
Understanding DNS with ActionDispatch::HostAuthorization

Yuka Kato
October 03, 2020


This is the talk I gave at Kaigi on Rails, held on October 3, 2020 (20-minute slot).

## Addendum, 2020/10/12
Because the slides alone do not make the characteristics of the attack easy to follow, I wrote an additional explanation in the following post on my personal blog:
https://yucao24hours.me/blog/2020/10/12/dns-rebindig-basics-revised/


Transcript

  1. Kaigi on Rails, presented by yucao24hours
    ActionDispatch::HostAuthorization と学ぶ DNS のしくみ
    (Understanding DNS with ActionDispatch::HostAuthorization)
    Photo by Gauravdeep Singh Bansal on Unsplash

  2. Hello, I'm… yucao24hours
    Agile Business Division, Eiwa System Management (永和システムマネジメント)
    I work with Rails, and agile development is what I am good at and enjoy
    Favourite dog breeds: Siberian Husky, German Shepherd
    I look forward to your feedback on today's talk!

  3. Speakers from around Kanda-Sudacho(?)
    (Note: the Tokyo branch of Eiwa System Management is located in Kanda-Sudacho)
    Koichi ITO, Distinguished Engineer: "TDD with git" (Long live engineering)
    9sako6, Super duper wakamono: Rails refactoring learned from code-review drills
    yucao24hours (me): Understanding DNS with ActionDispatch::HostAuthorization
    a_matsuda, A Living Legend: coming soon

  4. What I will talk about today
    DNS basics
    • What DNS is
    • Making queries more efficient
    DNS rebinding
    • Preparing the attack
    • How the attack unfolds
    The HostAuthorization Rack middleware
    • How to detect DNS rebinding
    • What Rails's HostAuthorization is

  5. Topic: DNS basics
    • What DNS is
    • Making queries more efficient
    Photo by Stephane YAICH on Unsplash

  6. What DNS is
    DNS … Domain Name System

  7. What DNS is
    Identifying a host on the Internet… the IP address
    IPv4 address / IPv6 address
    Being strings of digits, they are hard for humans to remember and manage

  8. What DNS is
    An identifier that is easy for humans to handle… a name
    Easy to remember, easy to interpret
    Fits the idea of "distributed management" (the real appeal of domains and DNS, but not today's topic)
    A "scope" on the Internet… a domain
    The name given to each domain is its domain name

  9. What DNS is
    The basic roles of DNS
    Manage the mapping between domain names and IP addresses
    When needed, find the IP address that corresponds to a domain name: name resolution

  10-13. Making queries more efficient (one diagram, built up over four slides)
    Management is delegated per domain name
    yucao24hours.me: "the IP address of yucao24hours.me is 99.84.130.27", TTL 60
    agile.esm.co.jp: "the IP address of agile.esm.co.jp is 13.33.9.96", TTL 60
    kaigionrails.org: "the IP address of kaigionrails.org is 185.199.109.153", TTL 3600

  14-23. Making queries more efficient: how name resolution works (animated sequence; the frames differ only in which step is highlighted)
    Actors: the user, the full resolver ("the delegate that performs name resolution"), and the authoritative server for yucao24hours.me.
    1. The user wants to know the IP address of yucao24hours.me and asks the full resolver.
    2. The full resolver asks the authoritative server: "What is the IP address of yucao24hours.me?"
    3. The authoritative server answers: "The IP address of yucao24hours.me is 99.84.130.27", TTL 60.
    4. The full resolver caches that answer (with its TTL of 60) and returns 99.84.130.27 to the user.
    5. When the user asks again while the cached entry is still within its TTL, the full resolver answers 99.84.130.27 from its cache without querying the authoritative server again.

  24. DNS summary
    A mechanism that manages the mapping between domain names and IP addresses and performs name resolution
    The full resolver performs name resolution on the user's behalf
    The full resolver may cache the result of a query to the authoritative server for a certain period of time
    If the full resolver has a cached result from an earlier query, it answers the user from that cache and does not issue a new query to the authoritative server
    The time for which the full resolver may cache a response (the TTL) is decided by the administrator of each zone

  25. If you want to learn more about DNS…
    DNS がよくわかる教科書 | SB Creative
    https://www.sbcr.jp/product/4797394481/

  26. Topic: DNS rebinding
    • Preparing the attack
    • How the attack unfolds
    Photo by Jonatan Lewczuk on Unsplash

  27-32. Preparing the attack (one diagram, built up over several slides)
    The target service: Piyostagram, piyostagram.com, 133.127.254.9
    The attacker owns the domain kougeki.com and runs a trap site on it at 243.102.110.103
    The attacker's authoritative server answers "the IP address of kougeki.com is 243.102.110.103" with a very short TTL of 3
    The trap site is set up to return attack JavaScript coded as "N seconds after loading, automatically access kougeki.com again and do XXX (something bad) there"

  33. Starting the attack
    How the attack unfolds

  34-46. How the attack unfolds (animated sequence)
    Actors: the attacker (trap site at 243.102.110.103 and the authoritative server for kougeki.com.), the victim Y, Y's full resolver ("the delegate that performs name resolution"), and Piyostagram at 133.127.254.9
    1. Y clicks the link to kougeki.com in an e-mail.
    2. Y's browser wants the IP address of kougeki.com, so the full resolver asks the attacker's authoritative server.
    3. The authoritative server answers "the IP address of kougeki.com is 243.102.110.103", TTL 3; the full resolver caches this and returns 243.102.110.103 to Y.
    4. Y's browser loads the trap site, which returns the attack JavaScript ("N seconds after loading, automatically access kougeki.com and do XXX (something bad) there").
    5. The attacker's authoritative server is switched so that kougeki.com now answers with 133.127.254.9.
    6. After the 3-second TTL the cached entry expires, so when the JavaScript accesses kougeki.com again the full resolver must ask the authoritative server anew and receives "the IP address of kougeki.com is 133.127.254.9", TTL 86400.
    7. The browser still regards the page as kougeki.com, but the requests now go to Piyostagram at 133.127.254.9, where the script can read out personal information etc…

  47. How the attack unfolds
    Everything happened exactly as DNS specifies
    This is not an attack that exploits a vulnerability in DNS
    …so what can be done?

  48. DNS rebinding summary
    An attack technique that abuses the DNS specification
    The host name stays the same; it is the IP address that gets spoofed
    If a private-network IP address or similar is given after rebinding, private networks behind the firewall also become targets (attacking a server on the Internet, as in this example, is only one case)

  49. Topic: ActionDispatch::HostAuthorization
    • How to detect DNS rebinding
    • What Rails's HostAuthorization is
    Photo by Wolfgang Hasselmann on Unsplash

  50-51. How to detect DNS rebinding
    GET /login.html HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
    Host: kougeki.com
    Accept-Language: ja-JP
    Because of the nature of the attack, the domain name that was used for name resolution is written in the Host header
    (Note: with XMLHttpRequest, the user cannot change the Host header)

  52. How to detect DNS rebinding
    It is enough to check whether the value of the request's Host header is the intended domain name / IP address!

  53. How to detect DNS rebinding
    Valid request:
    GET /login.html HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
    Host: piyostagram.com
    Accept-Language: ja-JP
    Invalid request:
    GET /login.html HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
    Host: kougeki.com
    Accept-Language: ja-JP

  54. How to detect DNS rebinding
    What was implemented for this purpose is…

  55. What Rails's HostAuthorization is
    https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md#rails-600beta1-january-18-2019
    "This is a new middleware that guards against DNS rebinding attacks by explicitly permitting the hosts a request can be made to. Each host is checked with the case operator, and Regexp, Proc, IPAddr and custom objects are supported as host allowances."

  56. What Rails's HostAuthorization is
    Building the allow list of hosts
    Rails.application.config.hosts = [
      IPAddr.new("0.0.0.0/0"), # All IPv4 addresses.
      IPAddr.new("::/0"),      # All IPv6 addresses.
      "localhost"              # The localhost reserved domain.
    ]

  57. What Rails's HostAuthorization is
    By default, the allow list has entries only in the development environment
    https://github.com/rails/rails/blob/6-0-stable/railties/lib/rails/application/configuration.rb#L34
    Empty allow list → the Host header is not validated

  58. What Rails's HostAuthorization is
    If you want to enable validation outside the development environment too…
    # config/environments/#{environment}.rb
    Rails.application.config.hosts = [
      "yucao24hours.me" # Add the hostname you'd like to pass
    ]

  59. What Rails's HostAuthorization is
    Let's look at the implementation of the method that makes the decision
    https://github.com/rails/rails/blob/6-0-stable/actionpack/lib/action_dispatch/middleware/host_authorization.rb#L22-L30
    It compares the allow list with the values of the request headers (Host, X-Forwarded-Host)

  60. What Rails's HostAuthorization is
    Let's look at the implementation of the method that makes the decision
    https://github.com/rails/rails/blob/6-0-stable/actionpack/lib/action_dispatch/middleware/host_authorization.rb#L56-L67
    A request whose host is not allowed gets a 403 response

  61. What Rails's HostAuthorization is
    Rails.application.config.hosts << IPAddr.new("10.0.0.1/8")   # IPAddr
    Rails.application.config.hosts << /.*\.example\.com/         # Regexp
    Rails.application.config.hosts << "yucao24hours.me"          # String

  62. What Rails's HostAuthorization is
    A String starting with a dot permits subdomains
    Rails.application.config.hosts << ".example.com"
    https://github.com/rails/rails/blob/6-0-stable/actionpack/lib/action_dispatch/middleware/host_authorization.rb#L47-L53
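As an added worked example (my own code, not the Rails middleware itself), the Ruby class below reproduces the rules described on slides 56 to 62: a plain String must match exactly, a dot-prefixed String also admits subdomains, a Regexp is anchored, an IPAddr or any other object is matched with ===, both Host and X-Forwarded-Host are checked, an empty list disables the check, and a blocked request gets 403. Stripping a trailing :port and using the last X-Forwarded-Host value are assumptions modelled on Rails 6.0, not something the slides show.

```ruby
require "ipaddr"
# Added illustration, not Rails's own code: an allow-list checker that
# mirrors the documented rules of ActionDispatch::HostAuthorization.
class HostAllowList
  def initialize(hosts)
    @hosts = hosts.map { |h| sanitize(h) }
  end

  # Check a Rack env. Both Host and (the last) X-Forwarded-Host must be
  # allowed; an empty list skips validation, as Rails does by default.
  def authorized?(env)
    return true if @hosts.empty?
    host = strip_port(env["HTTP_HOST"].to_s)
    fwd  = strip_port(env["HTTP_X_FORWARDED_HOST"].to_s.split(/,\s?/).last.to_s)
    allows?(host) && (fwd.empty? || allows?(fwd))
  end

  # Status the middleware would answer with: 403 when blocked, nil to pass on.
  def status_for(env)
    authorized?(env) ? nil : 403
  end
  private
  # Assumption: a ":port" suffix is dropped before matching, as in Rails 6.0.
  def strip_port(h)
    h.sub(/:\d+\z/, "")
  end

  # A plain String must match exactly, ".example.com" also admits subdomains,
  # a Regexp is anchored, and IPAddr/Proc/custom objects are used as they are.
  def sanitize(host)
    case host
    when String
      body = host.start_with?(".") ? "(.+\\.)?#{Regexp.escape(host[1..-1])}" : Regexp.escape(host)
      /\A#{body}\z/i
    when Regexp then /\A#{host}\z/
    else host
    end
  end
  # Each entry is tried with ===; IPAddr === "kougeki.com" raises, which
  # simply counts as "not allowed".
  def allows?(host)
    @hosts.any? do |allowed|
      begin
        allowed === host
      rescue StandardError
        false
      end
    end
  end
end
```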

  63. What Rails's HostAuthorization is
    Trouble reports
    Health-check requests from AWS ELB/ALB to the Rails app carried a Host header that was not on the allow list, so they got 403
    Was using host.docker.internal from Docker Desktop for Mac, but it was not on the allow list, so requests got 403
    Was using lvh.me to connect, but it was not on the allow list, so requests got 403

  64. What Rails's HostAuthorization is
    If you already validate the Host header at a reverse proxy or similar, there is no need to go out of your way to configure an allow list

  65. What Rails's HostAuthorization is
    Don't simply empty the allow list; handle it in a way that fits your own service configuration

  66. HostAuthorization summary
    Introduced in Rails 6.0
    Requests whose Host / X-Forwarded-Host header contains a domain name not on the allow list get a 403 by default
    However, if the allow list is empty the headers are not validated (same behaviour as before)
    Configure it to match your own service's setup

  67. References: DNS basics
    DNS がよくわかる教科書 (SB Creative)
    https://www.sbcr.jp/product/4797394481/
    [What is the Internet] 1-2. Domain names and IP addresses: domain names (JPNIC)
    https://youtu.be/l2XZBjOEK2w
    How domain names work (JPNIC)
    https://www.nic.ad.jp/ja/dom/system.html
    浸透いうな! ("Don't say 'propagation'!")
    http://www.e-ontap.com/dns/propagation/
    Debunking the urban legend of DNS "propagation" (DNS with your lunch, JPRS)
    https://jprs.jp/tech/material/iw2011-lunch-L1-01.pdf

  68. References: DNS rebinding
    DNS rebinding attack: countermeasures and considerations (DNSOPS.JP)
    https://dnsops.jp/bof/20071119/dnsrebinding-20071119.pdf
    Protecting Browsers from DNS Rebinding Attacks
    https://crypto.stanford.edu/dns/
    DNS Rebinding (today's term, special edition) | Hiroshi Tokumaru's diary
    https://blog.tokumaru.org/2007/11/dns-rebinding.html

  69. References: ActionDispatch::HostAuthorization (1/2)
    Guard against DNS rebinding attacks by permitting hosts by gsamokovarov · Pull Request #33145 · rails/rails
    https://github.com/rails/rails/pull/33145/
    #3397 ([PATCH] CgiRequest returns incorrect host name in event of multiple proxies) - Rails Trac
    https://web.archive.org/web/20100618053001/http://dev.rubyonrails.org/ticket/3397
    X-Forwarded-Host - HTTP | MDN
    https://developer.mozilla.org/ja/docs/Web/HTTP/Headers/X-Forwarded-Host
    Health checks for your target groups - Elastic Load Balancing
    https://docs.aws.amazon.com/ja_jp/elasticloadbalancing/latest/network/target-group-health-checks.html
    Troubleshooting failing Application Load Balancer health checks
    https://aws.amazon.com/jp/premiumsupport/knowledge-center/elb-fix-failing-health-checks-alb/

  70. References: ActionDispatch::HostAuthorization (2/2)
    Practical Web Cache Poisoning | PortSwigger Research
    https://portswigger.net/research/practical-web-cache-poisoning
    How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy (Symfony Docs)
    https://symfony.com/doc/current/deployment/proxies.html