
How to catch a cryptominer on your Kubernetes infra - webb
http://blog.kubecost.com/blog/network-egress-traffic-costs/
======
cyphar
I think it's a bit disappointing how unsophisticated these cryptominer
attackers are. If you have the ability to spawn arbitrary Docker containers,
you can get root privileges on the host -- which would make tools like this
one (which as far as I can tell only measures container network traffic)
useless.

The real solution is to stop exposing access to Docker (or Kubernetes without
any RBAC rules) to the open internet.

~~~
webb
I agree that appropriate configuration/policy management is part of the
solution for preventing these attacks on Kubernetes, but our view is that
monitoring also plays an important role.

~~~
cyphar
I should've said "limited in usefulness for detecting moderately-clever
attackers" rather than just flat-out "useless". Monitoring is obviously a
useful tool regardless of whether it will always help you detect attackers in
your network. You could use nf_conntrack on the host as well but that could
also be bypassed by a root process on the host.
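As an added example (not code from the linked Kubecost post and not either commenter's), this is the sort of per-container egress check the first comment describes, run over constructed flow records; the pod names, destination addresses, byte counts and the egress allowlist are all assumptions. It flags a pod whose total egress dwarfs its peers and any flow to a destination outside the assumed allowlist. The caveat raised in the thread still holds: the records come from the node's own accounting, so a process with root on that node can suppress or alter them, and the collector should run with a trust boundary separate from the workloads it watches.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (namespace, pod, destination_ip, dest_port, bytes_out).
# Two web pods talk to an assumed internal service on 443; one batch pod pushes
# a far larger volume to an assumed external address on a port that is not on
# the allowlist below.
SAMPLE_FLOWS = [
    ("web", "frontend-1", "10.0.1.20", 443, 12_000),
    ("web", "frontend-1", "10.0.1.21", 443, 9_500),
    ("web", "frontend-2", "10.0.1.20", 443, 11_000),
    ("web", "frontend-2", "10.0.1.22", 443, 10_200),
    ("batch", "worker-7", "203.0.113.9", 3333, 4_800_000),
    ("batch", "worker-7", "203.0.113.9", 3333, 5_100_000),
]

# Assumed egress policy: internal networks, and HTTPS to anywhere, are expected.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_PORTS = {443}


def egress_per_pod(flows):
    """Sum bytes_out per (namespace, pod)."""
    totals = defaultdict(int)
    for ns, pod, _dst, _port, nbytes in flows:
        totals[(ns, pod)] += nbytes
    return dict(totals)


def flag_outliers(totals, factor=10.0):
    """Pods whose total egress exceeds `factor` times the median across pods.

    A median ratio is used instead of a z-score: with only a handful of pods
    the z-score of a single outlier is capped at sqrt(n-1), so it would never
    cross the usual thresholds.
    """
    if not totals:
        return {}
    med = median(totals.values())
    if med <= 0:
        return {}
    return {pod: b for pod, b in totals.items() if b > factor * med}


def unexpected_destinations(flows):
    """Flows to addresses outside ALLOWED_NETS on ports outside ALLOWED_PORTS."""
    hits = set()
    for ns, pod, dst, port, _nbytes in flows:
        addr = ipaddress.ip_address(dst)
        internal = any(addr in net for net in ALLOWED_NETS)
        if not internal and port not in ALLOWED_PORTS:
            hits.add((ns, pod, dst, port))
    return sorted(hits)


def report(flows):
    """Combine both checks into one structure an alerting rule could consume."""
    totals = egress_per_pod(flows)
    return {
        "volume_outliers": flag_outliers(totals),
        "unexpected_destinations": unexpected_destinations(flows),
    }


if __name__ == "__main__":
    for kind, findings in report(SAMPLE_FLOWS).items():
        print(kind)
        items = findings.items() if isinstance(findings, dict) else findings
        for item in items:
            print("  ", item)
```

Both checks are cheap enough to run on every export interval; the volume check catches a miner that talks to an allowlisted host, while the destination check catches one that sends little data but to somewhere it should not.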

