

Nginx + Luaを活用したDDoS攻撃対策: 「LINE STORE」における動的IP Blacklist運用とアプローチ / Utilizing Nginx + Lua for DDoS Attack Mitigation: Dynamic IP Blacklist Operation and Approach at "LINE STORE"

As a DDoS countermeasure for protecting a large-scale service, this talk presents a practical example of operating a dynamic IP blacklist with Nginx combined with Lua.
Starting from the background of its introduction at LINE STORE, it covers the comparison and benchmark results of several architectures and configuration management with CentralDogma, and explains an up-to-date approach that balances operational cost and extensibility.



Transcript

  1. Nginx configuration
     - Use the geo module of Nginx (https://nginx.org/en/docs/http/ngx_http_geo_module.html)
     - Configuration files:
       - nginx.conf: uses the geo module
       - ipblacklist.conf: the IP address list
     (Diagram: nginx.conf includes ipblacklist.conf)
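As an added example (not the deck's own configuration), this is how the geo-module approach on the slide above is typically wired: the geo block maps the client address to a flag, and the address list lives in a separate file that the configuration-management tool pushes out. The file path, the upstream name, the trusted-proxy range and the sample addresses (RFC 5737 documentation ranges) are constructed for illustration.

```nginx
# nginx.conf (http context) -- added example, not from the deck
http {
    # Map the client address to $ip_blacklisted: 1 for listed addresses, 0 otherwise.
    # The lookup is a prefix-tree match done in C, which is why CPU stays low under load.
    geo $ip_blacklisted {
        default 0;
        # If nginx sits behind another proxy, list that proxy here so the geo module takes
        # the client address from X-Forwarded-For instead of the TCP peer address.
        # proxy 10.0.0.0/8;                    # assumption: internal load-balancer range
        include /etc/nginx/ipblacklist.conf;   # assumption: path of the address list
    }

    server {
        listen 80;

        # 444 is nginx's special "No Response" status: close the connection, send nothing.
        if ($ip_blacklisted) {
            return 444;
        }

        location / {
            proxy_pass http://application;   # assumption: upstream name
        }
    }
}

# /etc/nginx/ipblacklist.conf -- one "address value;" entry per line, CIDR accepted.
# Constructed sample entries (documentation ranges, not real attackers):
#   203.0.113.0/24  1;
#   198.51.100.7    1;
```

Because the list is read only at configuration load, every change to ipblacklist.conf needs `nginx -t` (to catch a malformed entry before it takes the whole config down) followed by `nginx -s reload`; that reload step is exactly what the later slides set out to remove.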
  2. Result: First week
     - Applied; measurement period ~ (dates not preserved in the transcript)
     - All / Block / Rate: figures not preserved in the transcript
     - Target: Browser, Bot, Personal Application
  3. Result: One month later
     - Applied; measurement period ~ (1 month later; figures for All / Block / Rate not preserved in the transcript)
     - The blocking rate decreased considerably
  4. Issues
     - Nginx configurations are managed with Ansible (static)
     - Several steps are required to update the IP blacklist (flow shown on the slide):
       - It takes time
       - Manual operation should be avoided as much as possible
       - No easy rollback
       - Difficult to write complicated logic
     Goal: operate the IP blacklist dynamically
  5. Overview (first approach)
     - Application: syncs the IP blacklist configuration with Central Dogma and updates ipblacklist.conf
     - Monitoring script: watches ipblacklist.conf for changes and reloads Nginx when it changes
     - Nginx: blocks requests
  6. Pros vs Cons
     - Pros: update the IP blacklist in nearly real time; lower latency; lower resource consumption (high only while updating the IP blacklist)
     - Cons: lower maintainability; hard to monitor state and logs; need to grant permission to reload Nginx; cannot be used for other services that don't consist of both Nginx and an Application
  7. Overview (second approach)
     - Application: syncs the IP blacklist configuration with Central Dogma and provides an API
     - Nginx + Lua: updates the IP blacklist periodically and validates requests
  8. What's Lua and OpenResty
     - Lua: "Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description." (https://www.lua.org/)
       - Chose Lua scripting to implement the dynamic IP blacklist logic within Nginx
     - OpenResty: "OpenResty® is a full-fledged web platform that integrates our enhanced version of the Nginx core, our enhanced version of LuaJIT, many carefully written Lua libraries, lots of high-quality 3rd-party Nginx modules, and most of their external dependencies." (https://openresty.org/en/)
       - Introduced alongside Lua to extend Nginx capabilities
  9-14. Lua script: Update IP blacklist periodically (one slide built up step by step)
     ① Store the IP blacklist configuration: ipblacklist and hash
     ② Call the ipblacklist API with the stored hash
     ③ Get the configuration:
       a. If lua_hash equals app_hash: nothing to do
       b. If lua_hash differs from app_hash: update the cache
     - Run this flow periodically as a timer
  15-18. Lua script: Validate requests (one slide built up step by step)
     ① Receive a request
     ② Check whether the client IP address is in the cached IP blacklist:
       a. Yes: return "No Response" (the connection is closed without a response) [6]
       b. No: proxy the request to the application
     [6] https://nginx.org/en/docs/http/request_processing.html
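The two Lua flows above (the timer-driven updater and the access-phase check) put together in an OpenResty nginx.conf, as an added example; this is not the code from the deck. Assumed, because the slides do not specify them: the API endpoint URL and its JSON shape (`{"hash": "...", "ipblacklist": ["...", ...]}`), the 10-second polling interval, the upstream name, and the lua-resty-http client (`opm get ledgetech/lua-resty-http`), which is not bundled with OpenResty. `lua_shared_dict`, `ngx.timer.every`, `cjson.safe` and `ngx.HTTP_CLOSE` are standard OpenResty facilities.

```nginx
# nginx.conf for OpenResty -- added example, not the deck's own code
http {
    # Shared memory zone visible to every worker: holds the current hash and the serialized list.
    lua_shared_dict ip_blacklist 10m;

    init_by_lua_block {
        -- Per-worker lookup cache. init_by_lua runs in the master before forking, so each
        -- worker inherits its own private copy and rebuilds it when the shared hash changes.
        package.loaded["ip_blacklist_cache"] = { hash = "", set = {} }
    }

    init_worker_by_lua_block {
        -- Only worker 0 polls the API; the other workers pick up the result via the shared dict.
        if ngx.worker.id() ~= 0 then return end

        local http  = require "resty.http"   -- assumption: lua-resty-http is installed
        local cjson = require "cjson.safe"
        local dict  = ngx.shared.ip_blacklist
        local API   = "http://blacklist-api.internal/ipblacklist"   -- assumption: hypothetical endpoint

        local function refresh(premature)
            if premature then return end                 -- worker is shutting down

            local lua_hash = dict:get("hash") or ""
            local httpc = http.new()
            httpc:set_timeout(2000)                      -- ms; a slow API must not stall the timer
            local res, err = httpc:request_uri(API .. "?hash=" .. ngx.escape_uri(lua_hash))
            if not res or res.status ~= 200 then
                -- On any failure keep serving the last good list rather than clearing it.
                ngx.log(ngx.ERR, "ip blacklist fetch failed: ", err or res.status)
                return
            end

            local body = cjson.decode(res.body)
            if type(body) ~= "table" or type(body.hash) ~= "string" or type(body.ipblacklist) ~= "table" then
                ngx.log(ngx.ERR, "ip blacklist API returned an unexpected body")
                return
            end

            -- a. lua_hash == app_hash: nothing to do
            if body.hash == lua_hash then return end

            -- b. hashes differ: write the new list first and publish the hash last, so a reader
            --    that sees the new hash always finds a list at least as new as that hash.
            local ok, set_err = dict:set("list", cjson.encode(body.ipblacklist))
            if not ok then
                ngx.log(ngx.ERR, "ip blacklist shared dict set failed: ", set_err)
                return
            end
            dict:set("hash", body.hash)
            ngx.log(ngx.NOTICE, "ip blacklist updated: ", #body.ipblacklist, " entries, hash ", body.hash)
        end

        local ok, err = ngx.timer.every(10, refresh)   -- assumption: 10 s polling interval
        if not ok then
            ngx.log(ngx.ERR, "failed to start ip blacklist timer: ", err)
        end
    }

    server {
        listen 80;

        access_by_lua_block {
            local dict  = ngx.shared.ip_blacklist
            local cache = require "ip_blacklist_cache"

            -- Rebuild this worker's lookup table only when the shared hash has moved.
            local shared_hash = dict:get("hash")
            if shared_hash and shared_hash ~= cache.hash then
                local cjson = require "cjson.safe"
                local list  = cjson.decode(dict:get("list") or "[]") or {}
                local set   = {}
                for _, ip in ipairs(list) do set[ip] = true end
                cache.set, cache.hash = set, shared_hash
            end

            -- remote_addr is the TCP peer. Behind another proxy, configure ngx_http_realip_module
            -- (set_real_ip_from / real_ip_header) so this is the real client and not the LB.
            if cache.set[ngx.var.remote_addr] then
                return ngx.exit(ngx.HTTP_CLOSE)   -- 444: close the connection, send no response
            end
        }

        location / {
            proxy_pass http://application;   # assumption: upstream name
        }
    }
}
```

Things to verify before relying on a setup like this: that the address being checked is the real client (realip module, never a raw X-Forwarded-For value the client can set); that the failure mode is the one you want (here a fetch or decode error keeps the previous list instead of failing open); that the shared dict is sized for the serialized list; and that exact-match lookups are sufficient, since CIDR entries would need a prefix matcher such as lua-resty-ipmatcher instead of a plain table.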
  19. Pros vs Cons
     - Pros: update the IP blacklist in nearly real time; lower latency; lower resource consumption; higher maintainability; reusable across Nginx-based services
     - Cons: need to replace the existing Nginx with OpenResty; need to learn Lua
  20. Result: Nginx layer blocking with geo module
     - CPU usage: low even under high request load
     - Memory usage: no significant change
     - Latency: to be compared with the other results later

  21. Result: Application layer blocking with an Armeria decorator
     - CPU usage: increased significantly under high request load
     - Memory usage: higher overall, due to loading the blacklist into a Set<String> in the Application
     - Latency: almost the same as Nginx

  22. Result: Nginx layer blocking with Lua script
     - CPU usage: low even under high request load
     - Memory usage: mostly stable during testing; a slight increase observed when loading the blacklist
     - Latency: almost the same as the others
  23. Before: Static Ansible Flow
     - Steps: create/approve PR → cut a new release branch → announce ops in Slack → run the Ansible playbook → reload/restart Nginx
     - Pain points: each update takes a long time; many touch points → human error risk; rollback = repeat the whole flow; nginx.conf can't handle complex logic

  24. After: Dynamic Nginx + Lua Flow
     - Steps: create/approve PR → done (updated)
     - Gains: entire cycle under a few minutes (no Ansible); rollback = PR revert (auto-applied); Lua enables rich dynamic rules
     - The new blacklist is applied within minutes
  25. Conclusion
     - Goal: operate the IP blacklist dynamically
     - Adopted Nginx + Lua
     - Why: real-time blacklist updates; low latency and resource usage (based on the benchmark results); high maintainability; easy to extend to other Nginx services