What kind of entries are these

Tiffany Walker asked:

65.181.122.21 - - [24/Mar/2013:10:33:28 -0400] "-" 400 0 "-" "-"
109.228.81.72 - - [24/Mar/2013:10:33:42 -0400] "-" 400 0 "-" "-"
92.26.105.90 - - [24/Mar/2013:10:33:54 -0400] "-" 400 0 "-" "-"
92.26.105.90 - - [24/Mar/2013:10:33:54 -0400] "-" 400 0 "-" "-"
92.26.105.90 - - [24/Mar/2013:10:33:54 -0400] "-" 400 0 "-" "-"
92.26.105.90 - - [24/Mar/2013:10:33:54 -0400] "-" 400 0 "-" "-"
174.57.127.57 - - [24/Mar/2013:10:34:07 -0400] "-" 400 0 "-" "-"
174.57.127.57 - - [24/Mar/2013:10:34:07 -0400] "-" 400 0 "-" "-"
174.57.127.57 - - [24/Mar/2013:10:34:07 -0400] "-" 400 0 "-" "-"
87.250.112.82 - - [24/Mar/2013:10:34:10 -0400] "-" 400 0 "-" "-"
87.250.112.82 - - [24/Mar/2013:10:34:16 -0400] "-" 400 0 "-" "-"
75.9.96.255 - - [24/Mar/2013:10:34:20 -0400] "-" 400 0 "-" "-"
39.48.21.192 - - [24/Mar/2013:10:34:20 -0400] "-" 400 0 "-" "-"
39.48.21.192 - - [24/Mar/2013:10:34:20 -0400] "-" 400 0 "-" "-"

Is this a type of GET flood?

Is there a way I can grep all the IPs and then send them to iptables?

My answer:


This generally means that the client opened a Keep-Alive connection, but then disconnected after receiving a response to its previous request. It can also be a client that connects and then immediately disconnects without sending anything. Since the web server was expecting something, it logs a bad request (HTTP 400). These are mostly harmless.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.