
Part of the attack is via XSS using $_GET queries that are very long. Apache defaults to accepting URLs up to 4K long which is insane and allows such attacks to happen. 255 characters is a far better lockdown with very few if any false positives.
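An added example, not part of the original comment: before lowering a length limit, the false-positive claim can be checked against existing access logs. The sketch assumes Apache common/combined log format and that the limit would be enforced with Apache's `LimitRequestLine` directive (the comment does not name one); the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Request field of an Apache common/combined log line: "METHOD URI PROTOCOL".
# LimitRequestLine applies to this whole request line, not only the URI.
REQUEST_RE = re.compile(r'"(?P<line>[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+)"')


def audit_request_lengths(log_lines, limit=255):
    """Return (parsed_total, over) where over lists (length, path)
    for every request line longer than `limit` characters."""
    total, over = 0, []
    for entry in log_lines:
        m = REQUEST_RE.search(entry)
        if not m:
            continue  # malformed entry, skip rather than guess
        total += 1
        length = len(m.group("line"))
        if length > limit:
            # Keep only the path: query strings may hold sensitive data.
            over.append((length, m.group("uri").split("?", 1)[0]))
    return total, over


def summarize(over):
    """Count over-limit requests per path so legitimate long-URL
    endpoints can be told apart from one-off noise."""
    return Counter(path for _, path in over)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /index.php?page=2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] '
    '"GET /search.php?q=' + "a" * 300 + ' HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] '
    '"GET /report.php?ids=' + ",".join(map(str, range(100))) + ' HTTP/1.1" 200 2048',
    'not a log line',
]

if __name__ == "__main__":
    total, over = audit_request_lengths(SAMPLE_LOG, limit=255)
    print(f"{len(over)} of {total} requests exceed the limit")
    for path, count in summarize(over).items():
        print(f"  {count:4d}  {path}")
```

Paths that show up repeatedly in the output with status 200 are the endpoints a lower limit would break.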

