Is there a technical requirement to serve 404 responses?

You may find the answer/videos on https://security.stackexchange.com/a/150762/10843 to be relevant to your second question.

RFC 1945 is Informational (but still useful) - do you know if this is addressed in others?

Well, that RFC's pretty much the foundation block of the Web. But you can refer to RFCs 2068, 7231, 7540, ... as well. No, there's no "Internet Standard" anywhere but that's how it is.

I understand there isn't truly an official standard, but there is a difference the RFC statuses, for which [RFC 2026](https://datatracker.ietf.org/doc/html/rfc2026) was created to define, itself a "Best Current Practice" RFC (not even a standard!).

I understand that but (perhaps strangely) that's the way things are.

i agree to the terms, the standard client is awaiting the status first and then it acts respectively to the answer imho

I apologize if I'm revising my question with this comment, but what I'm looking at is the obvious garbage thrown at the server. It seems like anything that has a Host header not matching anything I'm serving should just be dropped, because analysis of the logs shows it is 100% bots and likely to do with ancient assignments of the IP address, so 404 response is pointless. At some point, a request should be considered invalid or even hostile, and 100 requests/sec bot-generated 404 garbage looks hostile, at least to me, and I'd really rather drop it, but I do prefer to follow standards.

You can respond with `400` for an invalid `Host:` header (Section 5.4 of the RFC 7239). You can rate limit requests and respond with `429`. If a client host is really hostile and generates too many 4xx errors then you can block them at IP level (`fail2ban` etc.) and drop connection (RFC 6585 Section 7.2)

I sit in a Tesla and translated this thread with Ai: