Conference:  Black Hat Asia 2023
Authors: Xiang Li
2023-05-12

Phoenix Domain is a general and novel attack that allows adversaries to keep a revoked malicious domain continuously resolvable at scale, which re-enables an old, mitigated attack, Ghost Domain. Phoenix Domain has two variations and affects all mainstream DNS software and public DNS resolvers overall because it does not violate any DNS specifications or best security practices. The attack is made possible through systematically "reverse engineering" the cache operations of 8 DNS implementations, and new attack surfaces are revealed in the domain name delegation processes. We selected 41 well-known public DNS resolvers and proved that all surveyed DNS services are vulnerable to Phoenix Domain, including Google Public DNS and Cloudflare DNS. Extensive measurement studies were performed with 210k stable and distributed DNS recursive resolvers, and results show that even one month after domain name revocation and cache expiration, more than 25% of recursive resolvers can still resolve it. The proposed attack provides an opportunity for adversaries to evade the security practice of malicious domain take-down. We have reported the discovered vulnerabilities to all affected vendors and suggested 6 types of mitigation approaches to them. Currently, 7 DNS software providers and 15 resolver vendors, including BIND, Unbound, Google, and Cloudflare, have confirmed the vulnerabilities, and some of them are implementing and publishing mitigation patches according to our suggestions. In addition, 9 CVE numbers have been assigned. The study calls for standardization to address the issue of how to revoke domain names securely and maintain cache consistency.
Authors: Peter Hunt, Markus Lehtonen
2022-10-27

tldr - powered by Generative AI

The conference presentation discusses resource management in Kubernetes and the implementation of Quality of Service (QoS) classes to prioritize resource allocation for pods.
  • Kubernetes is implementing QoS classes to prioritize resource allocation for pods
  • The responsibility of balancing resources falls on the admin
  • There is no automatic reconciliation for resource allocation when pods disappear
  • Future work includes making explicit the Pod QoS class and implementing new types of resources
Authors: Jesse Suen, Qingkun Li
2022-05-20

tldr - powered by Generative AI

TikTok manages its global edge clusters with Kubernetes and operates continuous delivery with Argo CD. The talk discusses the scalability challenges TikTok faces in managing edge services with Argo CD and how the Argo community plans to address them in the future.
  • TikTok operates a large network of Kubernetes edge clusters around the world, hosting apps such as TikTok, live and gaming, using cache and traffic acceleration services offered at our edge clusters.
  • The challenge arises when it comes to the deployment management of those edge services on hundreds of edge clusters.
  • Argo CD is used to manage cluster applications on the edge.
  • The deployment of all edge services follows the same pattern, with a large portion of common configurations and a small portion of cluster-specific configurations.
  • The performance and scalability of using Argo CD to manage over 3000 applications across 100 global edge clusters is a challenge.
  • The Argo community plans to address these challenges in the future.