Re: Just looking for guide to understand query strings

B.R.
May 29, 2014 07:02PM
The question mark separates the location from the arguments, thus the
location itself is merely '/'.

If you do not have a location set explicitly for '/', you probably have a
default location block ('location /') which will serve all unmatched
locations, thus resulting in 200.

Maybe the intent of this spam is to try to trigger vulnerabilities or
default credentials on the index page in backend applications (i.e. CMS).
This is pure speculation.

If the spam really takes resources or annoys you very much, you might be
willing to either:
- filter out those requests (blacklist approach), being careful that those
could not be legitimate (as you would reduce availability, which is against
very basic principles of security)
- only accept requests with a specific format (white-list approach), being
careful that it might be a maintenance nightmare each and every time you
wanna make a new format of requests
- investigate the source of this spam and see if it might not be possible
to filter them out at a lower level (such as a firewall)
- introduce request rate limiting to still allow every request but lower
their frequency and thus save resources by sending back a built-in HTTP
error code rather than content when clients exceed rate limits

Those are just wild ideas coming in a snap.
Pick your choice or think about better ones... ;o)
---
*B. R.*
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
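As an added illustration (not part of the original post), the nginx configuration below shows the three in-nginx options listed in the reply: a blacklist via `map` on `$args`, a white-list that refuses any query string on the front page, and `limit_req` rate limiting that answers with a built-in status code. The zone name, rate, backend address, server name and the regex describing the junk query strings are all assumptions, not values from the thread.

```nginx
# Added example, not from the original thread. Names, rates, the backend
# address and the "junk query string" regex are assumptions; adjust to taste.

http {
    # Rate limiting state: keyed on client IP, 10 MB of shared memory,
    # 5 requests per second per client.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=5r/s;
    # When a client exceeds the limit, send a bare status instead of content.
    limit_req_status 429;

    # Blacklist approach: flag query strings that no legitimate page uses.
    # Assumed shape of the spam here: a single long bare token (e.g. /?abcdef...).
    map $args $junk_args {
        default                  0;
        "~^[A-Za-z0-9]{32,}$"    1;   # placeholder pattern, assumption
    }

    server {
        listen      80;
        server_name example.com;       # placeholder

        # Catch-all prefix block. The '?' never takes part in location
        # matching, so "/?whatever" still lands on the "/" location unless a
        # more specific block exists (see the exact match below).
        location / {
            if ($junk_args) { return 403; }
            # Allow a burst of 10 over the rate, reject the rest immediately.
            limit_req zone=perip burst=10 nodelay;
            proxy_pass http://127.0.0.1:8080;   # assumed backend application
        }

        # White-list approach for the index page only: an exact match wins
        # over the prefix block, and any query string at all is refused.
        # This block does not inherit limit_req from "location /", so it is
        # repeated here.
        location = / {
            if ($args) { return 404; }
            limit_req zone=perip burst=10 nodelay;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Test with `nginx -t` before reloading; note that `if ($args)` treats an empty query string (a bare `/?`) as false, so that case still reaches the backend.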