The question mark separates the locations with the arguments, thus the
location itself is merely ‘/’.
If you do not have a location set explicitely for ‘/’, you probably have
default location block (‘location /’) which will serve all unmatched
locations, thus resulting in 200.
Maybe the intent of this spam is to try to trigger vulnerabilities or
default credentials on the index page in backend applications (ie CMS).
This is pure speculation.
If the spam really takes resources or annoy you very much, you might be
willing to either:
- filter out those request (blacklist approach), being careful that
could not be legitimate (as you would reduce availability, which is
very basic principles of security)
- only accept requests with specific format (white-list approach), being
careful that it might be a maintenance nightmare each and everytime you
wanna make new format of requests
- investigate the source of this spam and see if it might not be
to filter them out at a lower level (such as a firewall)
- introduce requests rate limiting to still allow every request but
their frequency and thus saving resources by sending back a built-in
error code rather than content when clients exceed rate limits
Those are just wild ideas coming in a snap.
Pick your choice or think about better ones… ;o)