I have already founded this log on my reverse proxy with loggin administrator.
On my case, it's linked to test to connect to a Windows Server TSE. I compare log time and connection time on my FW and user test add more information.

Many IP are banned with this log.

On my case, isn't a dos, just a brute force.

On Mon, 21 Oct 2019 at 16:12, Andreas Pfister <andi-pfister@gmx.ch> wrote:
Hi everyone,
Today, my logfile (apache2) was full with thousands of thousands of
requests like this: - - [21/Oct/2019:14:57:33 +0200]
400 0 "-" "-"

For this reason, my mirror was not reachable much time. Sorry.

For me looks like a dos attack, but i am not sure. Anyone see this
anytime in his logfiles or have any further idea/information?

Now, i solved the problem by blocking 851 different ip's and i think now
running stable.


Andi Pfister