on our website (URLs that almost every user will visit).

When grepping the error.log for the IPs listed in the access.log as having received the error, the result is always [error] [client xxx.xxx.xxx.xxx] request failed: error reading the headers, referer: xxx.

My assumption is that these are nothing to worry about, at least when they are this infrequent.

Is the number of errors we are seeing here produced by dropped connections, or something similar? What should I examine to figure it out? Should I just leave it alone?

Vegard Larsen

3 Answers

5

Just to expand on MrTuttle's answer, the 400 errors I've investigated in the wild are typically someone trying (unsuccessfully) to exploit your webserver, typically because they haven't noticed that you're not running a vulnerable version, or they just don't care. A fair proportion of the 404 errors I get on my sites are in the same boat -- attempts to exploit vulnerable webapps I don't have installed (phpmyadmin, I'm glaring at you).

womble
  • These are usually the w00tw00t-requests, which I am aware of. I keep my server patched, and also review the SSH logs with logwatch... :) – Vegard Larsen Jul 11 '11 at 06:21
  • A very good point! And if I had 1/15th of a cent for every time someone scanned my servers for phpmyadmin.... – MrTuttle Jul 11 '11 at 06:21
4

Based on what you are seeing, if the same IPs logging the errors can later successfully access the site, then it is probably very safe to ignore the infrequent errors for the rationale that you have presented.

user48838
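The check suggested in the answer above (did an IP that received a 400 later get a successful response?) can be automated over the access log. The following is an added example, not part of the original answer; it assumes Apache's common/combined log format in chronological order, and the sample lines and IP addresses are constructed.

```python
import re
from datetime import datetime

# Apache common/combined prefix: host ident user [time] "request" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (documentation IP ranges), not taken from the question.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jul/2011:06:00:01 +0200] "GET /news HTTP/1.1" 400 226 "http://example.com/" "Mozilla/5.0"
192.0.2.10 - - [11/Jul/2011:06:00:04 +0200] "GET /news HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2011:06:05:12 +0200] "-" 400 226 "-" "-"
203.0.113.5 - - [11/Jul/2011:06:07:30 +0200] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jul/2011:06:09:00 +0200] "GET /about HTTP/1.1" 400 226 "-" "Mozilla/5.0"
this line is not a log entry
"""

def triage_400s(lines):
    """Split IPs that got a 400 by whether they later got a 2xx/3xx."""
    first_400 = {}      # ip -> timestamp of its first 400
    recovered = set()   # ips with a successful request after that 400
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue    # skip malformed or truncated lines
        ip, status = m["ip"], int(m["status"])
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        if status == 400:
            first_400.setdefault(ip, ts)
        elif 200 <= status < 400 and ip in first_400 and ts >= first_400[ip]:
            recovered.add(ip)
    unrecovered = set(first_400) - recovered
    return sorted(recovered), sorted(unrecovered)

if __name__ == "__main__":
    ok, review = triage_400s(SAMPLE_LOG.splitlines())
    print("400 then later success (likely client/network glitch):", ok)
    print("400 with no later success (worth a look in error.log):", review)
```

A success that happened before the 400 does not count as recovery, so the third sample client is listed for review rather than cleared.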
2

Kudos for actually reviewing your logs! I'd ignore the 400 errors. 99.999% of the time, they're client-side, and completely outside your purview; network flakiness or a spyware-ridden browser, in my experience.

MrTuttle