Docker's Security Analysis of Using Control Group to Enhance Container Resistance to Pressure

Docker is a container technology for building lightweight virtualised application environments in cloud computing. It is widely used on Linux, macOS and Windows to simplify configuration, test large-scale deployments and isolate applications. From a security standpoint, however, Distributed Denial of Service (DDoS) attacks against containers remain a serious problem. This paper therefore analyses how well Docker containers withstand resource pressure and how Control Groups (cgroups) can be used to reduce the impact of DDoS. An experiment is designed to measure the effect of cgroups under three kinds of pressure: CPU exhaustion, bandwidth exhaustion, and a DDoS attack. Three cgroup configurations are compared as the means of restricting container resources: limiting CPU, limiting network (Net) I/O, and limiting both. The results show that once container resources are restricted by cgroups, the effect of an attack is confined to a bounded scope. Restricting the CPU and Net I/O resources of Docker containers through cgroups is therefore an effective way to reduce the impact of DDoS attacks.
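As an added example (not code from the paper), the following shell functions build the two kinds of limit the abstract describes and check, from cgroup v2 accounting, whether the CPU cap actually absorbed a CPU-exhaustion run. Docker's `--cpu-period`/`--cpu-quota` flags map directly onto the cgroup CFS bandwidth controller (`cpu.max`); there is no equivalent `docker run` flag for bandwidth, so the Net I/O limit is expressed with `tc` on the container's veth device. The container name, image, device name and rate are placeholders, and the `cpu.stat` sample is constructed, not measured.

```bash
#!/usr/bin/env bash
# Added example: cgroup-based CPU and Net I/O limits for a Docker container,
# plus a throttling check. Names, image and the cpu.stat sample are assumptions.

# Docker's --cpus is sugar for the CFS pair cpu-period/cpu-quota (cgroup cpu.max).
# cpu_quota_us <cpus> <period_us> -> quota in microseconds, rounded to integer.
cpu_quota_us() {
  awk -v c="$1" -v p="$2" 'BEGIN { printf "%.0f", c * p }'
}

# Emit the docker run command for a container capped at <cpus> CPUs.
# --pids-limit is added so a fork-heavy flood cannot exhaust the host PID space.
docker_cpu_limited_cmd() {
  local name="$1" image="$2" cpus="$3" period=100000
  local quota
  quota=$(cpu_quota_us "$cpus" "$period")
  printf 'docker run -d --name %s --cpu-period=%d --cpu-quota=%d --pids-limit=256 %s\n' \
    "$name" "$period" "$quota" "$image"
}

# Net I/O: cgroups alone do not cap bandwidth. A token-bucket qdisc on the
# container's host-side veth (placeholder device name) limits egress rate.
tc_egress_limit_cmd() {
  local dev="$1" rate="$2"   # e.g. veth0 10mbit
  printf 'tc qdisc replace dev %s root tbf rate %s burst 32kbit latency 400ms\n' \
    "$dev" "$rate"
}

# Read cgroup v2 cpu.stat text on stdin and print the percentage of CFS
# periods in which the container was throttled. Under a CPU-burn attack a
# high value means the quota, not the host, took the pressure.
throttled_pct() {
  awk '/^nr_periods/ { p = $2 } /^nr_throttled/ { t = $2 }
       END { if (p == 0) print 0; else printf "%d", (t * 100) / p }'
}

# Constructed sample of /sys/fs/cgroup/<scope>/cpu.stat after a CPU-exhaustion
# run against a capped container (illustrative values, not real measurements).
SAMPLE_CPU_STAT='usage_usec 50123456
user_usec 49000000
system_usec 1123456
nr_periods 1000
nr_throttled 930
throttled_usec 46500000'

# Usage: print the commands an operator would run, then the throttling ratio.
docker_cpu_limited_cmd victim nginx:alpine 0.5
tc_egress_limit_cmd veth0 10mbit
printf 'throttled periods: %s%%\n' "$(printf '%s\n' "$SAMPLE_CPU_STAT" | throttled_pct)"
```

On a live host the same check is `throttled_pct < /sys/fs/cgroup/system.slice/docker-<id>.scope/cpu.stat` (path layout depends on the cgroup driver). Note that the limits bound what the attacked container can consume; they do not stop the attack from degrading that container's own service.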
