Docker is widely adopted: more than 25% of companies already use it, and the Docker market is projected to reach 993 million USD by 2024. Still, Docker faces many known security threats. This article covers some well-known, common and avoidable threats and their possible solutions.
Before moving forward, you should be familiar with containerization technology, Docker containers and their framework, and the security mechanisms Docker already provides.
Understanding the Docker Containers: a deep dive into the framework and working of Docker containers.
The prerequisites are covered in that article 😄, so I highly recommend reading it first for a proper understanding.
Even though Docker containers offer greater efficiency and scalability than other virtualization technologies, the technology is still immature and is still finding ways to cope with its flaws.
1. Vulnerable Docker Images
Docker has three modules that work independently of each other but in collaboration, and an exposure in any of them directly affects the security of the containers or even the host. The major source of these exposures is the images uploaded to Docker Hub repositories. Most Docker images ship with pre-installed applications; if these are not configured properly, they leave loose ends in the system that can be leveraged to attack the container or the host itself, leading to a major data leak or to the host being hijacked.
2. Malicious Docker Images
A Docker image developer may deliberately upload a malicious image to Docker Hub carrying a cryptocurrency miner or malware such as a Trojan, backdoor, web shell or ransomware. Running such a container automatically triggers these programs, and you may not even notice their presence. A cryptocurrency miner can keep working in the background of your container, eating up system resources like CPU cycles and bandwidth, and the attacker ends up making a lot of money thanks to YOU 😢.
Related report: Malicious Docker Cryptomining Images Rack Up 20M Downloads. Publicly available cloud images are spreading Monero-mining malware to unsuspecting cloud developers. At least 30…
3. Container Escape Attack
Docker containers share the host kernel to reduce the performance cost of virtualization. By leveraging exposures present in the image, a process running in a container can escape to the host system and achieve privilege escalation. This is known as an 'escape attack', and running the container with root privileges encourages this kind of attack: once the process escapes to the host with root access, it controls the complete filesystem and can take down the host or leak all valuable information.
4. Sensitive Information Leakage
Sensitive information leakage is a very severe problem for Docker containers: if an authentication API key or database password is somehow leaked from the container, it affects the complete system. There are cases where unnecessary credentials are left in the image; these credentials are not needed for the container to work but were used while building the image.
5. Network Mode Security
Docker has four network modes: none, host, container, and bridge.
None: in none mode, a Docker container has its own independent network namespace and no network settings are specified for it.
Host: in host mode, the container and the host share the network namespace, using the same IP and ports. The container is privileged to modify the host's network stack information, so NAT is not needed for communication. But we may unknowingly end up allowing an untrusted container to maliciously modify the host's network stack.
Container mode: in container mode, a container can be attached to the network namespace of another container. Since the namespace is still shared, the risk of an untrusted container modifying the network stack remains.
Bridge mode: in bridge mode, Docker containers communicate through the host's ports; this is the most commonly used mode. A virtual bridge is set up on the host to forward packets between the different network interfaces. In the default setting, the virtual bridge does not check or filter the forwarded packets, so ARP spoofing or MAC flooding attacks can easily succeed.
If the deployed image is malicious, it may open a port for the attacker to attack the container, eat up bandwidth, or leak sensitive information. It is important to restrict communication between our containers and untrusted or known-malicious domains and IP addresses.
Solutions and Good Practices 😺 !!
Being an immature technology, Docker has problems that need to be overcome to enjoy its full potential. To deal with them, there are best practices to follow and external tools and services that improve the security of containers.
- Always prefer OFFICIAL DOCKER IMAGES: official images are verified images published by the maintainer or developer of the technology itself.
- Docker also has a "Trusted Content" feature that lets you download signed images only. This does not guarantee 100% security, but it is a good additional layer of protection.
- Never run containers with root privileges on the system; always assign the container the minimum privileges required for its function. You can create a non-root user with minimal privileges to perform the assigned task and run the container as that user. This reduces the chances of container escape attacks.
- Avoid leaking sensitive information into the Docker image itself. SSH keys are sometimes needed to pull code or run an intermediate step while creating the image, but these credentials are not necessary in the final image. Yet they may still be lurking somewhere in the image and be exploited. Instead of adding them directly in the Dockerfile, use multi-stage builds: with Docker's support for multi-stage builds, these credentials can be kept in an intermediate build stage that is later disposed of, leaving no trace in the final image. Also declare all sensitive files in .dockerignore so they are excluded from the build context.
- Secrets must be managed properly in Docker containers to avoid sensitive data leaks.
Refer to this official document for best practices on handling secrets.
- The use of a vulnerable Docker image posing a severe threat to the system can be avoided by understanding the underlying exposures in the image. The CVE (Common Vulnerabilities and Exposures) database can be used for this: it is a well-known, regularly updated database of widely known exposures, each with a unique ID and a detailed description.
Refer to this official document on vulnerability scanning for your image.
- Check for malicious Docker images before deploying by scanning the image for malicious files or programs. The ClamAV malware signature database, one of the most popular and regularly updated, covers more than 6 million kinds of malicious files and can be used to scan your images.
- Monitor your network activity for connections to malicious IP addresses or domains to prevent network-related attacks. If the domains or IP addresses the container will communicate with are known in advance, you can set up a firewall that blocks all other traffic to and from the container.
Refer to this official document for implementing iptables rules.
- Monitor the resource usage of each deployed container; if a container abuses the resources provided, it must be taken down, or it will lead to a DoS (denial of service). DoS attacks can be effectively controlled with cgroups.
Refer to this official document for implementing resource constraints.
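The first four practices above (official and pinned base images, a non-root user, multi-stage builds and .dockerignore) can be checked mechanically before an image is built. The following Python script is an added example, not code from the original article or from Docker: it audits only the final stage of a Dockerfile, so anything confined to a builder stage is correctly ignored, and the HARDENED Dockerfile it carries is a constructed multi-stage example (the image tags, the deploy_key secret id and the example.com repository are assumptions).

```python
import re
SECRET_FILE = re.compile(r"id_rsa|id_ed25519|\.pem\b|\.key\b|\.env\b|\.netrc", re.I)  # usual credential names (constructed list)

def final_stage(dockerfile: str) -> list[str]:
    """Instructions of the last build stage; earlier stages are discarded and never ship."""
    stages = []
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper().startswith("FROM "):
            stages.append([])
        if stages:
            stages[-1].append(line)
    return stages[-1] if stages else []

def audit(dockerfile: str) -> list[str]:
    """Flag unofficial or unpinned base image, root user and credential files in the shipped stage."""
    stage = final_stage(dockerfile)
    if not stage: return ["no FROM instruction"]
    image = next(t for t in stage[0].split()[1:] if not t.startswith("--"))
    name, _, tag = image.partition(":")
    findings = []
    # official images are un-namespaced (alpine) or under library/ (docker.io/library/alpine)
    if "/" in name and name.split("/")[-2] != "library":
        findings.append(f"{name}: not an official image")
    if tag in ("", "latest"):
        findings.append(f"{image}: tag not pinned, so the contents can change between pulls")
    users = [l.split()[1] for l in stage if l.upper().startswith("USER ")]
    if not users or users[-1] in ("root", "0"):
        findings.append("runs as root (no non-root USER): a container escape lands on the host as root")
    for l in stage:
        if l.upper().startswith(("COPY ", "ADD ")) and SECRET_FILE.search(l):
            findings.append(f"credential file baked into a shipped layer: {l}")
        elif l.upper().startswith("COPY . "):
            findings.append("COPY . ships the whole build context; list secrets in .dockerignore")
    return findings

# Constructed multi-stage Dockerfile: the deploy key is mounted only while the builder stage runs,
# and the final stage pins an official image and drops to an unprivileged user.
HARDENED = r"""
FROM python:3.12-slim AS builder
RUN --mount=type=secret,id=deploy_key,target=/root/.ssh/id_rsa \
    pip wheel --no-deps -w /wheels git+ssh://git@example.com/team/app.git
FROM python:3.12-slim
COPY --from=builder /wheels /wheels
RUN pip install --no-index /wheels/*.whl && adduser --disabled-password --gecos "" app
USER app
CMD ["python", "-m", "app"]
"""
```

Running audit() over HARDENED returns no findings, while a single-stage Dockerfile that copies id_rsa and the whole build context into an unpinned, non-official image is flagged on every point.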
What is DoS?
A Denial-of-Service (DoS) attack is meant to shut down a machine or network, making it inaccessible to its intended users. It can be carried out by flooding the target's bandwidth from multiple systems so that genuine users suffer, or by consuming so many system resources that the system chokes and shuts itself down.
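Host network mode, a root user, added capabilities and missing cgroup limits (the DoS control mentioned above) are all visible in the output of docker inspect. The following Python script is an added example, not from the article or from Docker: it audits a constructed inspect document for those settings; the container names and values in INSPECT_JSON are made up, while the field names (HostConfig.Memory, NanoCpus, PidsLimit, NetworkMode, Privileged, CapAdd, Config.User) are the ones docker inspect emits.

```python
import json

# Constructed `docker inspect` output for two containers, trimmed to the fields this check reads.
INSPECT_JSON = """[
 {"Name": "/api", "Config": {"User": "app"},
  "HostConfig": {"NetworkMode": "bridge", "Privileged": false, "CapAdd": null,
                 "Memory": 536870912, "NanoCpus": 1000000000, "PidsLimit": 256}},
 {"Name": "/legacy", "Config": {"User": ""},
  "HostConfig": {"NetworkMode": "host", "Privileged": true, "CapAdd": ["SYS_ADMIN"],
                 "Memory": 0, "NanoCpus": 0, "PidsLimit": null}}
]"""

def audit_container(c: dict) -> list[str]:
    """Check one container's runtime settings against the practices listed in this article."""
    host, cfg = c["HostConfig"], c["Config"]
    name = c["Name"].lstrip("/")
    findings = []
    user = cfg.get("User") or ""
    if user.split(":")[0] in ("", "root", "0"):
        findings.append(f"{name}: runs as root, so a container escape gives root on the host")
    if host.get("Privileged"):
        findings.append(f"{name}: --privileged removes most isolation between container and host")
    for cap in host.get("CapAdd") or []:
        findings.append(f"{name}: added capability {cap} widens what an escaped process can do")
    mode = host.get("NetworkMode", "")
    if mode == "host":
        findings.append(f"{name}: host network mode shares the host's network stack")
    elif mode.startswith("container:"):
        findings.append(f"{name}: shares the network namespace of {mode.split(':', 1)[1]}")
    # 0 or null means "no cgroup limit"; --memory, --cpus and --pids-limit set these fields
    if not host.get("Memory"):
        findings.append(f"{name}: no memory limit, one runaway container can starve the host (DoS)")
    if not host.get("NanoCpus"):
        findings.append(f"{name}: no CPU limit, a cryptominer can take every core")
    if not host.get("PidsLimit"):
        findings.append(f"{name}: no pids limit, a fork bomb is not contained")
    return findings

def audit_all(inspect_output: str) -> dict[str, list[str]]:
    """Audit the JSON array printed by `docker inspect $(docker ps -q)`, keyed by container name."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_output)}

if __name__ == "__main__":
    for name, findings in audit_all(INSPECT_JSON).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```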
These are the most common threats to Docker containers, and there are many ways to detect them. Similarly, the detected threats can be remediated in multiple ways too.