Cyberattacks include attacks aimed at specific targets, such as ransomware, indiscriminate ones such as phishing scams, and bot attacks such as denial-of-service attacks (DDoS) that flood the websites and servers of companies and organizations with excessive requests and data; all of these have been on the rise in recent years. Beyond the direct financial cost, being hit damages brand reputation and customer trust. Companies and organizations are also forced to absorb hidden costs: higher costs from downgraded credit ratings, write-downs or loss of intellectual property, and weakened negotiating power for sales teams.
Bot attacks keep increasing
Attacks that use bots deserve particular attention. Roughly one quarter of Internet traffic is said to be malicious bot traffic. With the spread of mobile and IoT devices, the rise of serverless architectures hosted in public clouds, and growing dependence on machine-to-machine communication, bot attacks increasingly target APIs, which emerged as the bridge that eases communication between different application architectures. Today 81% of organizations report attacks against their APIs, and 75% of organizations experienced a bot attack within a 12-month period.
Bot attacks include account takeover, web scraping, inventory denial, application DoS, payment data abuse, and tampering with marketing analytics data. Across Radware's customer base, the share of malicious bot traffic in the first half of 2020 rose 50% compared with 2019.
Modern applications and services depend heavily on API integration and communication. By simplifying architecture and delivery, APIs bring synergy and efficiency to business operations, but they also introduce a range of risks and vulnerabilities. For many organizations APIs are becoming the number one application security risk. As the need for cloud and APIs grows and security visibility declines, applications are becoming ever more vulnerable.
API vulnerabilities
There are four main factors behind API vulnerabilities.
1. Authentication flaws and account takeover
Many APIs do not check the authentication state when a request appears to come from a genuine user. Attackers exploit such flaws in a variety of ways, including session hijacking and account aggregation, to mimic genuine API calls. They reverse-engineer mobile applications to discover how the APIs are called. When an API key is embedded in the application, an API breach becomes possible; API keys must not be used for user authentication. Cybercriminals also run credential stuffing attacks to take over user accounts.
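The distinction drawn above, that an embedded API key identifies the app while user authentication needs a separate, server-issued credential, as an added Python example (not code from the original article or from Radware). The key, the secret and the token format are constructed for illustration; a real deployment would use an established token standard and rotate its secrets.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (hypothetical, not from any real app or service).
# An API key shipped inside a mobile binary can be recovered by reverse engineering,
# so it can only ever identify the *application*, never the *user*.
APP_API_KEY = "example-app-key-shipped-in-the-binary"
# This secret stays on the server, so knowing APP_API_KEY does not let anyone mint tokens.
SERVER_TOKEN_SECRET = b"example-server-side-secret-never-sent-to-clients"


def issue_user_token(user_id, ttl_seconds=3600, now=None):
    """Mint a user-bound, expiring token after the user has actually logged in
    (password/MFA verification is assumed to happen before this call)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user_id, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    sig = hmac.new(SERVER_TOKEN_SECRET, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(sig).decode())


def verify_user_token(token, now=None):
    """Return the user id the token is bound to, or None if it is forged or expired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(SERVER_TOKEN_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return None
    return claims["sub"]


def authorize_weak(headers, requested_user):
    """The flaw the text describes: the embedded API key doubles as user authentication,
    so whoever extracted it can read any account. Kept only as the 'before' case."""
    return headers.get("X-API-Key") == APP_API_KEY


def authorize_hardened(headers, requested_user, now=None):
    """The API key only identifies the calling app; access to a user's data additionally
    requires a valid user token whose subject is that very user."""
    if headers.get("X-API-Key") != APP_API_KEY:
        return False
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    subject = verify_user_token(token, now)
    return subject is not None and subject == requested_user
```

With only the API key, `authorize_weak` grants access to any account, which is exactly the breach path the text warns about; `authorize_hardened` grants access only when the token subject matches the account being requested.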
2. Lack of robust encryption
Many APIs lack strong encryption between the API client and the server, and attackers exploit this weakness with man-in-the-middle attacks: they intercept unencrypted or unprotected API transactions to steal sensitive information or tamper with transaction data. The ubiquitous use of mobile devices, cloud systems, and microservice patterns further complicates API security, because multiple gateways are involved in enabling interoperability between diverse web applications. Encrypting the data that flows through all of these channels is therefore essential.
3. Business logic vulnerabilities
APIs are vulnerable to business logic abuse. This is why a dedicated bot management solution is needed, and why applying detection heuristics meant to fit both web apps and mobile apps produces so many errors, namely false positives and false negatives.
4. Poor endpoint security
Most IoT devices and microservice tools are programmed to communicate with servers over API channels, and these devices authenticate themselves to the API server with client certificates. A hacker who tries to take control of an API from an IoT endpoint and succeeds can easily re-sequence the order of API calls, which ultimately leads to a data breach.
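The two configuration points from factors 2 and 4, encrypting every API channel with verified TLS and authenticating IoT endpoints with client certificates, as an added Python example using the standard `ssl` module (not code from the original article or from Radware). The weak context is included only as the 'before' case, and the certificate paths in `mtls_server_context` are placeholders for whatever a deployment supplies.

```python
import ssl


def weak_client_context():
    """Constructed 'before' configuration: the client accepts any certificate, so a
    man-in-the-middle can terminate the TLS session and read or alter API traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Context an API client should use: the server certificate is validated against
    trusted CAs (the system store, or `cafile` for a private PKI), the hostname is
    checked, and protocol versions below TLS 1.2 are refused."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def mtls_server_context(certfile, keyfile, client_cafile):
    """Server side of mutual TLS for IoT endpoints: the server presents its own certificate
    and refuses any client that cannot present one signed by the device CA.
    All three paths are placeholders to be supplied by the deployment."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED       # client certificate is mandatory, not optional
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Return the policy violations found in a context; an empty list means it passes.
    Suitable as a unit test in an API client's own test suite."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings
```

Running `audit_context` over both client contexts shows the difference: the hardened one reports nothing, the weak one reports that neither the certificate nor the hostname is verified, which is the precondition for the interception the text describes.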
Symptoms of bot attacks on APIs
Bot attacks on APIs arising from the factors above show symptoms such as the following.
1. Single HTTP requests (from a unique browser, session, or device)
2. Increased error rates (HTTP status code 404, data validation failures, authentication failures, and so on)
3. Unusually high application usage from a single IP address or API token
4. A sudden surge in API usage from a large, distributed set of IP addresses
5. A higher ratio of GET/POST/HEAD requests per user, session, IP address, or API token than legitimate users show
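Symptoms 2 to 5 turned into detection logic over an API access log, as an added Python example that is not code from the original article or from Radware. The log format, the sample records and the thresholds are constructed for the example; symptom 1 needs client fingerprinting and is not covered here.

```python
from collections import defaultdict
from statistics import median

ERROR_STATUSES = {400, 401, 403, 404, 422}


def build_sample_log():
    """Constructed API access log, one record per line:
    "<epoch> <client_ip> <api_token> <method> <path> <status>". Not real traffic."""
    lines, t0 = [], 1700000000
    # Baseline: five ordinary clients browsing items, mostly GET, all successful.
    for i in range(30):
        method = "POST" if i % 7 == 0 else "GET"
        lines.append("%d 203.0.113.%d tok-user%d %s /api/v1/items/%d 200"
                     % (t0 + i, 10 + i % 5, i % 5, method, i))
    # Symptoms 2 and 3: one token from one address walking item ids, mostly 404s.
    for i in range(40):
        status = 404 if i % 4 else 200
        lines.append("%d 198.51.100.7 tok-scraper GET /api/v1/items/%d %d"
                     % (t0 + 60 + i, 900 + i, status))
    # Symptoms 4 and 5: a burst of failed POST /login calls from 25 different addresses.
    for i in range(25):
        lines.append("%d 192.0.2.%d tok-mobile POST /api/v1/login 401" % (t0 + 120 + i, i + 1))
    return lines


def parse_line(line):
    ts, ip, token, method, path, status = line.split()
    return {"ts": int(ts), "ip": ip, "token": token, "method": method,
            "path": path, "status": int(status)}


def analyze(lines, window=60, max_requests=20, error_rate=0.5, min_requests=10, surge_factor=3):
    """Apply symptoms 2-5 to the log and return (symptom, subject, value) findings.
    Thresholds are constructed defaults; tune them to the application's real baseline."""
    recs = [parse_line(line) for line in lines]
    by_token, by_ip, ips_per_window = defaultdict(list), defaultdict(list), defaultdict(set)
    t0 = min(r["ts"] for r in recs)
    for r in recs:
        by_token[r["token"]].append(r)
        by_ip[r["ip"]].append(r)
        ips_per_window[(r["ts"] - t0) // window].add(r["ip"])
    findings = []
    # Symptom 2: elevated error rate (404s, validation failures, auth failures) per token
    for token, rs in by_token.items():
        errors = sum(r["status"] in ERROR_STATUSES for r in rs)
        if len(rs) >= min_requests and errors / len(rs) >= error_rate:
            findings.append(("high_error_rate", token, round(errors / len(rs), 2)))
    # Symptom 3: unusually high usage from a single IP address or API token
    for ip, rs in by_ip.items():
        if len(rs) > max_requests:
            findings.append(("high_volume_ip", ip, len(rs)))
    for token, rs in by_token.items():
        if len(rs) > max_requests:
            findings.append(("high_volume_token", token, len(rs)))
    # Symptom 4: surge in distinct source addresses compared with the first (baseline) window
    baseline = len(ips_per_window[0])
    for w in sorted(ips_per_window):
        if w and len(ips_per_window[w]) > surge_factor * baseline:
            findings.append(("distributed_surge", "window%d" % w, len(ips_per_window[w])))
    # Symptom 5: write-heavy request mix (POST share) compared with the typical token
    post_share = {tok: sum(r["method"] == "POST" for r in rs) / len(rs)
                  for tok, rs in by_token.items()}
    typical = median(post_share.values())
    for token, share in post_share.items():
        if len(by_token[token]) >= min_requests and share > surge_factor * typical:
            findings.append(("write_heavy_token", token, round(share, 2)))
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

On the constructed log the scraper token trips the error-rate and volume checks, the login burst trips the distributed-surge and write-heavy checks, and none of the five baseline clients is flagged; each finding names the subject (token, address or time window) that a block/allow decision would act on.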
Challenges in keeping modern applications secure
Challenge 1: Managing bots
According to Radware's Web Application Security Report, nearly 60% of Internet traffic is generated by bots, and half of that comes from malicious bot traffic. Organizations invest in expanding network capacity and end up serving phantom demand. Accurately distinguishing human traffic from bot-based traffic, and good bots (search engines, price comparison services, and the like) from bad bots, leads to substantial cost savings and a better customer experience.
That is no longer easy, because bots can mimic human behaviour and evade CAPTCHAs and other challenges. Dynamic IP attacks also neutralize IP-based protection. Open-source development tools that can process client-side JavaScript (PhantomJS, for example) are frequently abused to carry out brute force, credential stuffing, DDoS, and other automated bot attacks.
Managing bot-generated traffic effectively requires a unique identification of the source, something like a fingerprint. Because a bot attack consists of many transactions, fingerprinting lets an organization track suspicious activity, attribute violation scores to it, and make block/allow decisions while keeping the false positive rate to a minimum.
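Fingerprinting with accumulated violation scores, as described above, as an added Python example (not code from the original article or from Radware). The fingerprint attributes, the violation weights and the thresholds are constructed assumptions; the point is that a source is tracked across IP changes and is blocked only once several violations add up, which is what keeps the false positive rate down.

```python
import hashlib
import json
from collections import defaultdict

# Attributes that stay stable for one client even when its IP address changes.
# Which attributes a product actually collects is an assumption here; these are illustrative.
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "screen", "timezone", "webgl_renderer")

# Violation weights are constructed for this example, not taken from any product.
VIOLATION_WEIGHTS = {
    "headless_ua": 30,       # user agent of an automation framework
    "no_input_events": 20,   # form submitted with no mouse/keyboard activity
    "captcha_failed": 25,
    "rapid_fire": 15,        # requests faster than a person could click
    "invalid_token": 10,     # weak signal on its own: humans mistype too
}


def fingerprint(tx):
    """Hash the stable client attributes into a short source identifier (the IP is excluded)."""
    material = json.dumps({k: tx.get(k) for k in FINGERPRINT_FIELDS}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


class ViolationTracker:
    """Accumulates a violation score per fingerprint across transactions. One suspicious
    signal never blocks on its own; repeated violations from the same source cross the
    challenge threshold first and the block threshold after that."""

    def __init__(self, challenge_at=40, block_at=70):
        self.challenge_at, self.block_at = challenge_at, block_at
        self.scores = defaultdict(int)
        self.ips_seen = defaultdict(set)

    def observe(self, tx):
        fp = fingerprint(tx)
        self.ips_seen[fp].add(tx["ip"])
        self.scores[fp] += sum(VIOLATION_WEIGHTS.get(v, 0) for v in tx.get("violations", ()))
        return fp, self.decide(fp)

    def decide(self, fp):
        score = self.scores.get(fp, 0)
        if score >= self.block_at:
            return "block"
        if score >= self.challenge_at:
            return "challenge"
        return "allow"


def run_sample():
    """Constructed transactions: a person who mistypes a password once, and a bot that
    rotates IP addresses but keeps the same client attributes."""
    human = {"user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0", "accept_language": "en-GB",
             "screen": "1920x1080", "timezone": "Europe/London", "webgl_renderer": "ANGLE (Intel)"}
    bot = {"user_agent": "Mozilla/5.0 HeadlessChrome/118.0", "accept_language": "en-US",
           "screen": "800x600", "timezone": "UTC", "webgl_renderer": None}
    txs = [
        dict(human, ip="203.0.113.5", violations=["invalid_token"]),
        dict(human, ip="203.0.113.5", violations=[]),
        dict(bot, ip="198.51.100.1", violations=["headless_ua"]),
        dict(bot, ip="198.51.100.2", violations=["rapid_fire"]),
        dict(bot, ip="198.51.100.3", violations=["captcha_failed"]),
        dict(bot, ip="198.51.100.4", violations=["rapid_fire"]),
    ]
    tracker = ViolationTracker()
    decisions = [tracker.observe(tx)[1] for tx in txs]
    return decisions, tracker
```

The human's single mistyped password scores 10 and is allowed; the bot is allowed on its first transaction, challenged on the second and blocked from the third onwards, even though every one of its transactions came from a different address.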
Challenge 2: API security
Many applications collect information and data from services they interact with through APIs. Yet in more than 50% of organizations, APIs that carry sensitive data are neither inspected nor protected in a way that would detect cyberattacks. Vulnerabilities exist across the common API use cases: (1) IoT integration, (2) machine-to-machine communication, (3) serverless environments, (4) mobile applications, and (5) event-driven applications.
API vulnerabilities resemble application vulnerabilities: injection, protocol attacks, parameter manipulation, unvalidated redirects, bot-generated attacks, and so on. Dedicated API gateways evolved to ensure interoperability between application services that interact through APIs, but they cannot provide the end-to-end application security that a WAF equipped with the necessary security controls can: HTTP parsing, Layer 7 ACL management, parsing and validation of JSON/XML payloads, schema enforcement, and full coverage of the OWASP Top 10 vulnerabilities. That is achieved by extracting and inspecting the key API values using both a positive and a negative security model.
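The positive and negative security models the paragraph ends on, applied to one JSON API request body, as an added Python example (not code from the original article, from Radware or from any WAF product). The schema, the endpoint and the signature patterns are constructed for illustration; a real WAF maintains far larger, curated signature sets and learns the schema from traffic or an API specification.

```python
import json
import re

# Positive model: constructed schema for a hypothetical "create order" endpoint.
# Only these fields, with these types and ranges, are acceptable; everything else is rejected.
ORDER_SCHEMA = {
    "sku":      {"type": str, "pattern": r"[A-Z0-9-]{3,20}"},
    "quantity": {"type": int, "min": 1, "max": 100},
    "note":     {"type": str, "maxlen": 200, "optional": True},
}

# Negative model: illustrative signatures for well-known injection shapes, constructed for
# the example. Known-bad patterns catch what the schema alone would let through in free text.
NEGATIVE_SIGNATURES = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in (
    ("sql_injection",      r"\b(or|and)\b\s+\d+\s*=\s*\d+|union\s+select|--\s*$"),
    ("script_tag",         r"<\s*script\b"),
    ("path_traversal",     r"\.\./"),
    ("template_injection", r"\{\{.*\}\}"),
)]


def validate_payload(raw, schema=ORDER_SCHEMA):
    """Return the list of reasons to reject a JSON request body; an empty list means accept."""
    errors = []
    try:
        data = json.loads(raw)
    except ValueError:
        return ["malformed JSON"]
    if not isinstance(data, dict):
        return ["payload must be a JSON object"]
    for key in data:                                   # positive model: no unknown fields
        if key not in schema:
            errors.append("unexpected field '%s'" % key)
    for key, rule in schema.items():
        if key not in data:
            if not rule.get("optional"):
                errors.append("missing field '%s'" % key)
            continue
        value = data[key]
        if type(value) is not rule["type"]:            # 'is not' also rejects bool-as-int
            errors.append("field '%s' has wrong type" % key)
            continue
        if isinstance(value, str):
            if len(value) > rule.get("maxlen", len(value)):
                errors.append("field '%s' exceeds %d characters" % (key, rule["maxlen"]))
            if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
                errors.append("field '%s' does not match its allowed format" % key)
            for name, signature in NEGATIVE_SIGNATURES:   # negative model on string values
                if signature.search(value):
                    errors.append("field '%s' matches signature %s" % (key, name))
        else:
            if value < rule.get("min", value) or value > rule.get("max", value):
                errors.append("field '%s' is out of range" % key)
    return errors
```

The two models complement each other: the schema rejects an extra `is_admin` field or a boolean where an integer belongs without needing any signature, while the signatures catch an injection string in the free-text `note` field that the schema's length limit alone would accept.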
Challenge 3: Denial of service
DoS is an old attack vector that still proves effective against applications. HTTP and HTTPS floods, low-and-slow attacks (SlowLoris, LOIC, Torshammer), dynamic IP attacks, buffer overflows, brute force attacks: there are several techniques attractive to perpetrators for disrupting an application's service. Enticed by IoT botnets, attackers have come to favour application-layer attacks as a DDoS vector. Most WAFs are stateful devices that can only hold a limited volume of traffic. They do, however, have the ability to deeply inspect HTTP/S traffic (some WAFs build baselines, which is very effective against unknown threats) and to detect attacks and malicious attempts. Once an attack has been detected, there is no reason to let it through again. To compensate for the WAF's limited mitigation capacity, a dedicated perimeter solution is needed that automatically blocks the next malicious packet, and for that to work the two solutions must communicate with each other.
Challenge 4: Continuous security
Applications change frequently. Development and rollout methodologies such as continuous delivery mean that applications are modified continuously without human intervention or oversight. Maintaining an effective security policy that protects sensitive data in such a dynamic setting is very difficult to do without generating many false positives. Mobile applications change far more often than web applications. How do you know when a third-party app you rely on has changed? Some try to improve visibility in order to recognize the risk, but that is not always possible; robust application protection must draw on machine learning that maps application resources, analyzes the potential threats, and creates and optimizes the security policy whenever the application changes.
To overcome these challenges and keep modern applications secure, Bot Manager technology is needed to analyze legitimate-looking traffic for bot traffic that has blended in and for signs of bot attacks.
In the latest "2020 Critical Capabilities for Application/API Protection" report*, Radware achieved the highest score in two of the four use cases (3.57/5 for the API use case and 3.66/5 for the high-security use case).
*Gartner, "Critical Capabilities for Cloud Web Application and API Protection", Jeremy D'Hoinne, Adam Hils, Rajpreet Kaur, John Watts, published 10 November 2020
Author: Yaniv Hoffman, Vice President of Sales, Asia Pacific, Radware