How to catch a cryptominer on your Kubernetes infra (opens in new tab)

(blog.kubecost.com)

17 pointswebb6y ago3 comments

3 comments

I think it's a bit disappointing how unsophisticated these cryptominer attackers are. If you have the ability to spawn arbitrary Docker containers, you can get root privileges on the host -- which would make tools like this one (which as far as I can tell only measures container network traffic) useless.

The real solution is to stop exposing access to Docker (or Kubernetes without any RBAC rules) to the open internet.

webbOP6y ago

I agree that appropriate configuration/policy management is part of the solution for preventing these attacks on Kubernetes, but our view is that monitoring also plays an important role.

cyphar6y ago

I should've said "limited in usefulness for detecting moderately-clever attackers" rather than just flat-out "useless". Monitoring is obviously a useful tool regardless of whether it will always help you detect attackers in your network. You could use nf_conntrack on the host as well but that could also be bypassed by a root process on the host.

j / k navigate · click thread line to collapse

3 comments

cyphar6y ago

The real solution is to stop exposing access to Docker (or Kubernetes without any RBAC rules) to the open internet.

webbOP6y ago

I agree that appropriate configuration/policy management is part of the solution for preventing these attacks on Kubernetes, but our view is that monitoring also plays an important role.

cyphar6y ago

j / k navigate · click thread line to collapse