How Unikernels Can Better Defend against DDoS Attacks

On the episode of The New Stack Makers podcast, Dell EMC CTO Idit Levine, an EMC chief technology officer at the cloud management division and office of the CTO, discussed how unikernels are poised to offer all of the developer flexibility afforded to containers, while striving for better security and integrations with many of today’s top container platforms. She spoke with SolarWinds Cloud Technology Lead Lee Calcote at KubeCon 2016:
How Unikernels Can Better Defend against DDoS Attacks
At KubeCon earlier this month, Levine and the rest of the team behind the open source unikernel compilation and management platform, Unik announced new features for Unik designed to bolster both unikernel adoption and community involvement with the project moving forward. These changes included Kubernetes integration, with users having the ability to run Unik side-by-side with Kubernetes, and adding support for the Google Cloud Platform after continued requests to do so from the community.
Above all, unikernels and projects such as Uniq cannot evolve and improve without community involvement. “Unik is open source. We’re looking for pull requests. Go and help us make it better,” Levine said.
The discussion also covered the security benefits of unikernels, riffing from the recent Dyn-centered denial of service attack that blocked access to many of the top websites last month. Levine penned a post that argued if the Mirai botnet had encountered unikernels-based IoT devices, the attack simply would not have been possible. “In the article, we go over all the popular ways (to DDoS) such as shell injection, directory traversal, and so on, trying to understand what would happen if unikernels were running there. It’s not possible, that attack would not have happened,” said Levine.
“The beauty of unikernels is you’re only running one process. Even if one can somehow get to the unikernel, it does not have a shell to use, so one cannot execute any shell script. The beauty of it is you cannot actually run a dangerous extra binary, which is great,” said Levine.
Cisco is a sponsor of The New Stack.