Hi all, I guess what Jorg is suggesting is that beyond this particular incident, a preventive testing/mitigation methodology would make for a great NANOG2022 presentation/workshop. Cheers, Dora

On Mon, Dec 13, 2021 at 2:33 PM Jean St-Laurent via NANOG <nanog@nanog.org> wrote:
I agree,
As an example that backs what you're saying, I pasted the IP provided by Jörg in my browser.
Here is the html page returned.
<html> ... Research Scanning Project
This is a scanner of a research scanning project.
If you want to exclude your IPs from scans, please send an e-mail to exclude@alphastrike.io.
Thank you for your appreciation! ... </html>
This IP scanner is in Germany and it looks legit, but a better investigation is recommended.
The second host provided looks more suspicious.
blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com resolves to 104.248.51.21, which is hosted on DigitalOcean.
Here is the html output:
<html> ... Interactsh Server Interactsh is an open-source solution for out-of-band data extraction. It is a tool designed to detect bugs that cause external interactions. These bugs include, Blind SQLi, Blind CMDi, SSRF, etc.
If you find communications or exchanges with the interactsh.com server in your logs, it is possible that someone has been testing your applications.
You should review the time when these interactions were initiated to identify the person responsible for this testing.
... </html>
First, it's important to gain visibility and filter the good from the bad.
The first IP looks legit. The second could be reported to DigitalOcean for investigation. They usually investigate very fast.
You can check for weird network flow patterns. You can also look for that suspicious HTML file that is crawling over HTTP in clear text on your gear.
At ISP level, visibility is a must and patterns will clearly become easy to identify.
I agree with Karl that perfection is the enemy of good.
Jean
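Jean's advice above (check logs for interactions with interactsh.com hosts and review when they were initiated) as an added Python example; this is not code from the thread or from the Interactsh project. The log formats, the constructed sample lines and the 60-second correlation window are assumptions; the domain and the 104.248.51.21 address are the ones quoted in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Indicators from the thread: interactsh.com callback names and the DigitalOcean
# address Jean saw one of them resolve to.
OOB_DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.interactsh\.com", re.IGNORECASE)
OOB_IPS = {"104.248.51.21"}
# Combined-format web access log, and a minimal DNS query log ("ts client qname answer").
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" \d+ \d+ "([^"]*)" "([^"]*)"$')
DNS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2021:09:12:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2021:09:14:02 +0000] "GET / HTTP/1.1" 200 512 '
    '"http://blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/" "Mozilla/5.0"',
    "2021-12-13T09:14:03Z 10.0.0.12 blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com 104.248.51.21",
    "2021-12-13T09:15:10Z 10.0.0.12 www.example.com 93.184.216.34",
    '203.0.113.9 - - [13/Dec/2021:09:20:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.79"',
]

def find_indicators(lines):
    """Time-ordered hits: inbound requests naming an interactsh host, and outbound
    DNS lookups for such a name or answered with a listed IP."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            client, ts, request, referer, ua = m.groups()
            if OOB_DOMAIN_RE.search(" ".join((request, referer, ua))):
                when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
                hits.append({"time": when, "kind": "inbound", "host": client, "line": line})
            continue
        m = DNS_RE.match(line)
        if m:
            ts, client, qname, answer = m.groups()
            if OOB_DOMAIN_RE.search(qname) or answer in OOB_IPS:
                when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
                hits.append({"time": when, "kind": "outbound", "host": client, "line": line})
    return sorted(hits, key=lambda h: h["time"])

def correlate(hits, window=timedelta(seconds=60)):
    """Pair each outbound callback with the inbound requests seen shortly before it:
    the review Jean recommends, to see who sent the probe and when."""
    pairs = []
    for out in (h for h in hits if h["kind"] == "outbound"):
        triggers = [h["host"] for h in hits if h["kind"] == "inbound"
                    and out["time"] - window <= h["time"] <= out["time"]]
        pairs.append((out["time"].isoformat(), out["host"], triggers))
    return pairs
```

Run it over real access and resolver logs by feeding `find_indicators` the lines of both files together; each pair names the internal host that called out, the time, and the external addresses that probed it just before.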
-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me@nanog.org> On Behalf Of Karl Auer
Sent: December 13, 2021 7:55 AM
To: NANOG List <nanog@nanog.org>
Subject: Re: Log4j mitigation
On Mon, 2021-12-13 at 06:35 -0600, Joe Greco wrote:
Just because there are other sources of fatalities, doesn't mean you can't check for the quick obvious stuff.
Indeed.
One check, even an inadequate one, is better than no checks at all. And over time you can add more checks or improve the ones you have.
Don't let "perfect" be the enemy of "good".
Regards, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@biplane.com.au) http://www.biplane.com.au/kauer
GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58 Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170