Painless Docker - 2nd Edition

A Comprehensive Guide to Mastering Docker and its Ecosystem

Common Security Threats

Denial-of-Service (DoS) Attacks

If a container is not properly constrained, it can monopolize system resources - such as CPU, memory, or process IDs (PIDs). When a malicious or buggy container consumes these resources aggressively, it starves legitimate containers and can potentially crash the entire host operating system. This is often referred to as the "Noisy Neighbor" effect or a resource exhaustion attack.

By default, Docker containers run with unlimited access to the host's resources. The Docker daemon does not impose quotas unless explicitly configured. An attacker can exploit this default behavior to launch a Denial-of-Service (DoS) attack.
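As an added example (not from the book), a small Python audit that reads `docker inspect` output and flags containers that were started without PID, memory or CPU limits, i.e. the unconstrained default described above. The sample JSON is constructed, and the meaning of the `HostConfig` fields is assumed from the Docker API.

```python
"""Audit `docker inspect` output for containers running with no resource limits."""
import json

# Constructed sample of what `docker inspect <id> ...` returns, trimmed to the
# fields this audit needs. The first container has no limits at all; the second
# was started with --pids-limit 200 --memory 512m --cpus 1.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/unconstrained",
     "HostConfig": {"PidsLimit": None, "Memory": 0, "NanoCpus": 0, "CpuQuota": 0}},
    {"Name": "/constrained",
     "HostConfig": {"PidsLimit": 200, "Memory": 536870912,
                    "NanoCpus": 1000000000, "CpuQuota": 0}},
])


def missing_limits(host_config):
    """Return the names of limits a container lacks. Each unset limit leaves a
    resource-exhaustion vector open (PID table, memory, or CPU time)."""
    missing = []
    pids = host_config.get("PidsLimit")
    # PidsLimit is null when never set; 0 (older daemons) and -1 mean unlimited.
    if pids is None or pids <= 0:
        missing.append("pids")
    # Memory is in bytes; 0 or absent means no cgroup memory cap.
    if not host_config.get("Memory"):
        missing.append("memory")
    # CPU can be capped via --cpus (NanoCpus) or --cpu-quota/--cpu-period.
    if not host_config.get("NanoCpus") and not host_config.get("CpuQuota"):
        missing.append("cpu")
    return missing


def audit(inspect_json):
    """Map container name -> list of missing limits, for containers that lack
    at least one limit. Containers with all three limits set are omitted."""
    findings = {}
    for container in json.loads(inspect_json):
        lacking = missing_limits(container.get("HostConfig", {}))
        if lacking:
            findings[container["Name"].lstrip("/")] = lacking
    return findings


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) | python3 audit.py
    for name, lacking in audit(SAMPLE_INSPECT).items():
        print(f"{name}: no limit on {', '.join(lacking)}")
```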

Common Attack Vectors

1. The Fork Bomb (PID Exhaustion)

One of the most effective ways to crash a Docker host is a Fork Bomb. This script recursively defines a function that calls itself twice and runs in the background, which leads to exponential growth in the number of processes. Since containers share the host's Process ID (PID) table, a fork bomb inside a container can exhaust the host's supply of available PIDs (Linux caps the number of processes through the maximum PID value set in /proc/sys/kernel/pid_max).

# A classic bash fork bomb
:(){
