Wow. I do tend to see inexplicable icon requests, but not in those numbers. Personally I ignore them on the grounds of Life’s Too Short, but if you feel up to it, you might check some of the IPs and see if there have been normal, non-icon requests in the past, or simply see if they're human, colo/server or something else.

Since you say “thousands” I assume we’re not dealing with things like FF Favicon Reloader (don't remember its exact name) that keeps your bookmarks looking pretty by fetching the site's favicon periodically.

Thanks Lucy24.
Nothing other than the icon requests per ip.
They all have User-Agents like:
com.apple.WebKit.Networking/8614.2.9.0.10+CFNetwork/1399+Darwin/22.1.0
I've blocked them on User-Agent includes CFNetwork.
Sounds like they may be coming from 'in app browsers' ?

Someone else noticed similar visits the other day here: [webmasterworld.com...]

He mentioned the UA "com.apple.WebKit.Networking/8614.3.7.0.6 CFNetwork/1402.0.8 Darwin/22.2.0" which is different but similar.

I've not seen excessive numbers, but since I don't provide anything other than favicon---the 404 is all that is listed.

Do the user-agents ever change from the original hit to the second, the third? For example, is the original hit from an iPhone, with a subsequent hit from com.apple.WebKit.Networking/(etc.)?

I agree with Lucy that your numbers are wildly excessive and puzzling.

@BeachWalker
-- For weeks I've been noticing thousands of requests for apple-touch-icon, apple-touch-icon-precompiled and favicon. --

The UA would have IPad & CriOS in it by any chance surrounding it?

Reason I ask is I just caught a few today. Not that bad though, 4 at a time for each file mentioned above. Real human requests with in(as far as I can tell).

FWIW: CriOS = Chrome mobile, re iPad and iPhone. E.g.: Mozilla/5.0 (iPhone; CPU iPhone OS 15_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/100.0.4896.77 Mobile/15E148 Safari/604.1

I have also been getting thousands of such requests. They did not appear to be bots - they seemed like a browser was left open to the page, and it kept requesting those icons over and over again - because those IPs were also making legitimate requests too, and although I had the IPs challenged on Cloudflare, the challenges were often bypassed.

The user agents are:

Client/25841 CFNetwork/1402.0.8 Darwin/22.2.0"

Their number seems to have decreased, which leads me to believe that it was maybe a browser issue/bug, and that most (but not all) people have updated their browser versions in the past few weeks.

I've been a bit puzzled by Client, with similar numbering like --

Client/25841 CFNetwork/1399 Darwin/22.1.0
Client/24234 CFNetwork/1404.0.5 Darwin/22.3.0

-- because it only appears to hit favicons after regular hits by regular UAs. But nothing in the thousands, thank goodness.

What's bothersome is when it seeks favicons in subdirectories rather than root. Plus it definitely bloopers when it appends favicon.ico after .html --

/subdir/filename.html/favicon.ico

-- which throws off all graphic paths on the page and blows up my error logs. Sloppy coding there, Client creators.

As a result, I'm blocking Client in my main subdirectories and watching it overall. Are you blocking it? Whatever's behind the hits can live without a favicon, let alone a thousand copies.

Plus it definitely bloopers when it appends favicon.ico after .html

Ooh, hadn’t noticed that. But searching raw logs for "Client (i.e. beginning of UA) the single longest string of requests I find is 30 in one day, of which 29 were for, as you say,
/complete-URL/favicon.ico
Switching to search for this visitor's IP shows that it all started with a human visit to the said URL in September, initially with a mobile UA, later changing to a desktop UA with appended “Facebot Twitterbot”. Aggregate total of several thousand requests over the following months, mostly for some version of icon, some for the originally visited page (only).
:: further side trip to headers to figure out why the page requests were blocked ::
Oh. Oops. I’d forgotten that I blocked Facebot Twitterbot. Wonder what prompted that?

There are scattered requests from other IPs for
/complete-URL/favicon.ico
but almost all are intelligently followed by
/favicon.ico
alone.

When accompanying a human visit, these Client requests for the favicon are instead of, not in addition to, the expected favicon requests using the actual human UA. This suggests that Client/blahblah has a specific job--browser addon, maybe?--but, er, it isn’t very good at it.