TY - GEN
T1 - Docker's security analysis of using control group to enhance container resistance to pressure
AU - Yang, Tianshuo
AU - Luo, Zhongxuan
AU - Shen, Zheliang
AU - Zhong, Yican
AU - Huang, Xin
N1 - Publisher Copyright: © 2019 IEEE.
PY - 2019/8
Y1 - 2019/8
N2 - Docker is a container technology for creating a lightweight virtual system framework in the cloud computing environment. Massive numbers of users exploit it on Linux, Mac, and Windows systems to simplify configuration or test large-scale operations and isolate applications. However, considering the security of Docker containers, Distributed Denial of Service (DDoS) attacks have been a severe problem which needs to be solved. Therefore, this paper aims to analyze the compressive ability of Docker containers and reduce the influence of DDoS by using Control group (Cgroup). Furthermore, an experiment will be designed to detect the effects of Cgroup under three kinds of pressure: running out of Central Processing Unit (CPU), running out of bandwidth, and DDoS attack. In addition, limiting CPU, limiting Network (Net) I/O, and limiting both of them will be considered as the methods of using Cgroup to restrict containers' resources. As a result, it is shown that the attacks would be limited to a certain scope after restricting the resources of containers by Cgroup. Therefore, the method of imposing restrictions on CPU and Net I/O resources of Docker containers by using Cgroup can effectively reduce the impact of DDoS attacks.
KW - Control Groups
KW - DDoS
KW - Docker
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85079320915&partnerID=8YFLogxK
U2 - 10.1109/ITME.2019.00151
DO - 10.1109/ITME.2019.00151
M3 - Conference Proceeding
AN - SCOPUS:85079320915
T3 - Proceedings - 10th International Conference on Information Technology in Medicine and Education, ITME 2019
SP - 655
EP - 660
BT - Proceedings - 10th International Conference on Information Technology in Medicine and Education, ITME 2019
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 10th International Conference on Information Technology in Medicine and Education, ITME 2019
Y2 - 23 August 2019 through 25 August 2019
ER -