question

0 Votes
NanziYang-4736 asked

A Docker security issue using nf_conntrack_table to make a DoS attack in the Azure AKS environment.

We found a Docker security issue that fills up the nf_conntrack_table of the host network namespace in the Linux kernel, causing a DoS attack in the Azure AKS environment.
Reproduction steps:
1. Follow the AKS tutorial to set up an AKS cluster. We use one Virtual Machine with 8G memory, a 120G SSD disk, the linux 5.4.0-1043-azure OS, Kubernetes version v1.18.14 and Docker version 19.3.14 to set up the Azure Kubernetes cluster. All those settings are done through the Azure Kubernetes UI.
2. Deploy two unprivileged malicious Docker containers with UID 1000; they both drop all capabilities, use a 2G memory limit, run on a dedicated core and disable privilege escalation. We run the malicious containers with their own network namespace; besides, we run those malicious containers in a separate Kubernetes namespace.
3. We use three malicious containers to make multiple short TCP connections to a container running a simple nginx service. As a result, the host's nf_conntrack_table is filled up, causing random packet drops.
Is there any way to defend against this attack inside the Azure AKS environment? Looking forward to your reply!

azure-kubernetes-service
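The question asks how to defend against the conntrack table filling up. As an added example, not part of the original post and not AKS or Kubernetes tooling, here is a node-side check that reads the kernel's standard nf_conntrack_count and nf_conntrack_max sysctls and reports how full the table is, so an operator can alert before entries start being dropped. The 80% warning threshold and the sample values used when the sysctls are not readable are assumed/constructed, not from the page.

```shell
#!/bin/sh
# Added example (not from the original post): report nf_conntrack table utilization
# on a node so exhaustion can be alerted on before packets are dropped.
# The two /proc paths are the standard Linux netfilter sysctls.

CONNTRACK_COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count
CONNTRACK_MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max

# conntrack_utilization COUNT MAX -> integer percentage of the table in use
conntrack_utilization() {
    count=$1
    max=$2
    # Guard against a zero or missing maximum (would divide by zero)
    [ -n "$max" ] && [ "$max" -gt 0 ] || { echo 0; return 0; }
    echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX THRESHOLD_PCT -> prints "warn" or "ok"
conntrack_status() {
    pct=$(conntrack_utilization "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "warn"
    else
        echo "ok"
    fi
    return 0
}

# read_conntrack_values -> prints "COUNT MAX" from the live kernel if readable
read_conntrack_values() {
    if [ -r "$CONNTRACK_COUNT_FILE" ] && [ -r "$CONNTRACK_MAX_FILE" ]; then
        echo "$(cat "$CONNTRACK_COUNT_FILE") $(cat "$CONNTRACK_MAX_FILE")"
        return 0
    fi
    return 1
}

main() {
    threshold=${CONNTRACK_WARN_PCT:-80}   # assumed default: warn at 80% full
    if values=$(read_conntrack_values); then
        set -- $values
        count=$1
        max=$2
    else
        # Constructed sample values so the script also runs off a Linux node
        count=52000
        max=65536
        echo "nf_conntrack sysctls not readable; using constructed sample values" >&2
    fi
    pct=$(conntrack_utilization "$count" "$max")
    status=$(conntrack_status "$count" "$max" "$threshold")
    echo "nf_conntrack: $count/$max entries (${pct}%) -> $status (threshold ${threshold}%)"
}

main "$@"
```

Run it on the node itself (it reads host sysctls, so it sees the host network namespace that the question describes filling up); set CONNTRACK_WARN_PCT to change the threshold. The ceiling it compares against is the same value exposed as the net.netfilter.nf_conntrack_max sysctl, so a "warn" result tells you either the table needs to be larger for the node's connection rate or that some workload is opening connections abnormally fast.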

I am currently investigating and will get back to you soon.

0 Votes

1 Answer

0 Votes
NanziYang-4736 answered

@karishmatiwari-msft Hello Karishmatiwari! I submitted my concern about the Azure AKS environment about two months ago; are there any new developments on this issue? Is it a real issue that exists in the Azure AKS environment? Looking forward to your reply!
