Defend against DoS attacks

Big picture

Calico automatically enforces specific types of deny-list policies at the earliest possible point in the packet processing pipeline, including offloading to NIC hardware whenever possible.

Value

During a DoS attack, a cluster can receive massive numbers of connection requests from attackers. The faster these connection requests are dropped, the less flooding and overloading to your hosts. When you define DoS mitigation rules in Calico network policy, Calico enforces the rules as efficiently as possible to minimize the impact.

Features

This how-to guide uses the following Calico features:

  • HostEndpoint(s) as the policy enforcement point
  • GlobalNetworkSet to manage deny-listed CIDRs
  • GlobalNetworkPolicy to deny ingress traffic from IPs in the global network set

Concepts

Earliest packet processing

The earliest point in the packet processing pipeline that packets can be dropped, depends on the Linux kernel version and the capabilities of the NIC driver and NIC hardware. Calico automatically uses the fastest available option.

Processed by…Used by Calico if…Performance
NIC hardwareThe NIC supports XDP offload mode.Fastest
NIC driverThe NIC driver supports XDP native mode.Faster
KernelThe kernel supports XDP generic mode and Calico is configured to explicitly use it. This mode is rarely used and has no performance benefits over iptables raw mode below. To enable, see Felix Configuration.Fast
KernelIf none of the modes above are available, iptables raw mode is used.Fast

Defend against DoS attacks - 图1note

XDP modes require Linux kernel v4.16 or later.

How to

The high-level steps to defend against a DoS attack are:

Best practice

The following steps walk through the above required steps, assuming no prior configuration is in place. A best practice is to proactively do these steps before an attack (create the host endpoints, network policy, and global network set). In the event of a DoS attack, you can quickly respond by just adding the CIDRs that you want to deny-list to the global network set.

Step 1: Create host endpoints

First, you create the HostEndpoints corresponding to the network interfaces where you want to enforce DoS mitigation rules. In the following example, the HostEndpoint secures the interface named eth0 with IP 10.0.0.1 on node jasper.

  1. apiVersion: projectcalico.org/v3
  2. kind: HostEndpoint
  3. metadata:
  4.   name: production-host
  5.   labels:
  6.     apply-dos-mitigation: 'true'
  7. spec:
  8.   interfaceName: eth0
  9.   node: jasper
  10.   expectedIPs: ['10.0.0.1']

Step 2: Add CIDRs to deny-list in a global network set

Next, you create a Calico GlobalNetworkset, adding the CIDRs that you want to deny-list. In the following example, the global network set deny-lists the CIDR ranges 1.2.3.4/32 and 5.6.0.0/16:

  1. apiVersion: projectcalico.org/v3
  2. kind: GlobalNetworkSet
  3. metadata:
  4.   name: dos-mitigation
  5.   labels:
  6.     dos-deny-list: 'true'
  7. spec:
  8.   nets:
  9.     - '1.2.3.4/32'
  10.     - '5.6.0.0/16'

Step 3: Create deny incoming traffic global network policy

Finally, create a Calico GlobalNetworkPolicy adding the GlobalNetworkSet label (dos-deny-list in the previous step) as a selector to deny ingress traffic. To more quickly enforce the denial of forwarded traffic to the host at the packet level, use the doNotTrack and applyOnForward options.

  1. apiVersion: projectcalico.org/v3
  2. kind: GlobalNetworkPolicy
  3. metadata:
  4.   name: dos-mitigation
  5. spec:
  6.   selector: apply-dos-mitigation == 'true'
  7.   doNotTrack: true
  8.   applyOnForward: true
  9.   types:
  10.     - Ingress
  11.   ingress:
  12.     - action: Deny
  13.       source:
  14.         selector: dos-deny-list == 'true'

Additional resources