Is there anything perhaps protecting or intercepting the data on its way to the server, perhaps an Arbor device of some type of load balancer?
This type of behavior is quite common when protecting web assets to eliminate zombies and such, but its usually something you would see back to the clients, not tp the server.
Also, IIRC, the LOIC DoS tool had this ability to create random strings in the URL, and I believe it did so with 5 characters. Might want to do a packet trace and identify if this is coming from LOIC.
Technical Trainer, Juniper Networks
GPG Key ID: 0xB4C956EC