
In my access.log file I found hundreds of lines of empty requests like this:

mydomain.com:80 [ip-address] - - [02/Jul/2014:09:11:20 -0500] "GET / HTTP/1.0" 200 25491 "-" "-"
mydomain.com:80 [ip-address] - - [02/Jul/2014:09:11:24 -0500] "GET / HTTP/1.0" 200 25491 "-" "-"
mydomain.com:80 [ip-address] - - [02/Jul/2014:09:11:24 -0500] "GET / HTTP/1.0" 200 25491 "-" "-"
mydomain.com:80 [ip-address] - - [02/Jul/2014:09:11:20 -0500] "GET / HTTP/1.0" 200 25491 "-" "-"

They are all coming from the same IP address, and sometimes there are about 3-5 requests per second.

I read from this answer https://serverfault.com/a/386136/210624 that

In other words, this was probably somebody opening and closing a connection against port 80, without sending or receiving any data.

but unlike in that question, in my case the response code is 200.

qsn1: what does the number 25491 mean in this case?

qsn2: can this be a DoS attack? During that time I saw in my VPS stats that there was high CPU usage.

qsn3: can I somehow prevent this kind of request? Say, block the IP address using fail2ban or some other way?

Thanks

update: I just counted; during 20 minutes I had ~8000 hits from the same (and only that) IP address, all lines like those shown above.


1 Answer


1: 25491 is the size, in bytes, of the response returned by your server.

2: Given the description, it could be some form of low-level DoS. Probably a 'bot.

3: fail2ban is a good idea. You could set up a filter regex along these lines (untested!):

\[<HOST>\] - - \[.*\] "GET / HTTP/1\.[01]" 200 \d+ "-" "-"

Then put it in a jail with a maxretry of 100 and a findtime of 60s, say.
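As an added example (not part of the post, and not fail2ban's own code), the Python below replays access-log lines in the question's format through the answer's filter regex and applies maxretry/findtime counting the way a fail2ban jail would, so you can see before deploying which hosts a given threshold would ban and what a mis-set threshold would miss. The IPv4 group substituted for the `<HOST>` token, the sample addresses (203.0.113.x) and the sample log lines are all constructed for the example.

```python
# Added example (not fail2ban's code and not from the post): replay access-log
# lines through the answer's filter regex and apply fail2ban-style
# maxretry/findtime counting to see which hosts would be banned.
# The host pattern, sample addresses and sample lines are all constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The answer's failregex.  fail2ban substitutes its own <HOST> token at
# runtime; here a plain IPv4 group is swapped in (assumption: IPv4 clients
# only) so the pattern runs under the standard `re` module.  The timestamp
# and size fields are captured so the replay can window by time.
FAILREGEX = (r'\[<HOST>\] - - \[(?P<ts>[^\]]+)\] '
             r'"GET / HTTP/1\.[01]" 200 (?P<size>\d+) "-" "-"')
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_RE))
TS_FORMAT = '%d/%b/%Y:%H:%M:%S %z'   # Apache %t, e.g. 02/Jul/2014:09:11:20 -0500


def parse_line(line):
    """Return (host, timestamp, response_bytes) for a line the filter matches,
    or None for any line it does not (e.g. a request with a real User-Agent)."""
    m = PATTERN.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), TS_FORMAT)
    return m.group('host'), ts, int(m.group('size'))


def find_offenders(lines, maxretry=100, findtime=60):
    """fail2ban semantics: a host is banned the moment it has `maxretry`
    matching lines within the last `findtime` seconds.  Returns a dict
    host -> timestamp of the match that would trigger the ban."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts, _size = parsed
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # expire matches older than findtime
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


# --- Constructed sample log, in the format shown in the question -------------
BASE = datetime(2014, 7, 2, 9, 11, 0)

def make_line(host, offset_seconds, user_agent='-'):
    """Build one constructed access-log line; '-' referer/UA as in the post."""
    stamp = (BASE + timedelta(seconds=offset_seconds)).strftime('%d/%b/%Y:%H:%M:%S')
    return (f'mydomain.com:80 [{host}] - - [{stamp} -0500] '
            f'"GET / HTTP/1.0" 200 25491 "-" "{user_agent}"')

SAMPLE_LINES = (
    # 203.0.113.5: 3 empty requests per second for 50 s (the question's pattern)
    [make_line('203.0.113.5', i // 3) for i in range(150)]
    # 203.0.113.77: one empty request every 3 s, well under maxretry=100
    + [make_line('203.0.113.77', i * 3) for i in range(20)]
    # 203.0.113.200: busy but sends a User-Agent, so the filter ignores it
    + [make_line('203.0.113.200', i // 4, 'Mozilla/5.0') for i in range(200)]
)


if __name__ == '__main__':
    for host, when in find_offenders(SAMPLE_LINES).items():
        print(f'would ban {host} at {when:%H:%M:%S}')
```

With the answer's suggested jail (maxretry 100, findtime 60) only the 3-requests-per-second host is banned, at the 100th hit; the slow host and the host with a real User-Agent are left alone, which is the trade-off to keep in mind when tuning the thresholds. Against a real log, fail2ban's own `fail2ban-regex` utility does the equivalent dry run of the filter without touching any firewall rules.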