Unintentional HTTP Proxy DDoS
But nonetheless, I'm getting a ridiculous amount of web requests which don't work. Rarely more than a few from a single IP (because they don't work), so I can't blacklist by IP or subnet.
Is there any way to have Apache just drop all requests for sites it doesn't host without acknowledging them, rather than sending an error page as it is right now?
Try setting up a lightweight web server, such as nginx, as a reverse proxy in front of Apache. You can also tell nginx to drop any requests that don't belong to one of your real sites. (Read up on "return 444".)