(Theoretical view) In a DDoS attack via docker, no correlation found between the amount of sent packets and the number of virtualized containers

Gabriel Cardoso

6/26/23, 12:53 PM

I have been testing a DDoS attack in my local network via docker. Each image has loaded with an "evil" DDoS file.

I tested simultaneously several containers attacking at the same time. On the image below it is possible to see 6 attacks (peaks). 1,2,3,4, 10, and 15 containers respectively running at the same time (each attack represents one peak).

What caught my attention is, the peak of the attacks has not been significantly changed by the number of containers attacking at the same time.

Why is that?

My hypothesis:

I. Dockers process are being executed not in parallel but in a serialized way.

II. Or, the saturation of packets sent on the gateway is already reached by the first container. Therefore doesn't make a difference in running more containers.

What do you guys think?

Wireshark packets analysis

0 + 0

localhost

ddos

docker

Score:0

Server

John Mahowald

6/28/23, 2:16 AM

Maxing out after 2 containers is not a great indication for scaling out to many processes. Not enough information to tell why that is, performance bottlenecks could the application, the network stack, or the hardware. For example, the clients could have polite behavior of waiting for application level responses, rather then push requests as fast as possible.

Find out how many packets per second these can do with the simplest possible application. iperf is a classic tool for this kind of maximum bandwidth test. Significantly higher PPS would indicate a bottleneck closer to the application than the network stack.

Regarding the point of this exercise, a distributed denial of service cannot be easily simulated with (presumably) one physical host. Usually the objective is a volume attack, many hosts sending far more application requests or raw packets than your infrastructure can handle. Or from so many IP addresses source blocking is not feasible.

However, even a relatively small attack from just a few hosts can in theory still bog down a service. Depends on the application and the resources of the server it runs on.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: (Theoretical view) In a DDoS attack via docker, no correlation found between the amount of sent packets and the number of virtualized containers

TH: (มุมมองทางทฤษฎี) ในการโจมตี DDoS ผ่านนักเทียบท่า ไม่พบความสัมพันธ์ระหว่างจำนวนแพ็กเก็ตที่ส่งและจำนวนคอนเทนเนอร์เสมือน

RO: (Vedere teoretică) Într-un atac DDoS prin docker, nu s-a găsit nicio corelație între cantitatea de pachete trimise și numărul de containere virtualizate

RU: (Теоретический взгляд) При DDoS-атаке через докер не обнаружено корреляции между количеством отправленных пакетов и количеством виртуализированных контейнеров

VI: (Chế độ xem lý thuyết) Trong một cuộc tấn công DDoS thông qua docker, không tìm thấy mối tương quan nào giữa số lượng gói đã gửi và số lượng vùng chứa ảo hóa

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.