Using iptables to reject w00tw00t.at.ISC.SANS.DFind scanners
Hello people,
I recently found thousands of “w00tw00t.at.ISC.SANS.DFind” requests in my Apache log, coming from all parts of the world.
I’ve been searching for solutions to remove their hits because they consume resources on my servers and they don’t help when computing my visitor stats…
1) Apache mod_security
There are many different ways to remove those hits; the first method I found was to use “mod_security” with Apache and create specific rules in it.
The only problem is that it forces Apache to filter every request, and that doesn’t look (to me) like fast processing for my web server…
(If you have additional benchmark info on it, I’m interested)
2) Fail2Ban
Fail2Ban is a tool that watches your logs periodically and creates iptables rules to deny evil users connecting to your site.
The only problem with it is that it bans the IP AFTER the w00tw00t request has been made.
3) Iptables
Iptables is a Linux netfilter tool that helps administrators build a software firewall.
It’s probably the most advanced firewall module of all time!
I recently found a match option that allows filtering requests by checking / reading the packet’s content.
In our “w00tw00t.at.ISC.SANS.DFind” case, we want to make sure those requests never reach our Apache web server.
Here is the command that I use to disallow them:
root@server:~# iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
Basically, it inspects the first 70 bytes of each packet sent to port 80 and drops any packet that contains the HTTP request line “GET /w00tw00t.at.ISC.SANS.”.
The following command displays statistics on our iptables rules, so you can check that they are working properly.
root@server:~# iptables -L INPUT -nvx
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      82       8249 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70
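The rule and the counter check from the post, wrapped in a small POSIX sh script as an added example (not from the original post). It inserts the rule only if it is not already present (this assumes an iptables build that supports the -C check flag) and parses the -nvx output to read the DROP counter; the sample output embedded below is constructed from the shape shown above.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumes iptables with the -C (check) flag; "apply" mode must run as root.

PATTERN='GET /w00tw00t.at.ISC.SANS.'

# The --to limit must cover the whole pattern, otherwise the match can
# never fire. Returns 0 (true) when the pattern fits in the first $1 bytes.
# ${#pat} counts characters, which equals bytes for this ASCII pattern.
pattern_fits() {
  to="$1"; pat="$2"
  [ "${#pat}" -le "$to" ]
}

# Runs iptables with the rule from the post; $1 selects the action
# (-C check, -I insert, -D delete) so the rule text lives in one place.
# Note: the string match looks at each packet on its own, and only at the
# first 70 bytes, which is enough for the request line of these scans.
iptables_rule() {
  iptables "$1" INPUT -p tcp --dport 80 -m string --to 70 --algo bm \
    --string "$PATTERN" -j DROP
}

# Idempotent install: safe to call from cron or a boot script.
apply_rule() {
  if iptables_rule -C 2>/dev/null; then
    echo "rule already present"
  else
    iptables_rule -I
  fi
}

# Reads 'iptables -L INPUT -nvx' output on stdin and prints the packet
# counter of the DROP rule carrying the given pattern (0 if absent).
dropped_count() {
  awk -v pat="$1" \
    '$3 == "DROP" && index($0, "STRING match \"" pat "\"") { print $1; found = 1 }
     END { if (!found) print 0 }'
}

# Constructed sample output (same layout as the post's real output).
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      82       8249 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70'

if [ "${1:-}" = "apply" ]; then
  apply_rule && iptables -L INPUT -nvx | dropped_count "$PATTERN"
else
  printf '%s\n' "$SAMPLE" | dropped_count "$PATTERN"   # prints 82
fi
```

Run it with `apply` as root to install the rule and print the live counter; without arguments it only parses the constructed sample.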
Enjoy !
Hi there… very good description! You’re the first on Google… that means something… had the same problem as you… but question: where do you think this “w00tw00t.at.ISC.SANS.DFind” is coming from? There is no IP etc. in my log…
Kind regards from Switzerland…
Hi,
Actually, those requests can come from anywhere in the world.
They are made by security scanners that look for Apache versions / configurations to know if there are bugs to exploit in them.
Thanks Pierre – nice neat solution.