Litcius/Paper detail

Container Orchestration Honeypot: Observing Attacks in the Wild

Noah Spahn, Nils Hanke, Thorsten Holz, Christopher Kruegel, Giovanni Vigna

202313 citationsDOIOpen Access PDF

Abstract

Containers, a mechanism to package software and its dependencies into a single artifact, have helped fuel the rapid pace of technological advancements in the last few years. However, it is not always clear what the potential security risk of moving to the cloud and container-based technologies is. In this paper, we investigate exposed container orchestration services on the Internet: how many there are, and the attacks against them. We considered three groups of container-based software: Docker, Kubernetes, and workflow tools. In a measurement study, we scanned the Internet to identify vulnerable container and container-orchestration services running on default ports. Considering the scan data, we then designed a high-interaction honeypot to reveal where attackers tend to strike and what is being done against exposed instances. The honeypot is based on container orchestration tools installed on Ubuntu servers, behind a carefully constructed gateway, and using the default ports. Our honeypot attracted attackers within minutes of launch. In total, we collected 94 days of attack data and extracted associated indicators of compromise (IOCs), which are provided to the research community to enable further insights.

Topics & Concepts

HoneypotContainer (type theory)OrchestrationComputer scienceCloud computingComputer securityThe InternetServerSoftwareWorkflowArtifact (error)AdversaryOperating systemDatabaseEngineeringVisual artsComputer visionMechanical engineeringArtMusicalAdvanced Malware Detection TechniquesNetwork Security and Intrusion DetectionSecurity and Verification in Computing