Log4j mitigation

A Crisan alina.florar at gmail.com
Mon Dec 13 13:58:58 UTC 2021


Hi all,

I guess what Jörg is suggesting is that beyond this particular incident, a
preventive testing/mitigation methodology would make for a great NANOG2022
presentation/workshop.

Cheers,
Dora

On Mon, Dec 13, 2021 at 2:33 PM Jean St-Laurent via NANOG <nanog at nanog.org>
wrote:

> I agree,
>
> As an example that backs what you're saying, I pasted the IP provided by
> Jörg in my browser.
>
> http://45.83.64.1/
>
> Here is the html page returned.
>
> <html>
> ...
> Research Scanning Project
>
> This is a scanner of a research scanning project.
>
> If you want to exclude your IPs from scans, please send an e-mail to
> exclude at alphastrike.io.
>
> Thank you for your appreciation!
> ...
> </html>
>
> This ip scanner is in Germany and it looks legit, but a better
> investigation is recommended.
>
> The second host provided looks more suspicious.
>
> blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com resolves to
> 104.248.51.21, which is hosted on DigitalOcean.
>
> Here is the html output:
>
> <html>
> ...
> Interactsh Server
> Interactsh is an open-source solution for out-of-band data extraction. It
> is a tool designed to detect bugs that cause external interactions. These
> bugs include, Blind SQLi, Blind CMDi, SSRF, etc.
>
> If you find communications or exchanges with the interactsh.com server in
> your logs, it is possible that someone has been testing your applications.
>
> You should review the time when these interactions were initiated to
> identify the person responsible for this testing.
>
> ...
> </html>
>
> First, it's important to gain visibility and filter the good from the
> bad.
>
> The first ip looks legit. The second could be reported to DigitalOcean for
> investigation. They usually investigate very fast.
>
> You can check for weird network flow patterns. You can also look for that
> suspicious html file that is crawling on http in clear text on your gear.
>
> At the ISP level, visibility is a must and patterns will clearly become easy
> to identify.
>
> I agree with Karl that perfection is the enemy of good.
>
> Jean
>
> -----Original Message-----
> From: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> On Behalf Of Karl
> Auer
> Sent: December 13, 2021 7:55 AM
> To: NANOG List <nanog at nanog.org>
> Subject: Re: Log4j mitigation
>
> On Mon, 2021-12-13 at 06:35 -0600, Joe Greco wrote:
> > Just because there are other sources of fatalities, doesn't mean you
> > can't check for the quick obvious stuff.
>
> Indeed.
>
> One check, even an inadequate one, is better than no checks at all. And
> over time you can add more checks or improve the ones you have.
>
> Don't let "perfect" be the enemy of "good".
>
> Regards, K.
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Karl Auer (kauer at biplane.com.au)
> http://www.biplane.com.au/kauer
>
> GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
> Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
>
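Jean's advice above is to look in your own logs for interactions with the interactsh.com out-of-band server and to review when they started. The script below is an added example, not something posted in the thread: it scans constructed resolver-query and outbound-proxy log lines (the log format, the internal client addresses and the hostnames other than the interactsh.com name quoted in the thread are assumptions) and reports the earliest OOB interaction per internal client, which is the starting point for the review Jean describes.

```python
import re
from datetime import datetime

# Domains whose appearance in outbound DNS/HTTP logs indicates an out-of-band
# callback from a scanner or tester. interactsh.com is the one named in the thread.
OOB_DOMAINS = ("interactsh.com",)

# Constructed sample lines: a resolver query log and an outbound proxy log.
# The line format, internal 10.x addresses and example.* names are assumptions.
SAMPLE_LOGS = """\
2021-12-13T12:01:05Z dns client=10.1.2.3 query=www.example.org type=A
2021-12-13T12:02:17Z dns client=10.1.2.3 query=blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com type=A
2021-12-13T12:02:18Z proxy client=10.1.2.3 dst=104.248.51.21 host=blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com method=GET
2021-12-13T12:05:40Z dns client=10.1.9.9 query=mirror.example.net type=AAAA
2021-12-13T12:07:02Z proxy client=10.1.9.9 dst=203.0.113.7 host=updates.example.net method=GET
2021-12-13T12:09:55Z dns client=10.1.9.9 query=x.interactsh.com type=A
"""

# Both log kinds carry a timestamp, the internal client and a queried/contacted name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>dns|proxy) client=(?P<client>\S+) .*?(?:query|host)=(?P<name>\S+)"
)

def is_oob_domain(name):
    """True when name is an OOB domain or a subdomain of one (suffix match on a label boundary)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in OOB_DOMAINS)

def find_oob_interactions(log_text):
    """Return (timestamp, client, name) for every log line that touches an OOB domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_oob_domain(m.group("name")):
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            hits.append((ts, m.group("client"), m.group("name").lower()))
    return hits

def first_seen_by_client(hits):
    """Earliest OOB interaction per internal client: where the log review should start."""
    first = {}
    for ts, client, _ in hits:
        if client not in first or ts < first[client]:
            first[client] = ts
    return first

if __name__ == "__main__":
    hits = find_oob_interactions(SAMPLE_LOGS)
    for client, ts in sorted(first_seen_by_client(hits).items()):
        print(f"{client}: first interactsh.com interaction at {ts.isoformat()}Z")
```

Point the same two functions at real resolver and proxy exports by adapting LINE_RE to their format; the suffix match deliberately ignores lookalike names such as interactsh.com.example.org.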

