The Endless Battle with DDoS Attacks / endless_battle_with_ddos_attack

* PHPConference Fukuoka 2018 (http://phpcon.fukuoka.jp/2018/)
* Youtube "Endless battle with ddos attack" (https://www.youtube.com/watch?v=EgeYTfynf68)

Takuma Kume

June 16, 2018

Transcript

  1. Data center, our tenant: Internet → gateway switches → load balancer → reverse proxies → WEB servers. The load balancer holds roughly [N] global IP addresses (count lost in extraction) and is an LB built on IPVS, a feature of LVS (Linux Virtual Server).

  2. Each reverse proxy / WEB server handles several thousand sites; they process our customers' content.

  3. Per global IP address: [N] WEB servers and several thousand sites.

  4. A DDoS attack against one IP (the attack target): the flood of traffic fills the physical network bandwidth, so normal access is heavily delayed.

  5. DDoS attacks against a rental (shared hosting) service: tens of thousands (exact figure lost in extraction) of sites of every kind, so the risk of one of them becoming a target is high.

  6. Large-scale DDoS attack: the bandwidth is filled. Service continuity is affected, and so are the services of other tenants in the same DC.

  7. Medium-scale DDoS attack: a DDoS mitigation appliance is deployed; traffic matching an attack pattern is blocked; bandwidth for the service is secured.

  8. Large-scale DDoS attack: even with a DDoS mitigation appliance, it is pointless once the network bandwidth inside the data center is saturated.

  9. Large-scale DDoS attack: the DC operator blackhole-routes the targeted IP address, i.e. the route for that IP is diverted and its traffic discarded, which secures the bandwidth inside the DC.

  10. Large-scale DDoS attack: the DC operator blackhole-routes the targeted IP address, the route is diverted and the traffic discarded, DC bandwidth is secured. This response is what creates the tragedy.

  11. A large-scale DDoS attack on one IP address of the load balancer, which fronts [N] WEB servers and several thousand sites per global IP.

  12. Every site bound to the blackhole-routed IP address disappears from the Internet.

  13. Fix: re-attach those sites to a spare IP address from the surplus pool on the load balancer.
  14. Components: checker, automation application, load balancer (inside the DC; the checker also runs in another data center). ① request a check ② run Ping ③ return the result. The checker should be a highly generic interface so it can be reused for other purposes.

  15. The checker as a WebAPI: the automation application requests a check, the checker runs Ping and returns the result.
        /icmp?ipaddr=X.X.X.X&timeout=3&max_tries=5
        { "status" : true, "error" : "" }

  16. The actual code: take the request URI, run the ICMP check and respond with the result as JSON.
        location /icmp {
          mruby_content_handler_code '
            uri = Nginx::Request.new.unparsed_uri
            Nginx.rputs RemoteChecker::ICMP.new(uri).execute
          ';
        }

  17. RemoteChecker::ICMP.new(uri).execute is a wrapper class for using mruby-fast-remote-check as a WebAPI: https://github.com/takumakume/mruby-remote-checker-api

  18. mruby-remote-checker-api exposes both an ICMP and a TCP port check:
        location /icmp {
          mruby_content_handler_code '
            uri = Nginx::Request.new.unparsed_uri
            Nginx.rputs RemoteChecker::ICMP.new(uri).execute
          ';
        }
        location /port {
          mruby_content_handler_code '
            uri = Nginx::Request.new.unparsed_uri
            Nginx.rputs RemoteChecker::Port.new(uri).execute
          ';
        }
        /icmp?ipaddr=X.X.X.X
        /port?ipaddr=X.X.X.X&port=80
  19. Problem: when the automation application asks the checker to process several IP addresses at the same time, some of the checks fail.

  20. Same setup: the checker receives simultaneous check requests for several IP addresses of the load balancer, and some of them fail.

  21. How the check works for one process pinging X.X.X.X: process → socket → NIC → ICMP Echo Request; the Echo Reply comes back the same way. The checker compares the destination IP address of the ICMP packet it sent with the source IP address of the reply (strictly speaking there are other conditions as well) → true if they are the same.

  22. The failure case: several checks are requested at once, so several ping processes run at the same time.

  23. Two processes, one pinging X.X.X.X and one pinging Y.Y.Y.Y, each with its own socket: both call sendto and their Requests leave through the NIC.

  24. Both processes then call recv on their sockets and wait for a Reply.

  25. A raw socket can receive all IP protocols on Linux. If there are multiple raw sockets, each packet is handed to every one of them. (man raw(7))

  26. So the Reply from X.X.X.X is delivered to both sockets: the process pinging Y.Y.Y.Y also receives the Reply from X.X.X.X, and its comparison fails.
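The interference on slides 19 to 26 comes from every raw socket seeing every ICMP packet. The following is an added example, not code from the talk or from mruby-fast-remote-check: plain CRuby (not mruby) that builds two constructed Echo Reply packets as a raw socket would deliver them, parses them, and contrasts the "compare the first reply" check the slides describe with one that filters on both the target address and the process's own ICMP identifier. Packet contents, addresses and identifiers are all made up; the real recv loop is replaced by a list of received packets.

```ruby
# Added example (not from the talk): two concurrent ICMP checkers on one host share
# every reply, so a checker must filter replies rather than trust the first one.

def ip_to_bytes(ip)
  ip.split('.').map(&:to_i).pack('C4')
end

def bytes_to_ip(bytes)
  bytes.unpack('C4').join('.')
end

# RFC 1071 one's-complement checksum, as used by ICMP.
def icmp_checksum(data)
  data = data.b
  data += "\x00".b if data.bytesize.odd?
  sum = data.unpack('n*').sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff
  (~sum) & 0xffff
end

# Build an IPv4 packet carrying an ICMP Echo Reply (type 0), IP header included,
# which is what a raw ICMP socket hands to user space. The IP header checksum is
# left at 0 because nothing below verifies it (the kernel fills it on real sends).
def build_echo_reply(src_ip, dst_ip, ident, seq, payload = 'abcdefgh')
  body = [0, 0, 0, ident, seq].pack('CCnnn') + payload.b
  csum = icmp_checksum(body)
  body = [0, 0, csum, ident, seq].pack('CCnnn') + payload.b
  iphdr = [0x45, 0, 20 + body.bytesize, 0, 0, 64, 1, 0].pack('CCnnnCCn') +
          ip_to_bytes(src_ip) + ip_to_bytes(dst_ip)
  iphdr + body
end

# Parse an IPv4+ICMP packet; returns nil for anything that is not ICMP.
def parse_icmp(packet)
  packet = packet.b
  return nil if packet.bytesize < 20
  ihl = (packet.getbyte(0) & 0x0f) * 4
  return nil unless packet.getbyte(9) == 1 && packet.bytesize >= ihl + 8
  body = packet.byteslice(ihl, packet.bytesize - ihl)
  type, code, _csum, ident, seq = body.unpack('CCnnn')
  {
    src: bytes_to_ip(packet.byteslice(12, 4)),
    dst: bytes_to_ip(packet.byteslice(16, 4)),
    type: type, code: code, id: ident, seq: seq,
    checksum_ok: icmp_checksum(body).zero?,
  }
end

# The behaviour the slides describe: compare the source of the first reply that
# arrives with the target. With two checkers on one host the other checker's
# reply can arrive first, and this returns false although the target is up.
def naive_reply_check(target, received)
  first = received.first && parse_icmp(received.first)
  !first.nil? && first[:type] == 0 && first[:src] == target
end

# Keep reading until a reply matches both the target and this checker's own
# identifier, ignoring everything else; an exhausted queue stands in for the
# timeout a real checker would apply.
def matching_reply?(target, ident, received)
  received.each do |pkt|
    r = parse_icmp(pkt)
    next if r.nil? || r[:type] != 0 || !r[:checksum_ok]
    return true if r[:src] == target && r[:id] == ident
  end
  false
end

# Constructed scenario: checker A pings 192.0.2.10 (id 0x1111), checker B pings
# 192.0.2.20 (id 0x2222). Both raw sockets see both replies, X's reply first.
SHARED_RECV_QUEUE = [
  build_echo_reply('192.0.2.10', '198.51.100.5', 0x1111, 1),
  build_echo_reply('192.0.2.20', '198.51.100.5', 0x2222, 1),
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive check, checker B:    #{naive_reply_check('192.0.2.20', SHARED_RECV_QUEUE)}"
  puts "filtered check, checker B: #{matching_reply?('192.0.2.20', 0x2222, SHARED_RECV_QUEUE)}"
end
```

The identifier filter is what the Linux ping utility relies on as well (it sets the ICMP id to its own process id); in a checker that serialises requests, as the talk's fix does, the filter is still worth keeping because any other ICMP traffic on the host reaches the raw socket too.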
  27. Getting the load balancer's IP addresses: output of ipvsadm, the IPVS management tool.
        # ipvsadm -Ln
        IP Virtual Server version 1.2.1 (size=4096)
        Prot LocalAddress:Port Scheduler Flags
          -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
        TCP  203.0.113.1:443 rr
          -> 192.168.1.100:443            Route   1      1          0
          -> 192.168.1.101:443            Route   1      1          0
          -> 192.168.1.102:443            Route   1      1          0
        TCP  203.0.113.2:443 rr
          -> 192.168.1.100:443            Route   1      1          0
          -> 192.168.1.101:443            Route   1      1          0
          -> 192.168.1.102:443            Route   1      1          0
        :
        :

  28. Reading the output: access to this IP address (LocalAddress) is forwarded to these IP addresses (RemoteAddress).

  29. What we want is the list of global IP addresses that serve this port (443, i.e. 203.0.113.1 and 203.0.113.2), because services other than WEB coexist on the same load balancer.

  30. In other words, we want to handle the load balancer more programmatically.

  31. Automation application → load balancer: ① GET /services ② the load balancer answers with JSON (WebAPI):
        [
          {
            "proto": "TCP",
            "addr": "203.0.113.1",
            "port": 443,
            "sched_name": "rr",
            "dests": ["192.168.1.100", ..]
          },
          :
        ]

  32. On the load balancer: nginx → ngx_mruby → mruby script → mruby-ipvs → libipvs. An HttpRequest to /services returns the JSON above.

  33. That is all the code: get the list of IPVS services, turn it into JSON and respond from Nginx.
        location /services {
          mruby_content_handler_code '
            Nginx.rputs JSON.generate(IPVS.services.map(&:to_h))
          ';
        }
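The /services endpoint on slides 31 to 33 reads IPVS through mruby-ipvs. As an added example, not the talk's code, here is the same JSON shape produced the other way round, by parsing `ipvsadm -Ln` text in plain CRuby, plus the "global IPs for this port" query from slide 29. The sample output is constructed to match the slides, with one extra non-web UDP service added to show the mixed-service case; `parse_ipvsadm`, `services_json` and `global_ips_for_port` are names chosen here.

```ruby
require 'json'

# Constructed sample modelled on the ipvsadm -Ln output shown in the slides, with a
# non-web (UDP/53, NAT-forwarded) service added to show the mixed-service case.
SAMPLE_IPVSADM_OUTPUT = <<~OUT
  IP Virtual Server version 1.2.1 (size=4096)
  Prot LocalAddress:Port Scheduler Flags
    -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
  TCP  203.0.113.1:443 rr
    -> 192.168.1.100:443            Route   1      1          0
    -> 192.168.1.101:443            Route   1      1          0
    -> 192.168.1.102:443            Route   1      1          0
  TCP  203.0.113.2:443 rr
    -> 192.168.1.100:443            Route   1      1          0
    -> 192.168.1.101:443            Route   1      1          0
    -> 192.168.1.102:443            Route   1      1          0
  UDP  203.0.113.3:53 wlc
    -> 192.168.1.200:53             Masq    1      0          0
OUT

# A service line: protocol, virtual address:port, scheduler, optional flags
# (e.g. "persistent 300"). "Prot LocalAddress:Port" in the header does not match.
SERVICE_RE = /\A(TCP|UDP|SCTP)\s+(\S+):(\d+)\s+(\S+)(?:\s+.+)?\z/
# A destination line: "-> addr:port Forward Weight ActiveConn InActConn".
# The header's "RemoteAddress:Port" fails the \d+ port group, so it is skipped.
DEST_RE    = /\A\s*->\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\z/

# Parse ipvsadm -Ln text into the structure the /services API on the slides returns.
def parse_ipvsadm(output)
  services = []
  output.each_line do |raw|
    line = raw.rstrip
    if (m = SERVICE_RE.match(line))
      services << { 'proto' => m[1], 'addr' => m[2], 'port' => m[3].to_i,
                    'sched_name' => m[4], 'dests' => [] }
    elsif (m = DEST_RE.match(line))
      raise ArgumentError, "destination before any service: #{line.inspect}" if services.empty?
      services.last['dests'] << m[1]
    end
    # header and version lines fall through and are ignored
  end
  services
end

def services_json(services)
  JSON.generate(services)
end

# "I want the list of global IPs for this port": virtual addresses that carry a
# service on the given port and protocol, de-duplicated, in ipvsadm order.
def global_ips_for_port(services, port, proto: 'TCP')
  services.select { |s| s['port'] == port && s['proto'] == proto }
          .map { |s| s['addr'] }
          .uniq
end

if __FILE__ == $PROGRAM_NAME
  svcs = parse_ipvsadm(SAMPLE_IPVSADM_OUTPUT)
  puts services_json(svcs)
  puts global_ips_for_port(svcs, 443).inspect
end
```

Parsing command output is fragile across ipvsadm versions (column widths and the IPv6 `[addr]:port` form), which is one reason the talk goes through libipvs instead; the regexes above tolerate both forms but should be pinned to the ipvsadm version actually deployed.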
  34. The automation application, the checker, the load balancer and the system DB: ① get the list of IP addresses in use from the load balancer ② ask the checker to check each IP address (PING) ③ the checker returns the check results.

  35. ④ If any IP address does not respond, continue with ⑤.

  36. ⑤ Get the list of all IP addresses from the system DB.

  37. ⑥ all IP addresses − IP addresses in use = free IP addresses.

  38. ⑦ Update the DB with the new assignment.
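The seven steps on slides 34 to 38 as one pure planning function, added here as an example and not the talk's automation application: the load balancer's /services answer, the checker's /icmp answers and the DB's address pool are all constructed in-memory stand-ins, and the function returns the DB updates instead of applying them. One design choice is mine and not stated in the talk: an address whose check errored or timed out is classed "unknown" and never moved, so a broken checker cannot trigger a mass re-assignment.

```ruby
require 'json'

# Constructed stand-ins for the three components in the slides. All values are made up.
LB_SERVICES = [
  { 'proto' => 'TCP', 'addr' => '203.0.113.1', 'port' => 443, 'sched_name' => 'rr', 'dests' => ['192.168.1.100'] },
  { 'proto' => 'TCP', 'addr' => '203.0.113.2', 'port' => 443, 'sched_name' => 'rr', 'dests' => ['192.168.1.101'] },
  { 'proto' => 'TCP', 'addr' => '203.0.113.2', 'port' => 80,  'sched_name' => 'rr', 'dests' => ['192.168.1.101'] },
].freeze
ALL_GLOBAL_IPS = %w[203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.4].freeze
# Checker answers in the /icmp API's shape: {"status": bool, "error": str}.
CHECK_RESULTS = {
  '203.0.113.1' => { 'status' => true,  'error' => '' },
  '203.0.113.2' => { 'status' => false, 'error' => '' },   # blackholed: no echo reply
}.freeze

# Step 1: addresses currently serving traffic (one address may carry several ports).
def in_use_ips(services)
  services.map { |s| s['addr'] }.uniq
end

# Steps 2-4: ask the checker about each address. An address is "down" only when the
# checker answered cleanly with status=false; a raised error or a non-empty error
# string makes it "unknown" (design choice here, not from the talk).
def classify(ips, checker)
  ips.each_with_object({ up: [], down: [], unknown: [] }) do |ip, acc|
    begin
      r = checker.call(ip)
      if r['error'].to_s.empty?
        (r['status'] ? acc[:up] : acc[:down]) << ip
      else
        acc[:unknown] << ip
      end
    rescue StandardError
      acc[:unknown] << ip
    end
  end
end

# Steps 5-7: free = all - in_use; pair each unreachable address with a free one and
# produce the DB updates (every service on the old address moves to the new one).
# Addresses left without a spare are reported in :unassigned rather than dropped.
def plan_failover(services, all_ips, checker)
  used  = in_use_ips(services)
  state = classify(used, checker)
  free  = all_ips - used
  moves = {}
  state[:down].each { |ip| moves[ip] = free.shift unless free.empty? }
  updates = services.select { |s| moves.key?(s['addr']) }
                    .map { |s| s.merge('old_addr' => s['addr'], 'addr' => moves[s['addr']]) }
  {
    down: state[:down], unknown: state[:unknown],
    unassigned: state[:down] - moves.keys,
    moves: moves, free_after: free, db_updates: updates,
  }
end

if __FILE__ == $PROGRAM_NAME
  checker = ->(ip) { CHECK_RESULTS.fetch(ip) { raise "checker unreachable for #{ip}" } }
  puts JSON.pretty_generate(plan_failover(LB_SERVICES, ALL_GLOBAL_IPS, checker))
end
```

In the real system the moves would be applied through the load balancer and DNS after the plan is produced; keeping the planning step pure makes it easy to dry-run against the current state and to review what an automated run would have changed.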
  39. Summary. Background: the system architecture and the impact of DDoS attacks. Problem: how DDoS attacks are handled today and what is wrong with it. Implementation: handling DDoS attacks through automation.
    * When an attack exceeds the DC's capacity, in our case the target is blackhole-routed, so manual work is required.
    * Manual handling recovers slowly and is stressful; operator mistakes are possible too.
    * We concentrated the business logic in one place and made the components that support the automation as generic as possible, so they are convenient and easy to manage.
    * As the generic interface we implemented JSON-based WebAPIs, and showed that they can be built easily with ngx_mruby.
    * Now that DDoS attacks are cheap to launch, the rental server business is no exception: attacks do arrive and affect the service.
    * The larger the service, the more sites it hosts and the higher the risk of becoming a target.