开发者社区 问答 正文

A security issue can make a DoS attack in the ASM.

We find a docker security issue to exhaust all struct files in Linux Kernel and causing a DoS attack in the Alibaba ASM environment.

Reproduction steps:

  1. Follow the ASM tutorial to set up ASM clusters. We use two Virtual Machine with 16G memory, 120G ESSD Disk, CentOS 7.7 OS, Kubernetes Version V1.18.8-aliyun.1, and Docker Version 19.3.5, to set the Alibaba Kubernetes Cluster. All those settings are done through Alibaba ASM UI.
  2. Deploy the docker unprivileged malicious container with UID 1000, dropping all capabilities, using limited memory 4G, running on special core, and disable privilege escalation. We run the malicious container in a separate Kubernetes Namespace.
  3. Inside the malicious container, we repeatedly make the timerfd_create/open syscalls. In the malicious container, we start 2100 processes, each process with a 1024 max number of open files, which is the default ulimit value. In total, around 2097152 number struct-file are consumed and there is no available struct-file in the kernel. As a result, the victim container can't create any new files. The total consumed memory of the malicious container is less than 4G, which is small, so the memory control group cannot help.

Is there any way to defend against this attack inside the Alibaba ASM environment? Looking forward to your reply!

展开
收起
游客y22wf6xkdpy2s 2021-04-20 20:18:57 399 分享 版权
阿里云 AI 助理回答

The security issue you've described involves a Denial of Service (DoS) attack through exhaustion of struct file resources in the Linux kernel, leveraging Docker containers within the Alibaba Cloud Container Service for Kubernetes (ACK) managed by Alibaba Cloud Application Service Mesh (ASM). To mitigate such an attack within the ASM environment, consider implementing the following strategies:

  1. Resource Quotas and Limit Ranges: In Kubernetes, you can define Resource Quotas at the namespace level to limit the aggregate resource consumption, including the number of pods and other resources. Although this doesn't directly limit the number of open files per pod, it can help prevent the scale of the attack by limiting the total number of pods that can be created in a namespace.

  2. Pod Security Policies (DEPRECATED): While Pod Security Policies (PSP) have been deprecated in favor of Pod Security Admission, if your cluster still supports PSP, you could create policies to restrict capabilities like the ability to run processes with high resource usage or specific syscalls. However, note that you should start transitioning to Pod Security Admission Controller as PSP is no longer recommended.

  3. Pod Security Admission: This is the recommended approach replacing Pod Security Policies. Configure Pod Security Admission settings to enforce restrictions on what types of pods are allowed to run. You can set rules to disallow or limit certain behaviors, such as running privileged containers, using host namespaces, or making specific system calls.

  4. Seccomp (Secure Computing Mode): Seccomp allows you to filter out potentially dangerous syscalls made by containers. By default, Docker uses a default profile that blocks some dangerous syscalls. You can customize a seccomp profile to specifically block timerfd_create and open syscalls or any others deemed risky for this type of attack.

  5. Namespace Resource Limits: Investigate if there's a way to set ulimits at the namespace level or container level more granularly than the default, to restrict the maximum number of open files per process. This would directly address the exploit vector you've outlined.

  6. Kubernetes Event Monitoring and Alerting: Enhance monitoring and alerting around Kubernetes events, especially those related to resource utilization and pod creation, to quickly detect abnormal behavior that might indicate an ongoing attack.

  7. Intrusion Detection/Prevention Systems (IDS/IPS): Consider deploying an IDS/IPS solution that integrates with your Kubernetes cluster to monitor and block malicious activity, including unusual syscall patterns.

  8. Regular Updates and Patches: Ensure your Kubernetes cluster, Docker, and all components are regularly updated to the latest stable versions, which often include security patches addressing known vulnerabilities.

Given the complexity and potential impact of the described attack, it's advisable to engage with Alibaba Cloud support directly to discuss these mitigation strategies and possibly receive guidance on additional safeguards specific to the ASM environment. They may also be able to provide insights into upcoming features or configurations that could further harden your setup against such attacks.

有帮助
无帮助
AI 助理回答生成答案可能存在不准确,仅供参考
0 条回答
写回答
取消 提交回答