NanziYang-4736 asked

A Docker security issue in dirty page management that enables a DoS attack in the Azure AKS environment.

We found a Docker security issue that generates out-of-band I/O workload in the Linux kernel and causes a DoS attack in the Azure AKS environment.

Reproduction steps:

1. Follow the AKS tutorial to set up AKS clusters. We use one Virtual Machine with 8G memory, 120G SSD Disk, linux 5.4.0-1043-azure OS, Kubernetes Version V1.18.14 and Docker Version 19.3.14 to set up the Azure Kubernetes Cluster. All those settings are done through the Azure Kubernetes UI.
2. Deploy the unprivileged malicious Docker container with UID 1000, dropping all capabilities, using limited memory of 3G, limiting the I/O bandwidth of the container to 1Mb/s, running on a dedicated core and with privilege escalation disabled. We run the malicious container in a separate Kubernetes Namespace.
3. In the malicious container, we observed that vm.dirty_background_ratio is 10 and vm.dirty_ratio is 20. We start one process that writes 3G of useless data to one file and deletes it repeatedly. As a result, the dirty pages' percentage on the host reaches vm.dirty_ratio. In total, the I/O performance of the victim container has an 84.2% downgrade. We limit the I/O bandwidth of the malicious container to 1Mb/s, which is small, so the blkio control group cannot help. Besides, the memory usage of the malicious container is approximately equal to 3G, which is small.

Is there any way to defend against this attack inside the Azure AKS environment?

azure-kubernetes-service
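A node-side check for the condition the question describes, added here as an example that is not part of this thread: it parses /proc/meminfo (a constructed sample is embedded) and reports whether dirty pages have reached vm.dirty_background_ratio or vm.dirty_ratio, the point at which every buffered writer on the host is throttled rather than only the pod that produced the pages. The "dirtyable memory" figure is an assumption that approximates the kernel's own accounting.

```python
"""Dirty-page pressure check for a Linux node (added example, not from the
Q&A thread). Approximates the kernel's global dirty-throttling arithmetic
from /proc/meminfo so an operator can tell whether a node is in the state
described in the question: dirty pages at vm.dirty_ratio."""
import re
from typing import Dict

# Constructed /proc/meminfo excerpt (kB) for an 8 GB node carrying a large
# backlog of dirty pages. Not captured from a real AKS node.
SAMPLE_MEMINFO = """\
MemTotal:        8000000 kB
MemFree:         1000000 kB
MemAvailable:    4000000 kB
Active(file):    1500000 kB
Inactive(file):  1500000 kB
Dirty:           1200000 kB
Writeback:        100000 kB
"""


def parse_meminfo(text: str) -> Dict[str, int]:
    """Return /proc/meminfo fields as {name: kilobytes}; lines without a
    numeric value are ignored."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s+(\d+)(?:\s+kB)?$", line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def dirty_pressure(meminfo: Dict[str, int], dirty_background_ratio: int,
                   dirty_ratio: int) -> Dict[str, object]:
    """Classify dirty-page pressure against the two sysctl thresholds.

    Assumption: "dirtyable" memory is approximated as free pages plus
    file-backed LRU pages (the kernel also subtracts reserved pages).
    Dirty + Writeback is what the kernel compares against the threshold."""
    dirtyable = (meminfo["MemFree"] + meminfo["Active(file)"]
                 + meminfo["Inactive(file)"])
    dirty = meminfo["Dirty"] + meminfo["Writeback"]
    pct = 100.0 * dirty / dirtyable
    if pct >= dirty_ratio:
        state = "throttling"            # every buffered writer on the node stalls
    elif pct >= dirty_background_ratio:
        state = "background_writeback"  # flusher threads busy, writers not yet blocked
    else:
        state = "ok"
    return {"dirty_kb": dirty, "dirtyable_kb": dirtyable,
            "percent": round(pct, 1), "state": state}


def check_node(meminfo_text: str = SAMPLE_MEMINFO,
               dirty_background_ratio: int = 10, dirty_ratio: int = 20):
    """Convenience wrapper; defaults match the ratios observed in the question."""
    return dirty_pressure(parse_meminfo(meminfo_text),
                          dirty_background_ratio, dirty_ratio)


if __name__ == "__main__":
    print(check_node())
```

On a live node, pass `open("/proc/meminfo").read()` and the two sysctl values to `check_node()`; a node that reports "throttling" while each pod's own I/O and memory usage looks small is the symptom the question describes, and is the signal to alert on.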

Thanks for sharing your concern. I am currently investigating and will get back to you soon.

NanziYang-4736 answered

@karishmatiwari-msft Hello Karishmatiwari! I have sent an email to Azure Community as you asked, but I have got no response. Have you received my email? Are there any new developments on these issues? Looking forward to your reply!


NanziYang-4736 answered

@karishmatiwari-msft Hello Karishmatiwari! I submitted my concern about the Azure AKS environment about two months ago. Are there any new developments on this issue? Is it a real issue that exists in the Azure AKS environment? Looking forward to your reply!
