
Understanding DNS with ActionDispatch::HostAuthorization

Yuka Kato
October 03, 2020


This is the talk I gave at Kaigi on Rails, held on October 3, 2020. (Talk length: 20 minutes)

## Addendum, 2020/10/12
Since the slides alone made the characteristics of the attack hard to follow, I added further explanation in the following post on my personal blog:
https://yucao24hours.me/blog/2020/10/12/dns-rebindig-basics-revised/

Transcript

  4. (slide 6) Came from the Kanda-Sudacho direction? (Note: Eiwa System Management's Tokyo office is located in Kanda-Sudacho.)
     Distinguished Engineer, "TDD with git", "Long live engineering": Koichi ITO.
     Super duper wakamono, "Rails refactoring learned through code review drills": 9sako6.
     Me, "How DNS works, learned with ActionDispatch::HostAuthorization": yucao24hours.
     A Living Legend: a_matsuda (coming soon).
  5. (slide 7) What I will talk about today:
     DNS basics • what DNS is • making queries more efficient
     DNS rebinding • preparing for the attack • how the attack plays out
     The HostAuthorization Rack middleware • how to spot DNS rebinding • what Rails' HostAuthorization is
  6. (slide 21) How name resolution works, and making queries more efficient. The user asks the full resolver, which performs name resolution on the user's behalf. The full resolver asks the authoritative server for yucao24hours.me., which answers "the IP address of yucao24hours.me is 99.84.130.27, TTL 60". The full resolver then tells the user "the IP address of yucao24hours.me is 99.84.130.27".
  7. (slide 25) The user wants to know the IP address of yucao24hours.me and asks the full resolver (the name resolution proxy). The full resolver already holds the authoritative server's record "the IP address of yucao24hours.me is 99.84.130.27, TTL 60", so it does not need to ask the authoritative server yucao24hours.me. again.
  8. (slide 26) The full resolver answers the user "the IP address of yucao24hours.me is 99.84.130.27" from the record it holds (TTL 60). This is how name resolution is made more efficient.
  9. (slide 35) Preparing for the attack. The attacker runs a trap site, kougeki.com, at 243.102.110.103. Its authoritative server answers "the IP address of kougeki.com is 243.102.110.103, TTL 3", and the site is set up to return attack JavaScript coded to "n seconds after the page loads, automatically access kougeki.com and do xxx (something bad) there".
  10. (slide 38) How the attack plays out. The target, Y-san, wants to know the IP address of kougeki.com and asks the full resolver (the name resolution proxy) "what is the IP address of kougeki.com?". Also in the diagram: the attacker, the authoritative server kougeki.com., and the addresses 243.102.110.103 and 133.127.254.9.
  11. (slide 39) The authoritative server kougeki.com. answers the full resolver "the IP address of kougeki.com is 243.102.110.103, TTL 3", and the full resolver tells Y-san "the IP address of kougeki.com is 243.102.110.103".
  12. (slide 42) Y-san's browser accesses 243.102.110.103, which returns the attack JavaScript coded to "n seconds after the page loads, automatically access kougeki.com and do xxx there". The full resolver still holds "the IP address of kougeki.com is 243.102.110.103, TTL 3".
  13. (slide 47) The second lookup: Y-san again wants to know the IP address of kougeki.com and asks the full resolver, which asks the authoritative server kougeki.com. "what is the IP address of kougeki.com?".
  14. (slide 48) This time the authoritative server answers "the IP address of kougeki.com is 133.127.254.9, TTL 86400", and the full resolver tells Y-san "the IP address of kougeki.com is 133.127.254.9".
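As an added illustration (not code from the slides), the toy full resolver below replays the lookups above with a manual clock: within the 60-second TTL yucao24hours.me is answered from cache, while kougeki.com's 3-second TTL forces a second upstream query that returns a different address. The names, addresses and TTLs are the deck's; the class, the clock and the `replay` helper are constructed for this example.

```ruby
# Constructed authoritative answers, one record per query the server receives:
# the deck's own names, addresses and TTLs from slides 21 to 48.
AUTHORITATIVE = {
  "yucao24hours.me" => [["99.84.130.27", 60]],
  "kougeki.com"     => [["243.102.110.103", 3], ["133.127.254.9", 86400]],
}

# Toy full resolver: answers from cache while the record's TTL has not
# expired, otherwise asks the authoritative server on the user's behalf.
class FullResolver
  Entry = Struct.new(:address, :expires_at)
  attr_reader :upstream_queries

  def initialize(authoritative, clock:)
    @records = authoritative.transform_values(&:dup)
    @cache = {}
    @clock = clock              # callable returning the current time in seconds
    @upstream_queries = Hash.new(0)
  end

  def resolve(name)
    now = @clock.call
    entry = @cache[name]
    return entry.address if entry && entry.expires_at > now   # cache hit
    address, ttl = ask_authoritative(name)
    @cache[name] = Entry.new(address, now + ttl)
    address
  end

  private

  # Serves the records in order, keeping the last one for all later queries.
  def ask_authoritative(name)
    @upstream_queries[name] += 1
    records = @records.fetch(name)
    records.length > 1 ? records.shift : records.first
  end
end

# Replay one name with a manual clock: a lookup, another one second later, and
# a third after wait_seconds. Returns the three answers and the upstream count.
def replay(name, wait_seconds)
  clock = 0.0
  resolver = FullResolver.new(AUTHORITATIVE, clock: -> { clock })
  answers = [resolver.resolve(name)]
  clock += 1
  answers << resolver.resolve(name)
  clock += wait_seconds
  answers << resolver.resolve(name)
  [answers, resolver.upstream_queries[name]]
end
```

`replay("kougeki.com", 10)` shows the browser being handed 133.127.254.9 on the third lookup even though it asked for the same name each time, which is exactly why the deck turns to the Host header rather than the resolved address.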
  15. (slide 54) How to spot DNS rebinding: by the nature of the attack, the domain name that was used for name resolution appears in the Host header. (Note: XMLHttpRequest does not let the user change the Host header.)

```http
GET /login.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: kougeki.com
Accept-Language: ja-JP
```
  16. (slide 56) How to spot DNS rebinding: a valid request and an invalid request.

```http
# Valid Request
GET /login.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: piyostragram.com
Accept-Language: ja-JP

# Invalid Request
GET /login.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: kougeki.com
Accept-Language: ja-JP
```
  17. (slide 59) What is Rails' HostAuthorization? It creates an allowlist of Hosts:

```ruby
Rails.application.config.hosts = [
  IPAddr.new("0.0.0.0/0"), # All IPv4 addresses.
  IPAddr.new("::/0"),      # All IPv6 addresses.
  "localhost"              # The localhost reserved domain.
]
```
  18. (slide 75) References: DNS basics
     - A Textbook for Really Understanding DNS (DNS がよくわかる教科書), SB Creative: https://www.sbcr.jp/product/4797394481/
     - [What is the Internet] 1-2. Domain names and IP addresses: domain names (JPNIC): https://youtu.be/l2XZBjOEK2w
     - How domain names work (ドメイン名のしくみ), JPNIC: https://www.nic.ad.jp/ja/dom/system.html
     - Don't say "propagation"! (浸透いうな!): http://www.e-ontap.com/dns/propagation/
     - Cutting down the urban legend of DNS propagation: DNS over lunch (JPRS): https://jprs.jp/tech/material/iw2011-lunch-L1-01.pdf
  19. (slide 76) References: DNS rebinding
     - Countermeasures against and analysis of DNS rebinding attacks (DNS rebinding attack の対策と考察): https://dnsops.jp/bof/20071119/dnsrebinding-20071119.pdf
     - Protecting Browsers from DNS Rebinding Attacks: https://crypto.stanford.edu/dns/
     - DNS Rebinding, today's term special edition (Hiroshi Tokumaru's diary): https://blog.tokumaru.org/2007/11/dns-rebinding.html
  20. (slide 77) References: ActionDispatch::HostAuthorization (1/2)
     - Guard against DNS rebinding attacks by permitting hosts, by gsamokovarov, Pull Request #33145, rails/rails: https://github.com/rails/rails/pull/33145/
     - #3397 ([PATCH] CgiRequest returns incorrect host name in event of multiple proxies), Rails Trac: https://web.archive.org/web/20100618053001/http://dev.rubyonrails.org/ticket/3397
     - X-Forwarded-Host, HTTP | MDN: https://developer.mozilla.org/ja/docs/Web/HTTP/Headers/X-Forwarded-Host
     - Target group health checks, Elastic Load Balancing: https://docs.aws.amazon.com/ja_jp/elasticloadbalancing/latest/network/target-group-health-checks.html
     - Troubleshooting failing Application Load Balancer health checks: https://aws.amazon.com/jp/premiumsupport/knowledge-center/elb-fix-failing-health-checks-alb/
  21. (slide 78) References: ActionDispatch::HostAuthorization (2/2)
     - Practical Web Cache Poisoning | PortSwigger Research: https://portswigger.net/research/practical-web-cache-poisoning
     - How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy (Symfony Docs): https://symfony.com/doc/current/deployment/proxies.html