Article

A Mutation-Enabled Proactive Defense Against Service-Oriented Man-in-The-Middle Attack in Kubernetes

Journal

IEEE TRANSACTIONS ON COMPUTERS
Volume 72, Issue 7, Pages 1843-1856

Publisher

IEEE COMPUTER SOC
DOI: 10.1109/TC.2023.3238125

Keywords

IP networks; Containers; Servers; Security; Resource management; Color; Cloud computing; Cloud security; kubernetes; MITM attack; proactive defense; address mutation; QUIC

Kubernetes (K8s) is crucial for cloud-native applications, but its flawed external IP design leads to service-oriented man-in-the-middle attacks. We propose a mutation-enabled proactive defense mechanism to address this issue by changing the asymmetry between attackers and defenders. Experimental results show that our mechanism can effectively defend against the attack while maintaining service connectivity.
Kubernetes (K8s) has become a core technology for cloud-native applications. However, a design flaw in the external IP feature of K8s enables a service-oriented man-in-the-middle attack. Existing solutions (e.g., script monitoring) address it passively, which gives attackers enough analysis time to bypass these static rule reviews. In contrast, we propose a mutation-enabled proactive defense mechanism that aims to change the asymmetry between attackers and defenders. It consists of an address mutation module (mutating the network identification) and a connection ID mutation module (mutating the communication identification). In the former module, we analyze the mutation constraints and prove the corresponding mutation grouping problem to be NP-hard; we then develop a maximal-coloring-driven mutation grouping algorithm. Because address allocation time grows linearly with the service size, we also design a prefetched address allocation algorithm. After designing the interaction flow between the modules, we present a randomized algorithm for the latter module. As a result, our mechanism does not interfere with defenses aimed at other attacks. By incrementally updating K8s and the transport layer protocol, it continuously interrupts the attack while keeping the service connection alive. Experiments on Alibaba Cloud demonstrate that it can effectively defend against the attack with an acceptable performance loss.
