I have a home network that contains a mixture of devices, some of which receive a...
Some web servers are still being hit by the infamous “w00tw00t” scans. You will recognise them in your access log by request lines like this one (the 400 is the server rejecting the scanner's malformed HTTP/1.1 request):
... "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 ...
The quickest way to make sure the request never reaches your web server at all (and so never costs you CPU time or log-file disk space) is to drop it in iptables. The string match module looks for the signature in the first 70 bytes of each TCP payload bound for port 80 (Boyer-Moore search, --algo bm) and drops any packet that carries it, so the request never reaches user space. It can be done with a one-liner like this:
iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
Replace xxx.xxx.xxx.xxx with the IP of your web server. If you want the rule to cover a contiguous range of IPs (i.e. you host web servers on several addresses), replace the “-d xxx.xxx.xxx.xxx” portion with:
-m iprange --dst-range start.xxx.xxx.xxx-end.xxx.xxx.xxx
where start.xxx.xxx.xxx and end.xxx.xxx.xxx are the first and last IPs of your web servers respectively. Two things to keep in mind: the rule is inserted with -I so that it sits at the top of the INPUT chain, ahead of any “ESTABLISHED,RELATED → ACCEPT” rule that would otherwise pass the payload packet before the string match is ever evaluated; and it only works on plaintext HTTP, because the signature cannot be seen inside a TLS connection on port 443. You can confirm the rule is catching scans by watching its packet counter grow in the output of iptables -L INPUT -v -n.
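The following shell script is an added example and not part of the original post. It wraps the one-liner above in a function that emits the rule for either a single web server or a range (printing it for review rather than running it as root), and adds a small log-scanning function that counts w00tw00t hits per source address, which is a quick way to see whether the scans are frequent enough to be worth a firewall rule. The access-log lines it uses are constructed for illustration, in the combined log format shown in the post; the function names and the 192.0.2.x/198.51.100.x/203.0.113.x addresses are the example's own.

```shell
#!/bin/sh
# Added example, not the original author's code. Builds the w00tw00t DROP rule
# and counts scan hits per source in an access log.

# Signature matched by the iptables string module (same string as the post).
PATTERN='GET /w00tw00t.at.ISC.SANS.'

# w00tw00t_rule <ip>            -> rule protecting a single web server
# w00tw00t_rule <first> <last>  -> rule protecting a contiguous IP range
# Prints the iptables command instead of executing it, so it can be reviewed
# and then run with root privileges.
w00tw00t_rule() {
    if [ "$#" -eq 1 ]; then
        dst="-d $1"
    elif [ "$#" -eq 2 ]; then
        dst="-m iprange --dst-range $1-$2"
    else
        echo "usage: w00tw00t_rule <ip> | <first-ip> <last-ip>" >&2
        return 1
    fi
    # -I INPUT inserts at the top of the chain, ahead of any
    # ESTABLISHED,RELATED accept rule that would otherwise let the
    # payload packet through before the string match is evaluated.
    printf "iptables -I INPUT %s -p tcp --dport 80 -m string --to 70 --algo bm --string '%s' -j DROP\n" \
        "$dst" "$PATTERN"
}

# count_w00tw00t <logfile> -> one "count ip" line per scanning source,
# most active first. Uses a fixed-string grep, so the dots in the
# signature are not treated as regex wildcards.
count_w00tw00t() {
    grep -F "$PATTERN" "$1" | awk '{print $1}' | sort | uniq -c \
        | sort -rn | awk '{print $1, $2}'
}

# Constructed sample access log (not real traffic): two scanners, one
# of them hitting twice, plus one ordinary request that must be ignored.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Mar/2012:04:12:33 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301 "-" "-"
198.51.100.7 - - [10/Mar/2012:04:12:40 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:05:01:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301 "-" "-"
192.0.2.44 - - [10/Mar/2012:06:20:11 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301 "-" "-"
EOF
}

# Demonstration on the constructed log: prints the per-source counts and
# the two rule variants. Nothing here touches the firewall.
log=$(mktemp)
sample_log > "$log"
count_w00tw00t "$log"
w00tw00t_rule 192.0.2.10
w00tw00t_rule 192.0.2.10 192.0.2.20
rm -f "$log"
```

Run the printed command with root privileges once you are happy with it, then check that the packet counter on the new rule increases over time with iptables -L INPUT -v -n. Point count_w00tw00t at your real access log to see which sources are responsible.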