
I've been receiving tons of weirdly encoded strings as URL requests on my webserver. I tried decoding them but wasn't able to. Here are a few samples:

184.146.170.127 - - [10/Sep/2019:17:22:54 +0000] "\x16\x03\x01\x00\x85\x01\x00\x00\x81\x03\x03\xEE\xF2W\x1F\x8A~q\xBE\xCD\xA0)\x9Bk\xC2\xB7\xD6\xE0cY\xB8\xBD\x84v6P\xFA\x08\xE7\x00\xE7RY\x00\x00\x1C\xC0+\xC0,\xCC\xA9\xC0/\xC00\xCC\xA8\xC0\x09\xC0" 400 157 "-" "-" "-"

179.155.79.122 - - [10/Sep/2019:17:22:58 +0000] "\x16\x03\x01\x00\x85\x01\x00\x00\x81\x03\x03\x88\xFB\x9A\x04\x04\x08\x81\xC0\xBCAdG[\xD8\xFDp\x8F\x84\xF3)\xEE\xB8\xA7\xCA\xA6+\xD3\x8C\xF3;4N\x00\x00\x1C\xC0+\xC0,\xCC\xA9\xC0/\xC00\xCC\xA8\xC0\x09\xC0" 400 157 "-" "-" "-"

170.79.48.2 - - [10/Sep/2019:17:26:56 +0000] "\x16\x03\x01\x00\x81\x01\x00\x00}\x03\x03T\xE7}_\x17Z\x83\xFD\xAB,8\x13\x06\xAC\xA8\xC3p:\xBAkR\x06>5\x22\x96\xC9\xAB\x5C\xD8!\xDE\x00\x00\x1C\xC0+\xC0,\xCC\xA9\xC0/\xC00\xCC\xA8\xC0\x09\xC0" 400 157 "-" "-" "-"

I understand it's probably some botnet trying to find vulnerabilities, but I don't understand which vulnerability they could be trying to find with hard-to-decode URLs. Also, it would be very nice to find a way to block those as well, since this is absolutely flooding my logs (I'm running on uWSGI + nginx). This is a staging server, so the ratio of useful to garbage logs like these is about one to thousands.

1 Answer


Those are not actually URLs at all, as the requests are not shaped like an HTTP request to begin with (a real HTTP URL request would start with a verb like GET or TRACE, and this would be shown in webserver logs). These packets are actually attempts to do a TLS handshake: `\x16\x03\x01\x??\x??\x01` is the beginning of a TLSv1.2 ClientHello.

It's unusual to see this on port 80, but if you're running your web server on a nonstandard port, many scanners will of course not know that it speaks HTTP and will try various common protocols, TLS being one of them.

To reduce log spam, install a log analyzer which would automatically create firewall rules – fail2ban being a popular one. (By default it only monitors SSH connections, but I believe it comes with patterns for other popular formats.) You can't block them all, but this way you can at least get rid of the repeat offenders.

grawity
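To make the answer's diagnosis checkable against the logs, here is an added Python example (not code from the original question or answer). It undoes nginx's `\xHH` escaping of the request field, parses the TLS record header and the ClientHello handshake header at the offsets defined in RFC 5246, tolerates the truncation nginx applies to the logged request, and tallies source IPs the way a fail2ban filter would before banning repeat offenders. The three log lines are the ones quoted in the question; the version and cipher-suite names come from the IANA TLS registry.

```python
"""Recognise TLS ClientHello bytes logged by nginx as bogus HTTP requests.

Added example, not part of the original post. Field offsets follow the TLS
record layer and ClientHello layout of RFC 5246.
"""
import re
from collections import Counter

# Input: the three nginx access-log lines quoted in the question, verbatim.
SAMPLE_LOG = r'''
184.146.170.127 - - [10/Sep/2019:17:22:54 +0000] "\x16\x03\x01\x00\x85\x01\x00\x00\x81\x03\x03\xEE\xF2W\x1F\x8A~q\xBE\xCD\xA0)\x9Bk\xC2\xB7\xD6\xE0cY\xB8\xBD\x84v6P\xFA\x08\xE7\x00\xE7RY\x00\x00\x1C\xC0+\xC0,\xCC\xA9\xC0/\xC00\xCC\xA8\xC0\x09\xC0" 400 157 "-" "-" "-"
179.155.79.122 - - [10/Sep/2019:17:22:58 +0000] "\x16\x03\x01\x00\x85\x01\x00\x00\x81\x03\x03\x88\xFB\x9A\x04\x04\x08\x81\xC0\xBCAdG[\xD8\xFDp\x8F\x84\xF3)\xEE\xB8\xA7\xCA\xA6+\xD3\x8C\xF3;4N\x00\x00\x1C\xC0+\xC0,\xCC\xA9\xC0/\xC00\xCC\xA8\xC0\x09\xC0" 400 157 "-" "-" "-"
170.79.48.2 - - [10/Sep/2019:17:26:56 +0000] "\x16\x03\x01\x00\x81\x01\x00\x00}\x03\x03T\xE7}_\x17Z\x83\xFD\xAB,8\x13\x06\xAC\xA8\xC3p:\xBAkR\x06>5\x22\x96\xC9\xAB\x5C\xD8!\xDE\x00\x00\x1C\xC0+\xC0,\xCC\xA9\xC0/\xC00\xCC\xA8\xC0\x09\xC0" 400 157 "-" "-" "-"
'''

# Combined-format access log: client IP ... [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3})')
ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')   # nginx writes non-printables as \xHH

TLS_HANDSHAKE = 0x16   # record-layer content type
CLIENT_HELLO = 0x01    # handshake message type
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CIPHER_NAMES = {  # IANA names for the suites visible in the samples
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
}


def unescape_nginx(req: str) -> bytes:
    """Turn nginx's \\xHH-escaped request field back into the raw bytes."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), req).encode("latin-1")


def parse_client_hello(data: bytes):
    """Describe a TLS ClientHello, or return None if the bytes are not one.

    nginx logs only the first bytes of the request, so parsing stops cleanly
    wherever the data runs out and reports whether the record was truncated.
    """
    if (len(data) < 11 or data[0] != TLS_HANDSHAKE or data[1] != 0x03
            or data[5] != CLIENT_HELLO):
        return None
    info = {
        "record_version": int.from_bytes(data[1:3], "big"),   # 0x0301 for compatibility
        "record_len": int.from_bytes(data[3:5], "big"),
        "handshake_len": int.from_bytes(data[6:9], "big"),
        "client_version": int.from_bytes(data[9:11], "big"),  # the real offered version
        "cipher_suites": [],
    }
    info["truncated"] = len(data) < 5 + info["record_len"]
    pos = 11 + 32                      # skip the 32-byte client random
    if pos < len(data):
        pos += 1 + data[pos]           # session_id length byte + session_id
    if pos + 2 <= len(data):
        cs_len = int.from_bytes(data[pos:pos + 2], "big")
        suites = data[pos + 2:pos + 2 + cs_len]
        # keep only whole 2-byte suite ids; a dangling odd byte is dropped
        info["cipher_suites"] = [int.from_bytes(suites[i:i + 2], "big")
                                 for i in range(0, len(suites) - 1, 2)]
    return info


def scan_log(text: str):
    """Return (ip, status, hello) for each line whose request is a ClientHello."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hello = parse_client_hello(unescape_nginx(m["req"]))
        if hello:
            hits.append((m["ip"], int(m["status"]), hello))
    return hits


def repeat_offenders(hits, threshold=2):
    """IPs that sent at least `threshold` ClientHellos: the fail2ban idea."""
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, status, h in found:
        names = [CIPHER_NAMES.get(c, hex(c)) for c in h["cipher_suites"]]
        print(f"{ip}: HTTP {status}, {VERSION_NAMES.get(h['client_version'])} ClientHello, "
              f"record {h['record_len']} bytes ({'truncated' if h['truncated'] else 'complete'}), "
              f"suites: {', '.join(names)}")
    print("repeat offenders:", repeat_offenders(found))
```

Each sample decodes to a 133- or 129-byte handshake record of which nginx kept only the first 61 bytes, offering TLS 1.2 and the same seven modern cipher suites, which is why the answer reads them as ClientHellos rather than encoded URLs. In the samples no IP appears twice, so the tally is empty; over a longer window the same tally is what a fail2ban filter on nginx 400 responses whose request begins with `\x16\x03\x01` would act on.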