Endless battle with DDoS attacks / endless_battle_with_ddos_attack

* PHPConference Fukuoka 2018 (http://phpcon.fukuoka.jp/2018/)
* YouTube "Endless battle with ddos attack" (https://www.youtube.com/watch?v=EgeYTfynf68)

Takuma Kume

June 16, 2018
Transcript

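  1. Takuma Kume / GMO Pepabo, Inc. 2018.06.16 PHP Conference Fukuoka. Endless battle with DDoS attacks

  2. GMO Pepabo infrastructure engineer Takuma Kume @takumakume. Favorite PHP function: phpinfo()

  3. What is a DDoS attack?

  4. DoS attack (wikipedia): making a service unusable by, for example, sending a large volume of requests or huge amounts of data to the servers or network on which a web service runs.

  5. DDoS attack (wikipedia): a DoS attack launched against a single service from a large number of machines.

  6. DDoS attack (wikipedia): a DoS attack launched against a single service from a large number of machines. The scale of the attack is large, and it is hard to control because it comes from multiple IP addresses.

  7. DDoS attacks today: an era in which anyone can easily launch a DDoS attack.
      * Services exist that let you launch a DDoS attack for as little as a single coin
      * A high-school student was arrested over a DDoS attack
      * webstresser, a service that was recently taken down by law enforcement
      * Users: […]
      * Number of attacks: […]
      * Fee: from around […] yen

  8. If you provide a service on the internet, you have experienced a DDoS attack at least once, haven't you?

  9. Today I will introduce our efforts against DDoS attacks at […]!

  10. Agenda
      * Background: system architecture and the impact of DDoS attacks
      * Challenges: the current response to DDoS attacks and its problems
      * Implementation: handling DDoS attacks through automation
      * Summary

  11. Background (Background / Challenges / Implementation): system architecture and the impact of DDoS attacks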

  12. None
  13. Available from […] yen per month!

  14. Available from […] yen per month! Handles about […] requests per second!

  15. Available from […] yen per month! More than […] sites in operation! Handles about […] requests per second!

  16. System architecture

  17. [Diagram: internet; data center; our tenant; gateway switch x2; load balancer; reverse proxy x2; web server x3]

  18. [Same diagram] We rent data center space and build the system on-premises.

  19. [Same diagram, with the global network marked at the load balancer]

  20. [Same diagram, with IP x4 on the load balancer] About […] global IP addresses. The LB uses IPVS, a feature of LVS (Linux Virtual Server).

  21. [Same diagram, with sites on the web servers] Several thousand sites per server. The web servers process the customers' content.

  22. [Same diagram] […] web servers per global IP. Several thousand sites per global IP.

  23. Impact of DDoS attacks

  24. [Same diagram] A DDoS attack arrives at one IP, the attack target.

  25. [Same diagram] The large volume of traffic fills the physical network bandwidth, and normal access is heavily delayed (for example here, or here).

  26. DDoS attacks on a rental server (shared hosting) service

  27. [Diagram: web server x3, many sites] A wide variety of sites, more than […] of them. The risk of becoming an attack target is high.

  28. DDoS attacks on a rental server service: it is hard to tell which site an attack is aimed at, so it is hard to respond. [Diagram: load balancer, IP, web server x3, sites] Several thousand sites per IP address.

  29. DDoS attacks on a rental server service: most attacks do not use the HTTP protocol, so no domain name information is available. [Diagram: load balancer, IP, web server x3, sites] Several thousand sites per IP address.
  30. Challenges (Background / Challenges / Implementation): the current response to DDoS attacks and its problems

  31. Dividing DDoS attacks into categories

  32. Medium-scale DDoS attack
      * Affects the continuity of the service.
      * No impact on the services of other tenants in the DC.
      [Diagram: internet; DDoS attack; data center; gateway switch x2; load balancer; our tenant; other tenants; bandwidth filled]

  33. Large-scale DDoS attack
      * Affects the continuity of the service.
      * Affects the services of other tenants in the DC.
      [Diagram: same components; bandwidth filled]

  34. How each is handled

  35. Medium-scale DDoS attack [Diagram: bandwidth filled]

  36. Medium-scale DDoS attack [Diagram: a DDoS mitigation appliance blocks the attack; bandwidth secured!]
      * Deploy a DDoS mitigation appliance
      * Block traffic when it matches an attack pattern
      * Secure the network bandwidth for the service

  37. Large-scale DDoS attack [Diagram: bandwidth filled]

  38. Large-scale DDoS attack [Diagram: DDoS mitigation appliance; bandwidth filled]
      * Even with a DDoS mitigation appliance, it is pointless once the network bandwidth inside the data center is filled

  39. Large-scale DDoS attack [Diagram: bandwidth secured]
      * The DC operator blackhole-routes the targeted IP address
      * The route for the targeted IP address is diverted and the traffic is discarded
      * Bandwidth inside the DC is secured

  40. Large-scale DDoS attack [Diagram: bandwidth secured]
      * The DC operator blackhole-routes the targeted IP address
      * The route for the IP address is diverted and the traffic is discarded
      * Bandwidth inside the DC is secured
      This response leads to tragedy.

  41. [Diagram: large-scale DDoS attack on one IP, the attack target; load balancer; web servers; sites] […] web servers per global IP. Several thousand sites per global IP.

  42. [Same diagram] The sites tied to the blackhole-routed IP address disappear from the internet.

  43. [Same diagram] Switch the sites over to a different, spare IP address.

  44. Flow for switching the IP address
      * Receive an on-call from the DC when blackhole routing occurs
      * Compare the system DB with the load balancer to find a free IP address. The system DB holds the IP addresses in use; on the load balancer, all IP addresses, including the free ones, are assigned through IPVS.
      * Update the system DB. The blackhole-routed IP address is updated to the new IP address.

  45. [Same diagram] Access arrives via the new IP.

  46. Problems with switching the IP address
      * Being on call and operating critical components is stressful for the operator
      * Manual work carries a risk of operational mistakes
      * Several thousand sites are down from the on-call until the response is complete

  47. Problems with switching the IP address
      * Being on call and operating critical components is stressful for the operator
      * Manual work carries a risk of operational mistakes
      * Several thousand sites are down from the on-call until the response is complete
      Toward automation

  48. Implementation (Background / Challenges / Implementation): handling DDoS attacks through automation

  49. * Receive an on-call from the DC when blackhole routing occurs
      * Compare the system DB with the load balancer to find a free IP address
      * Update the system DB

  50. * Receive an on-call from the DC when blackhole routing occurs
      * Compare the system DB with the load balancer to find a free IP address
      * Update the system DB
      * Check that the IP address has lost reachability from the internet

  51. Implementation caveat [Diagram: internet; data center; gateway switch x2; load balancer; IP; server] Blackhole routing controls the entrance from the internet. From inside the DC, blackhole routing cannot be noticed.

  52. From inside the DC, blackhole routing cannot be noticed. [Same diagram] The check has to be made from outside the data center.

  53. [Diagram: automation application (inside the data center); checker (in a separate data center); load balancer IP. Steps ① to ③: request a check, run ping, return the result]

  54. [Same diagram] We want a highly general-purpose interface so that it can be used for other purposes as well.

  55. [Same diagram] Web API: /icmp?ipaddr=X.X.X.X&timeout=3&max_tries=5 returns { "status" : true, "error" : "" }

  56. [Diagram: checker = nginx + ngx_mruby + mruby script + mruby-fast-remote-check. HttpRequest /icmp?ipaddr=X.X.X.X; JSON { "status" : true, "error" : "" }; ping to the load balancer IP address]

  57. Main components that make up the checker
      * ngx_mruby
          * Developed by @matsumotory of our company
          * Embedded in nginx, it can run mruby scripts triggered by process startup or at request time
          * mruby: a lightweight Ruby for embedded use
      * mruby-fast-remote-check
          * An mrbgem (a gem, in Ruby terms) that can quickly check whether a port is listening and perform ICMP checks

  58. The actual code

      location /icmp {
        mruby_content_handler_code '
          # Get the URI of the request
          uri = Nginx::Request.new.unparsed_uri
          # Perform the ICMP check and respond with the resulting JSON
          Nginx.rputs RemoteChecker::ICMP.new(uri).execute
        ';
      }

  59. The actual code (same as slide 58). RemoteChecker::ICMP.new(uri).execute is a wrapper class for using mruby-fast-remote-check as a Web API: https://github.com/takumakume/mruby-remote-checker-api

  60. mruby-remote-checker-api
      * ICMP check: RemoteChecker::ICMP.new(uri).execute
      * Port listen check: RemoteChecker::Port.new(uri).execute

  61. mruby-remote-checker-api

      location /icmp {
        mruby_content_handler_code '
          uri = Nginx::Request.new.unparsed_uri
          Nginx.rputs RemoteChecker::ICMP.new(uri).execute';
      }

      location /port {
        mruby_content_handler_code '
          uri = Nginx::Request.new.unparsed_uri
          Nginx.rputs RemoteChecker::Port.new(uri).execute';
      }

      /icmp?ipaddr=X.X.X.X
      /port?ipaddr=X.X.X.X&port=80
  62. Even though no attack is occurring, a down state is detected here and there

  63. [Diagram: automation application requests checks; checker runs ping; load balancer with IP x5] When checks for multiple IP addresses are requested at the same time, some of them fail.

  64. [Same diagram, showing the checker and one load balancer IP] When checks for multiple IP addresses are requested at the same time, some of them fail.

  65. [Diagram: a process pings X.X.X.X through the NIC]

  66. [Same diagram] Request: ICMP Echo Request

  67. [Same diagram] The process opens a socket: socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)

  68. [Same diagram] The request is sent with sendto.

  69. [Same diagram] The process calls recv and waits for an ICMP packet.

  70. [Same diagram] The reply arrives and recv returns it: ICMP Echo Reply

  71. [Same diagram] The destination is compared with the source IP address of the ICMP packet (strictly speaking there are other conditions as well). If they are the same, the result is true.

  72. [Diagram as on slide 63, showing the checker and two load balancer IPs] When checks for multiple IP addresses are requested at the same time, some of them fail.

  73. [Diagram: two processes, one pinging X.X.X.X and one pinging Y.Y.Y.Y, through the same NIC]

  74. [Same diagram] Each process opens its own socket and sends its request with sendto.

  75. [Same diagram] Both processes wait in recv.

  76. [Same diagram] A reply arrives at the NIC.

  77. [Same diagram] The reply is delivered to both sockets.

  78. A raw socket can receive all IP protocols on Linux. If there are multiple raw sockets, the packet is passed to each of them. man raw(7)

  79. [Same diagram] The process pinging Y.Y.Y.Y receives the reply from X.X.X.X.

  80. [Same diagram] That process retries recv.

  81. [Same diagram] It retries recv, and a reply arrives.

  82. [Same diagram] The reply is delivered to the socket.

  83. [Same diagram] recv returns the reply.
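
The failure on slides 62 to 83 (concurrent pings on raw ICMP sockets, where a process can be handed the Echo Reply meant for another target) is shown here as an added example; it is not code from the talk or from mruby-fast-remote-check. It compares a receiver that judges the first datagram with one that filters and reads again. The packets are constructed in memory so that no raw socket is needed; the 198.51.100.x addresses, the identifiers 0x1111/0x2222, the identifier/sequence checks and `max_reads` (a stand-in for the timeout) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One datagram as recv() returns it on a raw ICMP socket: IPv4 header + ICMP. */
struct pkt { const uint8_t *buf; size_t len; };

/* Constructed sample input: 20-byte IPv4 header + 8-byte ICMP echo reply (checksums left 0). */
static size_t make_reply(uint8_t *out, const uint8_t src[4], uint16_t id, uint16_t seq) {
    memset(out, 0, 28);
    out[0] = 0x45;                 /* IPv4, IHL = 5 words */
    out[9] = 1;                    /* protocol: ICMP */
    memcpy(out + 12, src, 4);      /* source address of the reply */
    out[24] = (uint8_t)(id >> 8);  out[25] = (uint8_t)id;   /* type/code stay 0: echo reply */
    out[26] = (uint8_t)(seq >> 8); out[27] = (uint8_t)seq;
    return 28;
}

/* Returns 1 only if the datagram is the echo reply to our own request. */
static int reply_matches(struct pkt p, const uint8_t target[4], uint16_t id, uint16_t seq) {
    if (p.len < 20 || (p.buf[0] >> 4) != 4 || p.buf[9] != 1) return 0;
    size_t ihl = (size_t)(p.buf[0] & 0x0f) * 4;
    if (ihl < 20 || p.len < ihl + 8) return 0;
    const uint8_t *icmp = p.buf + ihl;
    if (icmp[0] != 0 || icmp[1] != 0) return 0;            /* not an echo reply */
    if (memcmp(p.buf + 12, target, 4) != 0) return 0;      /* reply from another host */
    if (((icmp[4] << 8) | icmp[5]) != id) return 0;        /* reply to another process's ping */
    return ((icmp[6] << 8) | icmp[7]) == seq;
}

/* Skip foreign datagrams and read again, at most max_reads times. */
static int retrying_check(const struct pkt *q, size_t n, size_t max_reads,
                          const uint8_t t[4], uint16_t id, uint16_t seq) {
    for (size_t i = 0; i < n && i < max_reads; i++)
        if (reply_matches(q[i], t, id, seq)) return 1;
    return 0;
}

/* Scenario: the process pinging Y is handed X's reply first, then its own.
   retry == 0 judges the first datagram only; retry == 1 filters and reads on. */
static int demo(int retry) {
    static const uint8_t X[4] = {198, 51, 100, 10}, Y[4] = {198, 51, 100, 20};
    uint8_t a[28], b[28];
    struct pkt q[2] = { { a, make_reply(a, X, 0x1111, 1) }, { b, make_reply(b, Y, 0x2222, 1) } };
    return retry ? retrying_check(q, 2, 8, Y, 0x2222, 1) : reply_matches(q[0], Y, 0x2222, 1);
}

int main(void) { printf("first-datagram=%d retrying=%d\n", demo(0), demo(1)); return 0; }
```
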
  84. * Receive an on-call from the DC when blackhole routing occurs
      * Compare the system DB with the load balancer to find a free IP address
      * Update the system DB
      * Check that the IP address has lost reachability from the internet

  85. * Receive an on-call from the DC when blackhole routing occurs
      * Compare the system DB with the load balancer to find a free IP address
      * Update the system DB
      * Check that the IP address has lost reachability from the internet
      SQL / ???

  86. Getting the load balancer's IP addresses. Output of ipvsadm, the IPVS management tool:

      # ipvsadm -Ln
      IP Virtual Server version 1.2.1 (size=4096)
      Prot LocalAddress:Port Scheduler Flags
        -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
      TCP  203.0.113.1:443 rr
        -> 192.168.1.100:443            Route   1      1          0
        -> 192.168.1.101:443            Route   1      1          0
        -> 192.168.1.102:443            Route   1      1          0
      TCP  203.0.113.2:443 rr
        -> 192.168.1.100:443            Route   1      1          0
        -> 192.168.1.101:443            Route   1      1          0
        -> 192.168.1.102:443            Route   1      1          0
      :
      :

  87. Getting the load balancer's IP addresses [same ipvsadm -Ln output]. Access to this IP address is forwarded to these IP addresses.

  88. Getting the load balancer's IP addresses [same ipvsadm -Ln output, with 203.0.113.1, 203.0.113.2 and port 443 highlighted]. We want the list of global IP addresses for this port, because services other than the web also coexist on the load balancer.

  89. Getting the load balancer's IP addresses [same ipvsadm -Ln output, with 203.0.113.1, 203.0.113.2 and port 443 highlighted]. We want the list of global IP addresses for this port. We want to handle the load balancer more programmably.

  90. [Diagram: automation application; load balancer; steps ① and ②] Web API: /services returns

      [
        {
          "proto": "TCP",
          "addr": "203.0.113.1",
          "port": 443,
          "sched_name": "rr",
          "dests": ["192.168.1.100", ..]
        },
        :
      ]

  91. [Diagram: load balancer = libipvs + nginx + ngx_mruby + mruby-ipvs + mruby script. HttpRequest /services; JSON response as on slide 90]

  92. Main components that make up the checker
      * ngx_mruby
      * mruby-ipvs
          * An mrbgem developed by @rrreeeyyy
          * An mruby interface that can manage IPVS

  93. This is all the code

      location /services {
        mruby_content_handler_code '
          # Get the list of IPVS services, convert it to JSON and respond through Nginx.
          Nginx.rputs JSON.generate(IPVS.services.map(&:to_h))
        ';
      }
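  94. * Receive an on-call from the DC when blackhole routing occurs
      * Compare the system DB with the load balancer to find a free IP address
      * Update the system DB
      * Check that the IP address has lost reachability from the internet

  95. [Diagram: automation application; checker; load balancer; system DB] ① Get the list of IP addresses in use.

  96. [Same diagram] ① Get the list of IP addresses in use. ② Request a check of the IP addresses (the checker sends PING to each IP).

  97. [Same diagram] ① Get the list of IP addresses in use. ② Request a check of the IP addresses. ③ Return the check results for the IP addresses.

  98. [Same diagram] ① Get the list of IP addresses in use. ② Request a check of the IP addresses. ③ Return the check results for the IP addresses. ④ If any IP address is unreachable, go to ⑤.

  99. [Same diagram] ① Get the list of IP addresses in use. ② Request a check of the IP addresses. ③ Return the check results for the IP addresses. ④ If any IP address is unreachable, go to ⑤. ⑤ Get the list of all IP addresses.

  100. [Same diagram] ① Get the list of IP addresses in use. ② Request a check of the IP addresses. ③ Return the check results for the IP addresses. ④ If any IP address is unreachable, go to ⑤. ⑤ Get the list of all IP addresses. ⑥ Determine the free IP addresses from all IPs and the IPs in use.

  101. [Same diagram] ① Get the list of IP addresses in use. ② Request a check of the IP addresses. ③ Return the check results for the IP addresses. ④ If any IP address is unreachable, go to ⑤. ⑤ Get the list of all IP addresses. ⑥ Determine the free IP addresses from all IPs and the IPs in use. ⑦ Update the DB.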
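  102. Summary

  103. Background: system architecture and the impact of DDoS attacks
      * Now that DDoS attacks can be launched easily, the rental server industry is no exception: attacks arrive and affect the service.
      * The larger a service becomes, the more sites it hosts and the higher the risk of becoming a target.

  104. Background: system architecture and the impact of DDoS attacks
      * Now that DDoS attacks can be launched easily, the rental server industry is no exception: attacks arrive and affect the service.
      * The larger a service becomes, the more sites it hosts and the higher the risk of becoming a target.
      Challenges: the current response to DDoS attacks and its problems
      * When a large-scale attack exceeds the capacity of the DC, in our case the address is blackhole-routed, so a manual response is needed.
      * With a manual response, recovery is slow and the stress level is high. Operational mistakes are also possible.

  105. Background: system architecture and the impact of DDoS attacks
      * Now that DDoS attacks can be launched easily, the rental server industry is no exception: attacks arrive and affect the service.
      * The larger a service becomes, the more sites it hosts and the higher the risk of becoming a target.
      Challenges: the current response to DDoS attacks and its problems
      * When a large-scale attack exceeds the capacity of the DC, in our case the address is blackhole-routed, so a manual response is needed.
      * With a manual response, recovery is slow and the stress level is high. Operational mistakes are also possible.
      Implementation: handling DDoS attacks through automation
      * We concentrated the business logic in one place and made the components that support the automation as general-purpose as possible, so that they are convenient and easy to manage.
      * We implemented a JSON-based Web API as the general-purpose interface, and showed a case where it can be built easily with ngx_mruby.

  106. In closing

  107. All that has changed is that getting from detection of a DDoS attack to recovery has become faster and easier

  108. As long as we keep providing services on the internet, the attacks will continue without end

  109. To protect PHP content, we intend to keep fighting the "endless battle with DDoS attacks"!

  110. We are recruiting colleagues to fight alongside us! Check the latest hiring information → @pb_recruit

  111. Thank you for your attention. GMO Pepabo, inc. @takumakume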