Favicons vs. News Explorer
Some of the readers of this site use News Explorer to get the RSS feed. Recently I found this application to trigger certain intrusion detection methods and it tripped over Nginx request limits. The reason: excessive Favicon requests.
Here’s what a respective request from News Explorer looks like:
100.200.300.1 - - [27/Jul/2020:12:08:48 +0200] "GET /favicon.png HTTP/2.0" 404 107 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) News Explorer/1.9" "-"
As you can see, I have no Favicon for this site (yet). This request is repeated
dozens of times per second, effectively behaving like a sloppily written
application — or a brain-dead scanning script. Hence the triggering of Nginx
request limits and intrusion detection. Despite returning
404 Not Found, News
Explorer continues to try repeatedly.
I contacted its vendor Betamagic and they had this to say:
Yes, News Explorer is a bit persistent in retrying to get a favicon for a RSS feed, when a 404 is returned. This should indeed be improved in a future update.
After my insisting that this was a bug that needed immediate addressing, Ron from support added the following:
I have added it to the backlog
From my point of view: just add a favicon to your server. It will solve these spikes and it will make your RSS feed look much better in most modern RSS readers.
Well, I guess that’s something. While this behavior does not violate HTTP implementation standards per se, it is generally assumed that repeatedly triggering 404 is a reliable indicator of a brute-force scanning attempt.
For now, this is to let the users of News Explorer know about a likely reason for issues with this or other sites.