Block the DFind scanner

DFind is a vulnerability scanner, and a real pain in the *** one, as it pollutes your Apache access log with lines such as this:

84.145.78.74 [16/Oct/2008:18:12:34] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400

How to get rid of this junk?
The Apache return code is 400, which means the request itself is malformed. Looking in the error log we see why:

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23)

The probe is an HTTP/1.1 request with no Host header, so Apache rejects it as invalid before any rewrite rule or mod_security pattern gets a chance to run; trying to block it at that level is useless.

The best solution is to drop it before it reaches the HTTP server at all, using iptables, like this:

iptables -I INPUT -d <server_ip> -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Replace <server_ip> with the address of your web server (or drop the -d option to match on every local address). The rule needs the xt_string kernel module; --algo bm selects the Boyer-Moore search and --to 70 stops searching after the first 70 bytes of each packet, which is enough because the signature sits at the very start of the request. You can confirm the rule is firing with the packet counters from iptables -L INPUT -v -n.
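As an added example, not part of the original post, here is a small shell script that pulls the DFind probes out of an Apache access log, so you can see which hosts are scanning you and, after inserting the iptables rule, confirm that the noise has stopped. The log lines are constructed samples, not a real log.

```shell
#!/bin/sh
# Added example: detect DFind probes in an Apache access log.
# SAMPLE_LOG is a constructed stand-in for /var/log/apache2/access.log.
SAMPLE_LOG='84.145.78.74 - - [16/Oct/2008:18:12:34 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
192.0.2.10 - - [16/Oct/2008:18:13:01 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
84.145.78.74 - - [16/Oct/2008:18:14:07 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.7 - - [16/Oct/2008:18:20:55 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"'

# The same fixed string the iptables rule matches on, so log counts and
# firewall counters refer to the same thing.
DFIND_SIG='w00tw00t.at.ISC.SANS.'

# dfind_count: number of probe lines read from stdin.
dfind_count() {
  grep -cF "$DFIND_SIG"
}

# dfind_sources: one "count ip" line per probing client, busiest first.
dfind_sources() {
  grep -F "$DFIND_SIG" \
    | awk '{print $1}' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# dfind_unique_sources: how many distinct clients sent the probe.
dfind_unique_sources() {
  dfind_sources | wc -l | tr -d ' '
}

# Stand-alone usage: run against the constructed sample.
# Replace the printf with: cat /var/log/apache2/access.log | dfind_sources
printf '%s\n' "$SAMPLE_LOG" | dfind_sources
```

Once the iptables rule is in place, the count from dfind_count on new log lines should stay at zero while the rule's packet counter in iptables -L INPUT -v -n keeps growing.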