DDoS Attacks in a Kubernetes Environment: Detection and Mitigation

By Giri Radhakrishnan, Technical Product Marketing Manager, Tigera

Distributed Denial-of-Service (DDoS) attack techniques are evolving, creating new risks and challenges for cloud-first enterprises.

In a DDoS attack, an application or service becomes unavailable to users because demand on its resources exceeds its capacity, causing the app to either crash or become unresponsive. Threat actors are becoming increasingly sophisticated, and new DDoS attack techniques have emerged that target cloud-native and Kubernetes-based applications. Cloud-native applications are designed to scale up resources automatically (pods, CPU cycles, memory, etc.) when inbound requests spike, resulting in higher usage bills. Cybercriminals have now exploited this, generating illegitimate requests that lead to scaling resources up and down without resulting in actual business revenue. This attack method, dubbed a “yo-yo attack”, leads to revenue loss and a host of other issues for impacted organizations.

While the intent of a DDoS attack is not directly stealing money, data, or installing ransomware, any type of application downtime indirectly translates into monetary loss. Troubleshooting and mitigation efforts also result in lost productivity for IT professionals when they are already burdened with multiple security alerts.

Deploying container security solutions is critical to detecting DDoS attacks and helping to stop them before they become devastating. When choosing container security capabilities to prevent and address DDoS attacks, security leaders should:

  • Use a solution that can build a baseline behavior for nodes, pods, and services with respect to the amount of traffic that is normal at any given period of time. Deviation from the baseline behavior could inform the user about a potential DDoS attack.
  • Use a broad set of container security tools, especially at runtime, with anomaly detection. If there is any presence of malicious activity either on the network or the container, alerting capabilities give operators quick and detailed information on potential impending threats.
  • Put strong zero-trust workload access control policies in place to restrict lateral movement should attackers gain a foothold in the environment within the Kubernetes cluster.

Although detecting a DDoS attack is itself a huge task, the job is only half done until you have the best mitigating strategies. The earlier you are able to start detecting and blocking the attack traffic, the better protected you are against application downtime. When it comes to DDoS attacks in Kubernetes, it’s important to first confirm whether a basic Kubernetes Network Policy can help with responding to an attack. Bear in mind that the default Kubernetes Network Policy lacks a few capabilities that are critical to stopping a DDoS attack in Kubernetes.

There are two critical requirements to stop a DDoS attack when it happens: Global Network Policy and Host EndPoint (HEP) for policy enforcement. When these two are combined with a capability to define entire IP ranges or CIDR blocks, and perform XDP offloading, you can effectively stop a DDoS attack before it results in an outage or causes monetary loss.
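The combination described above, sketched as an added example that is not taken from the article: it assumes Calico's `projectcalico.org/v3` API, which provides GlobalNetworkPolicy, GlobalNetworkSet and HostEndpoint resources (the article does not name a product). The node name, interface, addresses, CIDR blocks and label names are constructed placeholders.

```yaml
# Deny-list of source ranges, expressed as CIDR blocks (constructed documentation ranges).
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: dos-deny-list
  labels:
    dos-deny-list: "true"
spec:
  nets:
    - "198.51.100.0/24"
    - "203.0.113.0/24"
---
# Host endpoint: makes the node's own interface a policy enforcement point,
# so traffic is filtered at the host before it reaches any pod.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth0            # hypothetical node and interface
  labels:
    apply-dos-mitigation: "true"
spec:
  node: node1
  interfaceName: eth0
  expectedIPs:
    - "10.0.0.10"
---
# Cluster-wide policy (not namespaced) that drops ingress from the deny-list
# on every labelled host endpoint.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: dos-mitigation
spec:
  selector: apply-dos-mitigation == 'true'
  doNotTrack: true            # enforce before connection tracking (untracked policy)
  applyOnForward: true        # also cover traffic forwarded on to workloads
  types:
    - Ingress
  ingress:
    - action: Deny
      source:
        selector: dos-deny-list == 'true'
```

Because the policy selects the network set by label, responding to a new attack source means adding a CIDR to `nets` and leaving the policy itself unchanged.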

Attackers are becoming more sophisticated with DDoS techniques, and the political landscape in war-affected regions has created an uptick in these attacks. Since applications in Kubernetes pose an equal, if not greater, security risk of DDoS attacks, organizations need new ways to detect and mitigate threats. Against this backdrop, deploying robust, comprehensive container security solutions is key.

