Hi all, I guess what Jorg is suggesting is that beyond this particular incident, a preventive testing/mitigation methodology would make for a great NANOG2022 presentation/workshop.
Cheers,
Dora

On Mon, Dec 13, 2021 at 2:33 PM Jean St-Laurent via NANOG <nanog@nanog.org> wrote:
> I agree,
>
> As an example that backs what you're saying, I pasted the IP provided by
> Jörg in my browser.
>
> http://45.83.64.1/
>
> Here is the HTML page returned.
>
> <html>
> ...
> Research Scanning Project
>
> This is a scanner of a research scanning project.
>
> If you want to exclude your IPs from scans, please send an e-mail to
> excl...@alphastrike.io.
>
> Thank you for your appreciation!
> ...
> </html>
>
> This IP scanner is in Germany and it looks legit, but a better
> investigation is recommended.
>
> The second host provided looks more suspicious.
>
> blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com resolves to
> 104.248.51.21, which is hosted on DigitalOcean.
>
> Here is the HTML output:
>
> <html>
> ...
> Interactsh Server
> Interactsh is an open-source solution for out-of-band data extraction. It
> is a tool designed to detect bugs that cause external interactions. These
> bugs include Blind SQLi, Blind CMDi, SSRF, etc.
>
> If you find communications or exchanges with the interactsh.com server in
> your logs, it is possible that someone has been testing your applications.
>
> You should review the time when these interactions were initiated to
> identify the person responsible for this testing.
>
> ...
> </html>
>
> First, it's important to gain visibility and filter the good from the
> bad.
>
> The first IP looks legit. The second could be reported to DigitalOcean for
> investigation. They usually investigate very fast.
>
> You can check for weird network flow patterns. You can also look for that
> suspicious HTML file that is crawling over HTTP in clear text on your gear.
>
> At ISP level, visibility is a must, and patterns will clearly become easy
> to identify.
>
> I agree with Karl that perfection is the enemy of good.
>
> Jean
>
> -----Original Message-----
> From: NANOG <nanog-bounces+jean=ddostest...@nanog.org> On Behalf Of Karl Auer
> Sent: December 13, 2021 7:55 AM
> To: NANOG List <nanog@nanog.org>
> Subject: Re: Log4j mitigation
>
> On Mon, 2021-12-13 at 06:35 -0600, Joe Greco wrote:
> > Just because there are other sources of fatalities, doesn't mean you
> > can't check for the quick obvious stuff.
>
> Indeed.
>
> One check, even an inadequate one, is better than no checks at all. And
> over time you can add more checks or improve the ones you have.
>
> Don't let "perfect" be the enemy of "good".
>
> Regards, K.
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
>
> GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
> Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
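Jean's advice above amounts to a small detection job: look in your logs for lookups of or connections to interactsh.com (and for the hosts he fetched), then record when each internal source first triggered one so you can review that time window. The script below is an added example written for this thread, not code posted by anyone in it. The log line format (ISO timestamp, record type "dns" or "flow", internal source, target) and the sample lines are constructed for the example; the indicators themselves (interactsh.com, 45.83.64.1, 104.248.51.21) are the ones quoted in the thread.

```python
"""Flag out-of-band callback indicators in constructed log lines.

Added example, not part of the NANOG thread. It applies Jean's advice:
look for interactions with interactsh.com (and the two hosts he looked
up) and note when each internal source first triggered them.
"""
import re
from collections import OrderedDict

# Indicators taken from the thread. 45.83.64.1 presented itself as a
# research scanner; 104.248.51.21 is what the interactsh.com name resolved to.
INTERACTSH_DOMAIN = re.compile(r"(?:^|\.)interactsh\.com$", re.IGNORECASE)
KNOWN_HOSTS = {
    "45.83.64.1": "alphastrike research scanner (self-described)",
    "104.248.51.21": "interactsh.com server (DigitalOcean)",
}

# Constructed sample log (assumed format: "<ISO time> <dns|flow> <src> <target>").
# "dns" lines are resolver queries, "flow" lines are outbound connections.
# Invented for this example, not captured data. Lines are in time order.
SAMPLE_LOG = """\
2021-12-13T09:14:02Z dns 10.0.0.17 blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com
2021-12-13T09:14:03Z flow 10.0.0.17 104.248.51.21:80
2021-12-13T09:20:41Z dns 10.0.0.23 www.example.com
2021-12-13T09:31:10Z flow 10.0.0.17 45.83.64.1:443
2021-12-13T10:02:55Z dns 10.0.0.9 c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com
2021-12-13T10:02:55Z dns 10.0.0.9 notinteractsh.com
"""

LINE_RE = re.compile(r"^(\S+) (dns|flow) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, kind, src, target) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def classify(kind, target):
    """Return a short indicator label, or None when the line is benign.

    The domain check anchors on a label boundary so that a lookalike such
    as notinteractsh.com is not flagged.
    """
    if kind == "dns" and INTERACTSH_DOMAIN.search(target):
        return "interactsh callback (DNS)"
    if kind == "flow":
        ip = target.rsplit(":", 1)[0]  # strip the port
        if ip in KNOWN_HOSTS:
            return KNOWN_HOSTS[ip]
    return None


def first_seen(log_text):
    """Map each internal source to when it first hit an indicator and which ones.

    Because the log is assumed chronological, the first hit per source is the
    earliest, which is the time Jean suggests reviewing.
    """
    hits = OrderedDict()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        ts, kind, src, target = parsed
        label = classify(kind, target)
        if not label:
            continue
        entry = hits.setdefault(src, {"first_seen": ts, "indicators": []})
        entry["indicators"].append(label)
    return hits


if __name__ == "__main__":
    for src, info in first_seen(SAMPLE_LOG).items():
        print(f"{src}: first seen {info['first_seen']}, "
              f"{len(info['indicators'])} hit(s): {', '.join(info['indicators'])}")
```

Run against the sample, 10.0.0.17 is reported first (09:14:02Z, three hits: the DNS callback, the flow to the interactsh server, and the flow to the scanner), 10.0.0.9 once, and 10.0.0.23 not at all; the lookalike domain is correctly ignored. For real use, swap the constructed parser for whatever your resolver and flow exporter actually emit, and feed the first-seen times back into the application logs from that window, which is where the actual test request will be.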