The original LaBrea Tarpit avoids DOS'ing its own conntrack table somehow, too; LaBrea.py: https://github.com/dhoelzer/ShowMeThePackets/blob/master/Sca...

La Brea Tar Pits and museum: https://en.wikipedia.org/wiki/La_Brea_Tar_Pits

The nerdctl readme says: https://github.com/containerd/nerdctl :

> Supports rootless mode, without slirp overhead (bypass4netns)

How does that work, though? (And unfortunately podman replaced slirp4netns with pasta from passt.)

rootless-containers/bypass4netns: https://github.com/rootless-containers/bypass4netns/ :

> [Experimental] Accelerates slirp4netns using SECCOMP_IOCTL_NOTIF_ADDFD. As fast as `--net=host`

Which is good, because --net=host with rootless containers is inadvisable for security, FWIU.

"bypass4netns: Accelerating TCP/IP Communications in Rootless Containers" (2023) https://arxiv.org/abs/2402.00365 :

> bypass4netns uses sockets allocated on the host. It switches sockets in containers to the host's sockets by intercepting syscalls and injecting the file descriptors using Seccomp. Our method with Seccomp can handle statically linked applications that previous works could not handle. Also, we propose high-performance rootless multi-node communication. We confirmed that rootless containers with bypass4netns achieve more than 30x faster throughput than rootless containers without it

RunCVM, Kata Containers, gVisor all have a better host/guest boundary than rootful or rootless containers; which is probably better for honeypot research on a different subnet.

IIRC there are various utilities for monitoring and diffing VMs, for honeypot research.

There could be a list of expected syscalls. If the simulated workload can be exhaustively enumerated, the expected syscalls are known ahead of time and so anomaly detection should be easier.

"Oh, like Ghostbusters."
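As an added illustration of the "list of expected syscalls" idea in the comment above (example code written for this page, not from the thread or from any project it names): a baseline strace-style run of the honeypot workload is turned into an allowlist, a later trace is checked against it, and the same allowlist is emitted as an OCI/Docker seccomp profile that logs rather than kills on anything outside the list. Both traces are constructed sample data; the regex only handles plain `name(` and `[pid N] name(` line prefixes.

```python
import re
from collections import Counter

# Constructed strace-style lines from a baseline run of the honeypot's fake HTTP service.
BASELINE_TRACE = r"""
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(80)}, 16) = 0
listen(3, 128) = 0
accept4(3, NULL, NULL, SOCK_CLOEXEC) = 4
read(4, "GET / HTTP/1.0\r\n", 4096) = 16
write(4, "HTTP/1.0 200 OK\r\n", 17) = 17
close(4) = 0
"""

# Constructed trace from a later run in which the workload did something it never does.
OBSERVED_TRACE = r"""
[pid 42] accept4(3, NULL, NULL, SOCK_CLOEXEC) = 5
[pid 42] read(5, "GET /cgi-bin/x HTTP/1.0\r\n", 4096) = 25
[pid 42] execve("/bin/sh", ["sh"], 0x7ffd...) = 0
[pid 42] connect(6, {sa_family=AF_INET, ...}, 16) = 0
[pid 42] write(5, "...", 3) = 3
+++ exited with 0 +++
"""

SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\(")

def syscall_names(trace: str) -> list[str]:
    """Syscall name of each matching line, in order; non-syscall lines are skipped."""
    return [m.group(1) for m in map(SYSCALL_RE.match, map(str.strip, trace.splitlines())) if m]

def expected_syscalls(baseline: str) -> set[str]:
    """Allowlist: every syscall the enumerated workload is known to make."""
    return set(syscall_names(baseline))

def unexpected_syscalls(observed: str, expected: set[str]) -> Counter:
    """Count syscalls in the observed trace that are absent from the allowlist."""
    return Counter(n for n in syscall_names(observed) if n not in expected)

def seccomp_profile(expected: set[str]) -> dict:
    """OCI/Docker seccomp profile: allow the enumerated syscalls, log (not kill) the rest,
    so the honeypot keeps running while the anomaly lands in the audit log."""
    return {"defaultAction": "SCMP_ACT_LOG",
            "syscalls": [{"names": sorted(expected), "action": "SCMP_ACT_ALLOW"}]}

if __name__ == "__main__":
    allow = expected_syscalls(BASELINE_TRACE)
    print("unexpected:", dict(unexpected_syscalls(OBSERVED_TRACE, allow)))
    print("profile:", seccomp_profile(allow))
```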