How Unikernels Can Better Defend against DDoS Attacks

The New Stack · Intermediate ·📰 AI News & Updates ·9y ago

Key Takeaways

The video discusses how unikernels can provide better security than containers by reducing the attack surface and eliminating the need for a guest OS, making it difficult for botnets to inject malicious code and defend against DDoS attacks. Unikernels can be integrated with other tools and frameworks such as Kubernetes and Docker to provide additional features and benefits.

Full Transcript

[Music] thanks to cisco for sponsoring our day of podcasting at Kubek on we had some great conversations thanks again to cisco you can learn more about cisco and their micro services platform at mantle do that's ma n TL dot IO hi this is lee calcio with the new stack i'm here at cloud- con / cube con in in seattle washington sunny seattle washington i'm joined today by Lavine of CTO at emc welcome ed hey thank you for having me yeah it's good to so we've chatted before it's good to catch up with you again I think I guess you didn't you didn't take your lesson from the last time that I tried to hammer you with questions no I'm still here because that was out it Oh Cloud Foundry right yeah dr. Nick was with us turns out dr. Nick had a lot more questions than I did yeah yeah he's got a great personality great guy but you know kind of part of the theme today at you know cloud native con q con is is knew Kubra Nettie's right I know we talked about the open source project that you lead and drive unique which is if I can kind of butcher that it's well maybe to put it shortly sort of let's get you cannot ease so the same kind of packaging that and portability that dr. provides for containers is kind of unique is bringing four unique kernels exactly is that about how you would put it okay yeah exactly what dr. is doing for container which wanting to do for unique are no of course there is a little bit different because in unit Colonel it's a vm so you're basically involving actually a compiled drivers a song so you need to know a little bit more where you're actually running so it's a little bit different than that expect but basically is to make that easy to run so no it's exactly it's easy aap ideas so if we follow that analogy down the rabbit hole a little bit further so containers are well anymore bringing a fair bit of security to the table I'm there they're portable there are small and footprint and uni kernel is going to take that you know each of those aspects a little bit of a step further is yeah all right so i will argue that the container is not that secure and i think that what I Anakin was trying to attack is exactly that I think it's a different approach of trying to wrap the same application but it's truly get a little bit more so it's much more stream the performance will be much better because there's no a lot of layer it's basically getting rid of the lawyer of the guest guest OS and and and and in in terms of security the surface of attack is much smaller so it's really really secure so it's much more secure so trimming the fat a little bit so it's a lean project exactly nice well speaking of security and just how unique kernels can reduce that attack service the you know we as an industry i had sort of an upset what late last week around some of our favorite websites being down right you know i just it with that example in mind do do unit kernels can I help change that story or you know to the extent that those are used okay so actually funny enough I just wrote a blog with my colleague Eva and and we just basically address exactly that problem so we analyze what happened on that Friday and we're trying to understand what will happen if those devices the bot of the network the botnet basically will be running unicameral if that Iraq will be still possible and basically in the in the article we'll be doing we go over all the popular exposit way like you know here's their shell injection aim now actually do a traverse and so on and we're basically trying to understand what will happen if unica will be running there and in the end of that block what we're saying is that basically it's not possible right i mean if unica will run this attack will not be possible i see so when you mentioned you mentioned a couple of like specific examples where unit kernels are helping that so they're directory traversal kind of being one this notion that you know unique kernels like application containers in our meant you know to perform or intended to perform sort of a singular process and to the extent that that's happening you know something some folks will open up ssh and include that as a process inside their container not necessarily an intended recommended practice does is that you know the same line of thinking with uni Colonel desert yes the beauty of food in Canada is that you're running on your mind process if you're running my process you cannot just you know you cannot use something like SS 80 to run some other binary you're running only the binary that's running in your any carnal so even a me someone can somehow manage to go to the unique oh no it doesn't have a shell to use so we will not be able to execute any shell script and it can't actually also execute any new processes because again it's not going to work it's just going to wear out so the beauty of it is that you can cannot actually run no and you you know a you know a dangerous extra binary which is great because that's kind of like make sure that that will not be able to to run yours you know any dangerous script so it's quite a lot of sense here we may need to coin a new term here just I've made the mistake of speaking on the topic a couple of times and not well articulating kind of the difference between an infrastructure container or like a system container versus an application container and kind of now what we're taking it another step further but I'm going to attempt that now and see if this resonates with you just you know there are infrastructure containers kind of system containers that are you know essentially like a lifted and shifted vm a kind of an entire operating system with you know it's intended to manage and run multiple processes if you're using application containers you know ideally kind of one process and then as you just articulated can moving into uni kernels is would you say you say the same thing just a singular process the beauty of Eureka is the reason the reason we can actually stream a lot of the operating system component is because we basically decided a decision and the decision is that we can run only one process you can run on the run process on one user so actually all the terms of like permission check or rings are not relevant because there's nothing to protect a few are the only one who's running and you know so it's kind of like safe in that terms basically it's more secure than container because in container for instance in the application container you still can run more more than one processes you can drink it or somehow you cannot do that in container which make it went very very safe a saurian unique and it's making very very safe now very interesting so so we are here at q con which is you know all about Cooper Nettie's and there is just you know I understand you guys have announcements kind of in that space yeah so I'm so when you look at the ecosystem we try to understand our you know how can we how people are using to today in application what are what are the two that using a cupola this is the most popular one right now cloud native app and a cluster management and therefore we said well unique is great and it can create you to any kind of this will be very very good but the problem is that there is a lot of benefit that communities can put on top of it like for instance the states and and the ability of define how many as you want and it's always going to be the number and the networking and so on so we said instead of reinvent the wheel and actually do it ourselves but we decided is basically integrated with Cuban Ellis so it's kind of like there is a correct akula I call a thing with is because basically what we did we you make the ability that you'll be able to run container in Cuba on its side by side ray unicorno and the beautiful unique kernel is that you reckon is basically real kind of like on demand because when you're using Cuban Alice you basically have the notes below the container so if you want to actually scale you have a lot of container and you want it scale if you need more not you actually need to spin up another machine with unical it's basically on the man you don't need to take care of the lower level right because it's on demand if you want another application it's basically a vm so it's directly on the ipod visor or whatever you run it and therefore it shouldn't be any problem so we integrated with itself basically we can continue running the port and replicas and and so on your regular application you just need to decide it if you want to put it in container or in uni kernel and again it's your skates paste right your application in security probably will go with you Nicola makes a lot of sense so just for the geeks at heart out there like myself you know more about the specifics of the integration with with kerber Nettie's secure benetti's too well historically has been able to run docker as a runtime engine and then rocket support has been kind of added in there and is it right for folks to think of kind of you know unique kernels as being another question so we actually that it done exactly that we basically running our time but but more than this when when we try to deploy it we discover that a lot of the deployment like for instance of the dashboard is basically docker container so we said well you know actually we want to run it side by side so we basically created another a conduit comox which basically support docker and your nickel a side-by-side so so you basically can run them side by side you can run only unique unique errinel you can run only doctor container so it's basically all the option and yeah basically is a runtime back in okay okay very good well and so it's no secret that you know Cooper Nettie's and its original NES are you know by and large from practices out of Google and a lot of the code was initially i'm coming from google there's been some statistics that were shown one of the keynotes earlier about just you know the plethora of you know the vast and growing ecosystem into your point earlier how quickly that momentum is gaining behind this particular well container orchestrators what i like to refer to i know some people say cluster manager but will will agree to disagree okay the i guess the question that i had was you know in and around the notion that that Google is kind of brought this forward I understand too that there's now an announcement that you sort of a second announcement that you guys are making as a project with respect to Google gcp yeah exactly so until now when we were running unique and basically support quite a lot of stuff cloud so we supported aw guys and we support a recent if you want to run it in a datacenter and footer which is the new version of the sea center of vmware we supported locally on vm virtualbox and so on but we never support google cloud and i would make you know basically we've been asked about it quite a lot so we decided to add a support and we just announced yesterday that basically today you can go to unique and just you know run it on and google cloud that me to work that's exciting that's right yeah [Music] fantastic well do you we don't I guess I just I continue to think about and rap my rap my little pea-brain around the size and that the really the small size of unique animals themselves and begin to think about where it is that you know this really gains traction with with different use cases and different you know different types of developers and things that they're trying to accomplish where are you finding that this resonates yes I so specifically I've been reached by a lot of the NFU words or network function virtualization a lot of telco companies and and and the use case there is basically let's do a several s kind of like company integration with unicameral so today when you're running several s usually using container and the weights working you reuse in container because the boot time it's kind of like slow with unicameral it's actually better because it's a boring faster and it's also very secure so that's why you can actually put a function pairing unicameral and that's that's and that's eating up very nicely in then a few words a lot of company yeah really into this model of oh I need to do it the RM I don't know at the end a server so i will put up it a unique handle every time that someone asks for the question I will answer it and then I with this point so so that's going that use case that been asked a lot that's very interesting yeah no I'm and it sort of reminds me of open whisk as a project to sort of facilitate the you know the use of service or rather service let's use cases a so we're going so we looked at opens open which we might going to work on this we still kind of like debating but we are going to plan planning to open source another project which is basically going to do exactly that basically it's a says basically in a several s selfless implementation with the back end for container but also for for unicorn that's where people can choose to probably open source something soon okay yeah that makes so stepping back and maybe just for our listeners as people have come to understand kind of server lists as a as a new thing and kind of how that how that functions and works maybe you could help by comparing and contrasting or or helping people understand how unique kernel is either like it's appropriate to think of unique kernels and servlets kind of in the same context or you know maybe that's appropriate but not necessarily always appropriate or you know how do you yeah so am so the idea what's our lesson I'm sure everybody knows it's the idea that I don't need a server that will be there and serve my API all the time because I just need to do it if someone actually asked for it and therefore I basically can you know there is no VMs running on that you know there was no instances running on their own my infrastructure when I don't need it so in terms of unique a unique islands basically it's it's a process-based single single process various application right so you can put you can put it online and it can be there all the time but because it's really really footpad so basically don't have to and the beauty of it is that you can actually use the service architecture and pop it up when you need and then destroy it so I feel that damn it can it's it's work very well together with the server less you can walk also a service pool like I mean it can be there all the time unicon oh but but I felt that that the feature of it which is foot bhutan quick boot time probably work very very nicely with the circulus yeah that makes a lot of sense i mean just it's almost back to a kind of our original one of our original topics was just you know a lot of the same things that benefits you get from containers just into an advanced degree so i can see how unique kernels fit right into that server this world so well a deed we've we are mostly through q con um it's been great to chat with you again you know this time I got a couple of questions and we'll i'll have to jab at dr. nick later for that but thanks so much for being on the show with me it's been great to have you my sim thanks so much can i also just mentioned that please help us make it better I mean unique is an open source I don't know get up of EMC advanced I'll go ahead help us make it better we really were looking for full quest and and work as a community and and yeah like go and help us make it better more the better more the merrier yeah very good thank you so much to do but thanks to Cisco for sponsoring our day of podcasting at Kubek on we had some great conversations thanks again to Cisco you can learn more about cisco and their micro services platform at mantle do that's ma n TL dot io [Music]

Original Description

The rise of serverless computing has made many telecommunications companies reconsider not only how they configure their stack and networks, but how to best deploy their workloads in a secure environment. On today’s episode of The New Stack Makers, Dell EMC CTO Idit Levine spoke with SolarWinds Cloud Technology Lead Lee Calcote at KubeCon 2016 to discuss how unikernels are poised to offer all of the developer flexibility afforded to containers, while striving for better security and integrations with many of today’s top container platforms. Listen on SoundCloud: https://soundcloud.com/thenewstackmakers/unikernels-better-defend-against-ddos
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from The New Stack · The New Stack · 2 of 60

1 What's Next for the Cloud Foundry Foundation in 2017 with Executive Director Abby Kearns
What's Next for the Cloud Foundry Foundation in 2017 with Executive Director Abby Kearns
The New Stack
How Unikernels Can Better Defend against DDoS Attacks
How Unikernels Can Better Defend against DDoS Attacks
The New Stack
3 Weaveworks is Bringing Horizontal Scaling to Prometheus
Weaveworks is Bringing Horizontal Scaling to Prometheus
The New Stack
4 TNS Analysts Thanksgiving Special: The Evolution of Kubernetes and the Container Ecosystem
TNS Analysts Thanksgiving Special: The Evolution of Kubernetes and the Container Ecosystem
The New Stack
5 How Rancher Labs is Seeing Kubernetes Put to Work in Production
How Rancher Labs is Seeing Kubernetes Put to Work in Production
The New Stack
6 SAP Tests Kubernetes for Cloud-Native Enterprise Software Deployments
SAP Tests Kubernetes for Cloud-Native Enterprise Software Deployments
The New Stack
7 Event Marketing for Today's Developer Evangelists and Community Managers
Event Marketing for Today's Developer Evangelists and Community Managers
The New Stack
8 NodeSource Introduces Certified Modules to Improve Node.js Security
NodeSource Introduces Certified Modules to Improve Node.js Security
The New Stack
9 How Lightstep is Illuminating the Case for Distributed Tracing
How Lightstep is Illuminating the Case for Distributed Tracing
The New Stack
10 How OpenStack Aims to be More Inclusive without being Exclusive
How OpenStack Aims to be More Inclusive without being Exclusive
The New Stack
11 How Shuttlecloud Saves Time and Money by Monitoring with Prometheus
How Shuttlecloud Saves Time and Money by Monitoring with Prometheus
The New Stack
12 Creating Analytics-Driven Solutions for Operational Visibility
Creating Analytics-Driven Solutions for Operational Visibility
The New Stack
13 Understanding the Application Pattern for Effective Monitoring
Understanding the Application Pattern for Effective Monitoring
The New Stack
14 Building On Docker's Native Monitoring Functionality
Building On Docker's Native Monitoring Functionality
The New Stack
15 The Importance of Having Visibility Into Containers
The Importance of Having Visibility Into Containers
The New Stack
16 How Getting Your Project in the CNCF Just Got Easier
How Getting Your Project in the CNCF Just Got Easier
The New Stack
17 Tectonic Summit Pancake Breakfast: How to Sell Kubernetes to the Hypervisor-Minded
Tectonic Summit Pancake Breakfast: How to Sell Kubernetes to the Hypervisor-Minded
The New Stack
18 The Buzz at Tectonic Summit 2016 in New York City
The Buzz at Tectonic Summit 2016 in New York City
The New Stack
19 Bringing Clarity to the Future of Node.js Modules
Bringing Clarity to the Future of Node.js Modules
The New Stack
20 How FluentD Can Help Monitor Microservice Architectures Through Unified Logging
How FluentD Can Help Monitor Microservice Architectures Through Unified Logging
The New Stack
21 Reshaping Front End Development with Warehouse.ai
Reshaping Front End Development with Warehouse.ai
The New Stack
22 2016 Year End Wrap-Up: Discussing Docker, OpenStack, and Open Source
2016 Year End Wrap-Up: Discussing Docker, OpenStack, and Open Source
The New Stack
23 Here's Why You Should Build a Robot Using Node.JS: Because You Can
Here's Why You Should Build a Robot Using Node.JS: Because You Can
The New Stack
24 How the Node.js Foundation is Utilizing Participatory Governance Models
How the Node.js Foundation is Utilizing Participatory Governance Models
The New Stack
25 Set Up an MongoDB Replica Set in Less Than an Hour Using Bitnami Packages
Set Up an MongoDB Replica Set in Less Than an Hour Using Bitnami Packages
The New Stack
26 Determining Who Bears the Burden of Ensuring NPM Module Security
Determining Who Bears the Burden of Ensuring NPM Module Security
The New Stack
27 How Intel Snap uses Telemetry and Kubernetes to Drive Enterprise Efficiency
How Intel Snap uses Telemetry and Kubernetes to Drive Enterprise Efficiency
The New Stack
28 How the NFL Scored a Touchdown with its Open Source React Framework Wildcat
How the NFL Scored a Touchdown with its Open Source React Framework Wildcat
The New Stack
29 Aporeto CEO Dimitri Stiliadis: When it Comes to Security, Context is King
Aporeto CEO Dimitri Stiliadis: When it Comes to Security, Context is King
The New Stack
30 The Buzz at Node.JS Interactive
The Buzz at Node.JS Interactive
The New Stack
31 Why Going Serverless Doesn't Mean 'No Ops'
Why Going Serverless Doesn't Mean 'No Ops'
The New Stack
32 How Node.js is Transforming Today's Enterprises
How Node.js is Transforming Today's Enterprises
The New Stack
33 JJ Asghar Interview
JJ Asghar Interview
The New Stack
34 How Capital One is Using APIs to Streamline Auto Financing
How Capital One is Using APIs to Streamline Auto Financing
The New Stack
35 SXSW 2017: How Machine Learning Differs From Regular Programming
SXSW 2017: How Machine Learning Differs From Regular Programming
The New Stack
36 SXSW 2017: Data-Driven Applications with Capital One DevExchange's Hydrograph
SXSW 2017: Data-Driven Applications with Capital One DevExchange's Hydrograph
The New Stack
37 SXSW 2017: How Good Engineers Make Bad Business Decisions
SXSW 2017: How Good Engineers Make Bad Business Decisions
The New Stack
38 CloudNativeCon & KubeCon EU Pancake Breakfast 2017: Kubernetes and the Multi-Cloud
CloudNativeCon & KubeCon EU Pancake Breakfast 2017: Kubernetes and the Multi-Cloud
The New Stack
39 CNCF Executive Director Dan Kohn: What's Next for CNCF in 2017
CNCF Executive Director Dan Kohn: What's Next for CNCF in 2017
The New Stack
40 Exploring the Latest Container Runtime Projects in the CNCF
Exploring the Latest Container Runtime Projects in the CNCF
The New Stack
41 Exploring the Future of the Kubernetes Ecosystem
Exploring the Future of the Kubernetes Ecosystem
The New Stack
42 Kubernetes and Continuous Deployment
Kubernetes and Continuous Deployment
The New Stack
43 Kris Nova of Deis at CouldNativecon/Kubecon in Berlin
Kris Nova of Deis at CouldNativecon/Kubecon in Berlin
The New Stack
44 Docker's Quest for Simplicity with the Evolution of Containerd
Docker's Quest for Simplicity with the Evolution of Containerd
The New Stack
45 Developers First: The Cloud Foundry Service Broker API and Kubernetes
Developers First: The Cloud Foundry Service Broker API and Kubernetes
The New Stack
46 Mapping the Future of CoreOS's rkt in the CNCF
Mapping the Future of CoreOS's rkt in the CNCF
The New Stack
47 Red Hat and Dell EMC: Two Perspectives from DockerCon
Red Hat and Dell EMC: Two Perspectives from DockerCon
The New Stack
48 Capital One Opened its APIs to Third-Party Developers — Here’s What They Learned
Capital One Opened its APIs to Third-Party Developers — Here’s What They Learned
The New Stack
49 SUSE Joins the CNCF, Brings Kubernetes to OpenStack Cloud 7
SUSE Joins the CNCF, Brings Kubernetes to OpenStack Cloud 7
The New Stack
50 How Capital One Brings Open Source To The  Banking Industry
How Capital One Brings Open Source To The Banking Industry
The New Stack
51 OSCON Is Coming Back To Portland, A Show Wrapup With Co-Chair Kelsey Hightower
OSCON Is Coming Back To Portland, A Show Wrapup With Co-Chair Kelsey Hightower
The New Stack
52 Dev Or Ops Doesn’t Matter, You Need Observability
Dev Or Ops Doesn’t Matter, You Need Observability
The New Stack
53 Taking The Next Steps In Developing An Open Source Culture
Taking The Next Steps In Developing An Open Source Culture
The New Stack
54 SXSW 2017: How Capital One Became Technology-First With Open Source
SXSW 2017: How Capital One Became Technology-First With Open Source
The New Stack
55 Apcera   Old Apps Spanning New Clouds
Apcera Old Apps Spanning New Clouds
The New Stack
56 Provenance: The Peace of Mind Chef Habitat Seeks to Deliver
Provenance: The Peace of Mind Chef Habitat Seeks to Deliver
The New Stack
57 InSpec: Human Readable, Automated Compliance
InSpec: Human Readable, Automated Compliance
The New Stack
58 The Evolution of SAP HANA Express
The Evolution of SAP HANA Express
The New Stack
59 Women Engineers Who Inspire And Never Give Up
Women Engineers Who Inspire And Never Give Up
The New Stack
60 Three Perspectives on the Evolution of Container Security
Three Perspectives on the Evolution of Container Security
The New Stack

Unikernels can provide better security than containers by reducing the attack surface and eliminating the need for a guest OS, making it difficult for botnets to inject malicious code and defend against DDoS attacks. Unikernels can be integrated with other tools and frameworks to provide additional features and benefits. This video discusses the benefits and use cases of unikernels in defending against DDoS attacks and improving security posture.

Key Takeaways
  1. Run a singular process to limit access to the operating system
  2. Integrate unikernels with Kubernetes and Docker
  3. Use UnikVM to run containers on demand
  4. Scale by spinning up another machine
  5. Use unikernels for network function virtualization and serverless architecture
💡 Unikernels can provide quick boot times and offer benefits similar to containers but at an advanced degree, making them a promising solution for defending against DDoS attacks and improving security posture.

Related Reads

📰
AI Theatre: The Gap Between Talking About AI and Actually Using It
Learn to identify the gap between discussing AI and actual implementation, and why it matters for professionals
Medium · Cybersecurity
📰
How to Structure Content for AI-First Indexing: 7 Rules That Get You Cited
Learn to structure content for AI-first indexing to increase citation chances, as Google AI Overviews now appear in 47% of US search results
Medium · AI
📰
The Last Premium: What Stays Expensive When Thinking Gets Free
Discover what stays expensive when AI commoditizes human thinking and how it impacts various industries
Medium · Data Science
📰
Microsoft said the patches would get bigger. I measured how much bigger.
Measure the impact of Microsoft's patches on Windows updates to understand the growth in size due to AI-powered vulnerability discovery
Dev.to · Erik Rekola
Up next
PLATO Exoplanet Hunter Launch 2026 Searching for New Earths in a Warming World
Tech Folk Insights
Watch →