QUICK REVIEW

[Paper Review] A Longitudinal Measurement Study of Log4Shell Exploitation from an Active Network Telescope

Aakash Singh, Kuldeep Singh Yadav|arXiv (Cornell University)|Jan 7, 2026
Software System Performance and Reliability | Citations: 0
One-line summary

TL;DR: This paper presents a multi-year longitudinal study of Log4Shell-related traffic observed from an active network telescope in India, revealing long-term exploitation persistence, regional differences, and infrastructure dynamics from 2021 to 2025.

ABSTRACT

The disclosure of the Log4Shell vulnerability in December 2021 led to an unprecedented wave of global scanning and exploitation activity. A recent study provided important initial insights, but was largely limited in duration and geography, focusing primarily on European and U.S. network telescope deployments and covering the immediate aftermath of disclosure. As a result, the longer-term evolution of exploitation behavior and its regional characteristics has remained insufficiently understood. In this paper, we present a longitudinal measurement study of Log4Shell-related traffic observed between December 2021 and October 2025 by an active network telescope deployed in India. This vantage point enables examination of sustained exploitation dynamics beyond the initial outbreak phase, including changes in scanning breadth, infrastructure reuse, payload construction, and destination targeting. Our analysis reveals that Log4Shell exploitation persists for several years after disclosure, with activity gradually concentrating around a smaller set of recurring scanner and callback infrastructures, accompanied by an increase in payload obfuscation and shifts in protocol and port usage. A comparative analysis and observations with the benchmark study validate both correlated temporal trends and systematic differences attributable to vantage point placement and coverage. Subsequently, these results demonstrate that Log4Shell remains active well beyond its initial disclosure period, underscoring the value of long-term, geographically diverse measurement for understanding the full lifecycle of critical software vulnerabilities.

Motivation and Goals

  • Characterize long-term evolution of Log4Shell scanning and exploitation beyond the initial disclosure window.
  • Analyze geographic origins of scanning and the referencing of callback infrastructure.
  • Study how backend hosting resources are selected, reused, and evolve over time.
  • Examine payload transformations, obfuscation trends, and protocol/port usage shifts.
  • Compare regional observations with earlier European/North American vantage points to identify systematic differences.

Proposed Method

  • Deploy and operate a /24 IPv4 network telescope in India to capture unsolicited inbound traffic.
  • Develop a multi-stage data processing pipeline including TCP stream reassembly, payload normalization, and multi-layer decoding to recover exploit artefacts.
  • Apply hierarchical Log4Shell detection signatures on decoded payloads, including obfuscated variants of ${jndi:...} patterns.
  • Aggregate decoded payloads daily with enriched metadata (source country, ports, callback endpoints) for temporal analysis.
  • Analyze temporal trends, geographic distribution of scanners, and hosting infrastructure across 2021–2025.
Figure 1 : Extended timeline of Log4j vulnerability, its exploitation and countermeasures.

Experimental Results

Research Questions

  • RQ1: What is the long-term trajectory of Log4Shell scanning and exploitation beyond the initial outbreak phase?
  • RQ2: How do scanner origins and callback infrastructure geographically evolve over time?
  • RQ3: How do payloads evolve in terms of obfuscation, transport protocols, and port usage?
  • RQ4: What patterns emerge when comparing Indian vantage points to prior European/North American studies?
  • RQ5: How does backend infrastructure hosting shift and consolidate over multiple years?

Main Findings

  • Exploitation activity persists for several years after disclosure, with increasing payload obfuscation and shifts in protocol/port usage.
  • Scanning origins evolve from concentrated early sources (US, Germany, Argentina, China) to Europe-dominant activity and a few high-volume sources by ASN in later years.
  • Callback infrastructure becomes more diverse early on but concentrates over time, with US and EU hosting increasing in 2022–2024 and Hong Kong dominating by 2025.
  • Port usage remains HTTP-focused but migrates from 80/8080 to a broader set in the 8080–8085 range from 2023 onward.
  • Unique ASNs involved in scanning continue to rise, indicating expanding reach of Log4Shell scanning well into 2025.
  • Payload analysis shows direct jndi lookups were prevalent early, but obfuscated variants become dominant from late 2021 onward.
Figure 2 : Scanner countries share


This review was generated by AI and checked by a human editor.