
I have been testing a DDoS attack in my local network via Docker. Each image is loaded with an "evil" DDoS file.

I tested several containers attacking simultaneously. In the image below it is possible to see 6 attacks (peaks): 1, 2, 3, 4, 10, and 15 containers respectively running at the same time (each attack represents one peak).

What caught my attention is that the peak of the attacks has not changed significantly with the number of containers attacking at the same time.

Why is that?

My hypothesis:

I. Docker processes are being executed not in parallel but in a serialized way.

II. Or, the saturation of packets sent on the gateway is already reached by the first container, so running more containers doesn't make a difference.

What do you guys think?

[Image: Wireshark packet analysis]

1 Answer


Maxing out after 2 containers is not a great indication for scaling out to many processes. There is not enough information to tell why that is; performance bottlenecks could be the application, the network stack, or the hardware. For example, the clients could have the polite behavior of waiting for application-level responses, rather than pushing requests as fast as possible.

Find out how many packets per second these can do with the simplest possible application. iperf is a classic tool for this kind of maximum bandwidth test. Significantly higher PPS would indicate a bottleneck closer to the application than the network stack.

Regarding the point of this exercise, a distributed denial of service cannot be easily simulated with (presumably) one physical host. Usually the objective is a volume attack: many hosts sending far more application requests or raw packets than your infrastructure can handle, or coming from so many source IP addresses that blocking them is not feasible.

However, even a relatively small attack from just a few hosts can in theory still bog down a service. It depends on the application and the resources of the server it runs on.

John Mahowald
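The answer's advice is to measure packets per second rather than eyeball peaks. The following is an added example (not part of the question or answer) that takes capture timestamps, as exported by `tshark -r capture.pcap -T fields -e frame.time_epoch`, splits them into bursts, and reports peak PPS per burst and per container, so a flat peak across rising container counts shows up as a falling per-container rate. The sample timestamps are constructed, and the burst-to-container mapping is an assumption supplied by the caller.

```python
"""Peak packets-per-second per burst from Wireshark/tshark epoch timestamps."""
from collections import Counter


def parse_tshark_epochs(text):
    """Parse one frame.time_epoch value per line (tshark -T fields output)."""
    return sorted(float(line) for line in text.splitlines() if line.strip())


def bursts(timestamps, gap=1.0):
    """Split sorted timestamps into bursts separated by at least `gap` seconds of silence."""
    groups, current = [], []
    for t in sorted(timestamps):
        if current and t - current[-1] >= gap:
            groups.append(current)
            current = []
        current.append(t)
    if current:
        groups.append(current)
    return groups


def peak_pps(timestamps):
    """Highest packet count seen in any single one-second bucket."""
    return max(Counter(int(t) for t in timestamps).values())


def per_container_rate(timestamps, container_counts, gap=1.0):
    """Pair each burst (in capture order) with the number of containers that
    produced it. Returns (containers, peak_pps, peak_pps_per_container) per burst.
    A roughly constant peak while the per-container rate drops points at a
    shared bottleneck (host, network stack, or gateway), as the answer describes."""
    found = bursts(timestamps, gap)
    if len(found) != len(container_counts):
        raise ValueError(f"found {len(found)} bursts but {len(container_counts)} counts given")
    return [(n, peak_pps(b), peak_pps(b) / n) for n, b in zip(container_counts, found)]


def synth_burst(start, seconds, pps):
    """Constructed sample burst: evenly spaced packets at `pps` for `seconds`."""
    return [start + i / pps for i in range(seconds * pps)]


if __name__ == "__main__":
    # Constructed capture: 1 container at 100 pps, then 2 containers at only 110 pps.
    sample = sorted(synth_burst(0.0, 2, 100) + synth_burst(10.0, 2, 110))
    for n, peak, per in per_container_rate(sample, [1, 2]):
        print(f"{n} container(s): peak {peak} pps, {per:.1f} pps per container")
```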