After analyzing multiple server logs, I've identified that w00tw00t attacks typically manifest through malformed HTTP requests attempting to exploit known vulnerabilities. These requests often omit the required Host header while containing distinctive URIs like:
GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1
While ModSecurity (mod_security2) is powerful, its syntax has evolved. The older SecFilterSelective directives won't work in newer versions. Here's the correct modern approach using SecRule:
SecRule REQUEST_URI "@contains w00tw00t.at.ISC.SANS.DFind" \
"id:1000,\
phase:1,\
deny,\
status:403,\
msg:'w00tw00t attack detected',\
logdata:'Matched %{MATCHED_VAR}'"
For more comprehensive protection, implement these additional rules:
# Block requests missing Host header
SecRule &REQUEST_HEADERS:Host "@eq 0" \
"id:1001,\
phase:1,\
deny,\
status:400,\
msg:'Host header missing'"
# Detect suspicious URI patterns
SecRule REQUEST_URI "@rx w00tw00t" \
"id:1002,\
phase:1,\
deny,\
status:403,\
msg:'Potential scanner detected'"
Instead of completely blocking these attempts (which may consume resources), consider implementing custom log filtering:
# In httpd.conf
ErrorLogFormat "[%{u}t] [%-m:%l] %F: %E: [client %a] %M"
CustomLog logs/access_log combined env=!no_log
SetEnvIfNoCase Request_URI "w00tw00t" no_log
For high-traffic servers, optimize your rule execution:
- Place most specific rules first
- Use @pm instead of @rx for static strings
- Limit phase 2 rules when possible
# Optimized version
SecRule REQUEST_URI "@pm w00tw00t" \
"id:1003,\
phase:1,\
t:none,\
deny"
For persistent attacks, consider these additional measures:
# IPTables temporary block
iptables -A INPUT -p tcp --dport 80 -m string --string "w00tw00t" --algo bm -j DROP
# Fail2Ban configuration
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
logpath = /var/log/apache2/error.log
maxretry = 1
bantime = 86400
The logs clearly show a characteristic pattern of requests to /w00tw00t.at.ISC.SANS.DFind:) with missing Host headers. These are reconnaissance probes from vulnerability scanners (like DFind) checking for web server weaknesses. The HTTP 400 errors indicate your server correctly rejects malformed requests, but the noise pollutes your logs.
For ModSecurity 2.x, use these rules in your configuration:
# Core rule to block the attack pattern
SecRule REQUEST_URI "@contains w00tw00t.at.ISC.SANS.DFind" \
"id:1000,phase:1,deny,status:403,msg:'DFind scanner detected'"
# Catch variations with different encodings
SecRule REQUEST_URI "@rx w00tw00t\.at\.ISC\.SANS" \
"id:1001,phase:1,deny,status:403,msg:'SANS scanner pattern detected'"
# Block requests missing Host header (RFC compliance)
SecRule &REQUEST_HEADERS:Host "@eq 0" \
"id:1002,phase:1,deny,status:400,msg:'Missing Host header'"
For persistent offenders, implement dynamic blocking:
# Create a dedicated chain
iptables -N W00TW00T_DEFENSE
# Add to your INPUT chain
iptables -A INPUT -p tcp --dport 80 -j W00TW00T_DEFENSE
# Dynamic blocking rule (adjust threshold as needed)
iptables -A W00TW00T_DEFENSE -m recent --name w00t_attackers \
--update --seconds 86400 --hitcount 5 -j DROP
Implement log filtering in Apache to reduce noise:
# In httpd.conf or virtual host
ErrorLogFormat "[%t] [%l] %M"
CustomLog logs/access_log combined env=!no_log
SetEnvIfNoCase Request_URI w00tw00t no_log
SetEnvIf Request_Line "HTTP/1.1" bad_proto=1
SetEnvIf bad_proto 1 no_log
Create a custom filter for Fail2Ban:
# /etc/fail2ban/filter.d/apache-w00t.conf
[Definition]
failregex = ^<HOST>.*"(GET|POST).*w00tw00t
^<HOST>.*HTTP/1\.1 request without hostname.*w00tw00t
ignoreregex =
When implementing these measures:
- ModSecurity rules add ~2-5ms per request processing time
- IPTables dynamic blocking consumes minimal resources
- Log filtering reduces disk I/O by 20-40% for targeted attacks
For enterprise environments, consider:
- Cloudflare/WAF integration for pattern blocking
- SIEM integration for attack correlation
- Rate limiting via mod_ratelimit