Blocking w00tw00t scans

on July 17, 2010 in Linux

Some websites are still being hit with the infamous “w00tw00t” scans. You might see these scans in your logs as:

... "GET / HTTP/1.1" 400 ...

Using Iptables

The quickest way to make sure such a request never reaches your web server (and so never costs you CPU, disk space for log entries, and so on) is iptables, and it can be done with a one-liner like this:

iptables -I INPUT -d <web-server-ip> -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /' -j DROP

Simply replace <web-server-ip> with the IP of your web server. If you want to use this for a range of IPs (i.e., you're using multiple IPs to host web servers), simply replace the "-d <web-server-ip>" portion with:

-m iprange --dst-range <first-ip>-<last-ip>

where <first-ip> and <last-ip> are the first and last IPs of your web servers respectively.
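As an added example (not code from the original post), the Python below parses a few constructed access-log lines, counts which sources are sending w00tw00t requests, and emulates the `-m string --to N` needle test so you can see what a given `--string` value would drop before putting it in a DROP rule. The request path `/w00tw00t.at.ISC.SANS.DFind:)` is the one this scanner is known to send; the log lines and IPs are constructed. A needle as short as `GET /` matches every request to the server, so the needle must include the scanner's own path token.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format), not taken from the original post.
# The path /w00tw00t.at.ISC.SANS.DFind:) is the request the w00tw00t scanner sends.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2010:10:01:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.4 - - [17/Jul/2010:10:01:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2010:10:02:30 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.9 - - [17/Jul/2010:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.19"
"""

# Source IP, quoted request line and status code of a combined-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')
SCAN_TOKEN = "w00tw00t"


def parse_line(line):
    """Return the fields of one log entry, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scanning_sources(log_text):
    """Count w00tw00t requests per source IP (the input you would turn into a block list)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SCAN_TOKEN in rec["req"]:
            counts[rec["ip"]] += 1
    return dict(counts)


def string_match(payload, needle, to=70):
    """Emulate `-m string --string NEEDLE --to N`: the needle must lie entirely within the
    first N bytes. iptables counts from the start of the IP packet, so on the wire the IP
    and TCP headers eat into that window; here it is applied to the request line alone."""
    return needle.encode() in payload.encode()[:to]


def rule_hits(log_text, needle, to=70):
    """Request lines a DROP rule with this needle would have matched."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and string_match(rec["req"], needle, to):
            hits.append(rec["req"])
    return hits


if __name__ == "__main__":
    print("scan sources:", scanning_sources(SAMPLE_LOG))
    print("needle 'GET /' drops", len(rule_hits(SAMPLE_LOG, "GET /")), "of 4 requests")
    print("needle 'GET /w00tw00t' drops", len(rule_hits(SAMPLE_LOG, "GET /w00tw00t")), "of 4 requests")
```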