Because they are hunting for vulnerable devices and the requests' existence are unique to an application. Like a VoIP appliance for example.

They usually request something deep like /foo/bar/login.html as part of their reconnaissance.

I'm up to 4 pages of filter rules after the massive IP blacklist.

These assholes are also scanning every address on the IPv4 internet and hoovering up the content.

To answer your first question: No, that's the OS's job. But some clever rules could be setup for filtering invalid requests depending on your web server.