Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Norikra defends web service

FUJIWARA Shunichiro
June 03, 2015
Technology
6
9.1k

Norikra defends web service

Norikra meetup #2

FUJIWARA Shunichiro

June 03, 2015
Tweet

More Decks by FUJIWARA Shunichiro

See All by FUJIWARA Shunichiro
ISUCON作問入門/ ISUCON Summer Fes 2023
fujiwara3
1
1.2k
隙間家具職人が考えること/ecspresso meetup
fujiwara3
4
1.8k
MackerelとGrafana OnCallを連携してみた
fujiwara3
0
850
Amazon ECS デプロイツール ecspresso 開発5年の歩み
fujiwara3
15
3k
k6による負荷試験 入門から実践まで
fujiwara3
8
3.4k
SRE不在のチームに入って2ヶ月でやったこと - 負荷試験ツールからはじめるSREプラクティスの導入
fujiwara3
11
4.1k
ISUCON運営を支えるAmazon ECSとAurora Serverless v2 / AWS Dev Day 2022 Japan
fujiwara3
5
1.1k
1年間のポストモーテム運用とそこから生まれたツール sre-advisor / SRE NEXT 2022
fujiwara3
6
12k
気軽に始めるGraviton2マネージドサービスによるコスト最適化 / Amazon Game Tech Night #23
fujiwara3
4
2k

Other Decks in Technology

See All in Technology
Introduction to mcl-wasm
herumi
1
290
LINE 平台與開發生態系介紹
line_developers_tw
PRO
0
230
テスト文化の成熟:自動テストが浸透した組織が次に目指すべきステップ
igsr5
4
630
Designing an Incident Response Process at Scale
opeonikute
0
140
PHPからはじめるコンピュータア ーキテクチャ / PHP Meets Silicon: A Fun Dive into Computer Structures
tomzoh
3
180
Beyond the Baseline: Horizons for Cloud Security Programs
ramimac
0
140
Terraformでニフクラにリモート開発環境を自動構築した話
devops_vtj
0
250
フロントエンドの開発生産性とは
yosuke_furukawa
PRO
11
5.1k
[PHPカンファレンス沖縄2023]【実践編】良いプロダクト作りのための組織育成 健全なコードは健全な組織、健全なチームから
ikezoemakoto
0
180
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
0
330
hacomonoポストモーテムの取り組み(2023/09)
hacomono
1
490
SRE成熟度評価におけるポストモーテムLv.3ガイドライン
shotatsuge
7
1.2k

Featured

See All Featured
How GitHub (no longer) Works
holman
299
140k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.2k
Happy Clients
brianwarren
92
6k
Designing with Data
zakiwarfel
93
4.5k
Code Review Best Practice
trishagee
53
13k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6.1k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
Documentation Writing (for coders)
carmenintech
54
3.3k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.2k
What's new in Ruby 2.0
geeforr
336
30k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
2.3k

Transcript

  1. Norikra defends web
    service
    Norikra meetup #2
    2015.06.03 @fujiwara

    View Slide

  2. Fujiwara Shunichiro (@fujiwara)
    KAYAC Inc.

    View Slide

  3. Norikra in a web service
    A community web service.
    • Realtime log analysis
    • HTTP status code, response time
    • worker logs
    • Switched from fluent-plugin-(datacounter|numeric-monitor)
    • Peak 10,000~ msgs/sec

    View Slide

  4. Norikra in a web service

    View Slide

  5. Norikra in a web service
    EC2 : r3.xlarge (4core 30GB mem)
    norikra start \
    -Xmx23012m \
    --small \
    --dump-stat-interval=300 \
    --stats=${DATA_DIR}/norikra.stats.json \
    --pidfile=${DATA_DIR}/norikra.pid \
    --gc-log=${DATA_DIR}/gc.log \
    -XX:+UseGCLogFileRotation \
    -XX:NumberOfGCLogFiles=10 \
    -XX:GCLogFileSize=1048576 \

    View Slide

  6. Spammers has come
    Smartphone apps only at first.
    Web version (for browsers) released!!
    But, it gives many benefits for ATTACKERS...
    • Easy to analyze API protocols
    • Easy to create MANY accounts (email, twitter...)
    → Spam floods!!!

    View Slide

  7. Norikra detects spam POSTs
    SELECT 'spam-detect' as tag,
    count(*) as calls,
    min(time) as time_min,
    max(time) as time_max,
    N as threshold,
    host
    FROM accesslog.win:time_batch(1 min)
    WHERE uri LIKE '/api/%' and method = 'POST'
    GROUP BY host
    HAVING count(*) >= N

    View Slide

  8. Norikra detects spam account creation
    SELECT 'spam-detect' as tag,
    count(*) as calls,
    min(time) as time_min,
    max(time) as time_max,
    N as threshold,
    host
    FROM accesslog.win:time_batch(1 min)
    WHERE uri LIKE '/api/signup/twitter%'
    GROUP BY host
    HAVING count(*) >= N

    View Slide

  9. fluent-plugin-spam-reactor
    In-house plugin

    type norikra
    norikra log-analyzer.service.consul:26571

    method sweep
    tag field tag
    tag_prefix norikra
    interval 3s



    type spam_reactor
    whitelist ["127.0.0.1", "192.168.0.0/16"]

    View Slide

  10. fluent-plugin-spam-reactor
    • Norikra detects spammers IP address from access log
    • Fluentd fetches Norikra outputs as records

    View Slide

  11. fluent-plugin-spam-reactor
    • Calc : count / (time_max - time_min) >= threshold
    • Set the IP address to memcached (exclude whitelist)
    memd.set("banned-host:#{host}", 1, expires, false)
    memd.set("banned-host-count:#{host}", count, 86400, false)
    • Emit a report message
    router.emit("spam-report", time, {"message" => message})
    WebApp BLOCKS accesses from IP address in memcached!

    View Slide

  12. Merits of using memcached
    1. Flexible expires.
    • spam-reactor extends expires by exponential backoff.
    2. Accessibility between middlewares.
    • WebApp (Perl, Go)
    • Fluentd (Ruby)
    • Nginx (module, lua)

    View Slide

  13. Conclusion
    • Norikra can detect spam accesses.
    • Easy to customize logic by queries
    • Fluentd custom plugins fit to your applications.

    View Slide