We found a Docker security issue that fills up the nf_conntrack_table of the host network namespace in the Linux kernel, causing a DoS attack in the Azure AKS environment.
Reproduction steps:
1. Follow the AKS tutorial to set up an AKS cluster. We use one virtual machine with 8 GB memory, a 120 GB SSD disk, the linux 5.4.0-1043-azure OS, Kubernetes version v1.18.14 and Docker version 19.3.14 to set up the Azure Kubernetes cluster. All those settings are done through the Azure Kubernetes UI.
2. Deploy two unprivileged malicious Docker containers with UID 1000; they both drop all capabilities, use a memory limit of 2G, run on a specific core and disable privilege escalation. We run the malicious containers with their own network namespace; besides, we run those malicious containers in a separate Kubernetes namespace.
3. We use three malicious containers to make many short TCP connections to a container running a simple nginx service. As a result, the host's nf_conntrack_table is filled up, causing random packet drops.
Is there any way to defend against this attack inside the Azure AKS environment? Looking forward to your reply!
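A check a practitioner would want at this point, added here as an example and not code from the original post, from Azure or from Docker: a small Python script that parses entries in the /proc/net/nf_conntrack format, attributes them to source IPs (the pod addresses shown are assumptions, as is the 80% warning threshold), and reports how close the table is to net.netfilter.nf_conntrack_max. The sample lines are constructed. Note the TIME_WAIT entries: a TCP connection that is opened and closed immediately still occupies a conntrack slot until net.netfilter.nf_conntrack_tcp_timeout_time_wait expires (120 seconds by default), which is why a connect/close loop exhausts the table far faster than the number of concurrently open connections suggests, and why the per-source breakdown points straight at the offending pod.

```python
"""Attribute nf_conntrack usage to source IPs and flag table exhaustion.

Added example (not from the original post). Parses text in the format of
/proc/net/nf_conntrack; the sample below is constructed, not captured from
the reporter's cluster, and the warning ratio is an assumption.
"""
import re
from collections import Counter

# Constructed sample: four TIME_WAIT entries left behind by one pod's
# short-lived connections to nginx (timeouts near the 120 s default),
# one established flow from another pod, and one UDP (DNS) entry.
SAMPLE_NF_CONNTRACK = """\
ipv4     2 tcp      6 118 TIME_WAIT src=10.244.1.5 dst=10.244.2.3 sport=40234 dport=80 src=10.244.2.3 dst=10.244.1.5 sport=80 dport=40234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=10.244.1.5 dst=10.244.2.3 sport=40235 dport=80 src=10.244.2.3 dst=10.244.1.5 sport=80 dport=40235 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 119 TIME_WAIT src=10.244.1.5 dst=10.244.2.3 sport=40236 dport=80 src=10.244.2.3 dst=10.244.1.5 sport=80 dport=40236 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 116 TIME_WAIT src=10.244.1.5 dst=10.244.2.3 sport=40237 dport=80 src=10.244.2.3 dst=10.244.1.5 sport=80 dport=40237 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.244.1.6 dst=10.244.2.3 sport=51000 dport=80 src=10.244.2.3 dst=10.244.1.6 sport=80 dport=51000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.244.1.6 dst=10.0.0.10 sport=53412 dport=53 src=10.0.0.10 dst=10.244.1.6 sport=53 dport=53412 mark=0 zone=0 use=2
"""

# l3 name, l3 number, l4 name, l4 number, remaining timeout, optional TCP
# state, then the original-direction tuple. Only that first tuple is kept.
LINE_RE = re.compile(
    r"^(?P<l3>\S+)\s+\d+\s+(?P<l4>\S+)\s+\d+\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Return one dict per parseable line; state is None for non-TCP entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["timeout"] = int(entry["timeout"])
            entries.append(entry)
    return entries


def entries_by_source(entries):
    """Count conntrack entries per originating IP (pod IP inside the cluster)."""
    return Counter(e["src"] for e in entries)


def time_wait_share(entries):
    """Fraction of TCP entries sitting in TIME_WAIT, i.e. already-closed flows."""
    tcp = [e for e in entries if e["l4"] == "tcp"]
    if not tcp:
        return 0.0
    return sum(1 for e in tcp if e["state"] == "TIME_WAIT") / len(tcp)


def assess(entries, nf_conntrack_max, warn_ratio=0.8, top_n=3):
    """Summarise table pressure; warn_ratio and top_n are assumed defaults."""
    count = len(entries)
    return {
        "usage_ratio": count / nf_conntrack_max,
        "exhaustion_warning": count >= warn_ratio * nf_conntrack_max,
        "time_wait_share": time_wait_share(entries),
        "top_sources": entries_by_source(entries).most_common(top_n),
    }


if __name__ == "__main__":
    # On a node, read the live table and sysctl; elsewhere fall back to the sample.
    try:
        with open("/proc/net/nf_conntrack") as f:
            table = f.read()
        with open("/proc/sys/net/netfilter/nf_conntrack_max") as f:
            ct_max = int(f.read())
    except OSError:
        table, ct_max = SAMPLE_NF_CONNTRACK, 8  # 8 is an illustrative maximum
    print(assess(parse_conntrack(table), ct_max))
```

Run on a node (for instance from a debug pod with hostNetwork and access to /proc), it reports the live table; off-host it runs on the constructed sample. Reading /proc/net/nf_conntrack walks the whole table, so for continuous monitoring read /proc/sys/net/netfilter/nf_conntrack_count against nf_conntrack_max and only dump the table for attribution once the ratio crosses the threshold.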