Is this an attack or a normal request?

lists lists at
Mon Aug 24 18:54:35 UTC 2020

I can't find it, but someone wrote a script to decode that style of hacking. For the hacks I was decoding, they were RDP hack attempts. The hackers just "spray" their attacks. Often they are not meaningful to your server.

I have Nginx maps set up to match requests that are not relevant to my server. For instance I don't run WordPress, so anything WordPress related gets a 444 response. On a weekly basis I pull all the IP addresses that generated a 400 or 444 and run them through an IP lookup website. If they come back to a hosting company, VPS, or basically anything not an ISP, I block the associated IP space via my firewall. The only reason I can do this weekly is I have blocked so much IP space already that I don't get many hackers.

At a minimum I suggest blocking all Amazon AWS. No eyeballs there, just hackers. Also block all of OVH. You can block any of the hosting companies since there are no eyeballs there. This blocks many VPNs as well but nobody says you have to accept traffic from VPNs. 

Firewalls are very CPU efficient though they do use a lot of memory. In the long run blocking all those hackers improves system efficiency since nginx does have to parse all that nonsense.

I have scripts to pull the hacker IP out of the log file but I have a nonstandard log format. If you can create a file of IPs, this site will return the domains:

If you see a domain that is obviously not an ISP, you can find their entire IP space using

This sounds more complicated than it is. I have it down to about 20 minutes a week. 

You can also block countries in the firewall. Some people block all of China. I don't but that does cut down on hackers. 

  Original Message  

From: themadbeaker at
Sent: August 24, 2020 11:06 AM
To: nginx at
Reply-to: nginx at
Subject: Re: Is this an attack or a normal request?

> Is this kind of DDOS attack or a legitimate request(which my server returns
> 400 for them)?

That's typically how various unicode characters are hex encoded. If
you aren't expecting that kind of input, then yes it is likely an
attack (probably trying to exploit an unknown specific piece of
software). Welcome to the internet where everything connected is
bombarded 24/7 from everything else with random attacks.

That's why it's important to keep your server (and wordpress) up to date.
nginx mailing list
nginx at
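
Added example, not code from either poster: one way to do the weekly pull of client IPs that drew a 400 or 444 and to decode the `\xNN`-escaped request lines discussed in the thread. It assumes nginx's predefined `combined` log format (the poster's own format is nonstandard and not shown); the sample lines are constructed and the protocol labels are simple prefix heuristics.

```python
import re
from collections import Counter

# nginx's predefined "combined" format; adjust the regex for a custom log_format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
HEX_RE = re.compile(rb'\\x([0-9A-Fa-f]{2})')

def unescape(req: str) -> bytes:
    """Turn nginx's \\xNN log escapes back into the raw bytes the client sent."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), req.encode("latin-1"))

def describe(raw: bytes) -> str:
    """Rough label for a rejected request line (heuristics, not a protocol parser)."""
    if raw.startswith(b"\x16\x03"):
        return "TLS handshake sent to a plain-HTTP port"
    if raw.startswith(b"\x03\x00") and b"mstshash=" in raw:
        return "RDP connection request"
    if any(b < 0x20 or b > 0x7E for b in raw):
        return "other binary data"
    return "plain text"

def rejected(lines, statuses=("400", "444")):
    """Return (Counter of client IPs, list of (ip, status, label)) for rejected requests."""
    hits, details = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] not in statuses:
            continue
        hits[m["ip"]] += 1
        details.append((m["ip"], m["status"], describe(unescape(m["req"]))))
    return hits, details

# Constructed sample lines (documentation-range IPs), not taken from the thread.
SAMPLE = [
    r'203.0.113.7 - - [24/Aug/2020:18:01:02 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 157 "-" "-"',
    r'203.0.113.7 - - [24/Aug/2020:18:01:09 +0000] "GET /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"',
    r'198.51.100.23 - - [24/Aug/2020:18:02:30 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03" 400 157 "-" "-"',
    r'192.0.2.10 - - [24/Aug/2020:18:03:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, details = rejected(SAMPLE)
    for ip, status, label in details:
        print(ip, status, label)
    for ip, count in hits.most_common():
        print(count, ip)
```

The per-IP counts are the input to the lookup and firewall steps described above; the labels only help decide which rejected requests are worth a closer look.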
