Suspicious ICMP network traffic from public IPs on a private GKE cluster
After enabling network policy logging on a vpc-native cluster, it turned out that some suspicious ICMP traffic is blocked.
According to the log json payload, the Internet ICMP traffic is somehow reaching pods (including those which are not exposed by any service or ingress). Example log below:
"src": {
"instance": "redacted_public_ip"
},
"node_name": "redacted_node_name",
"count": 1,
"disposition": "deny",
"dest": {
"workload_name": "redacted_workload_name",
"workload_kind": "ReplicaSet",
"pod_namespace": "redacted_pod_namespace",
"namespace": "redacted_namespace",
"pod_name": "redacted_pod_name"
},
"connection": {
"protocol": "icmp",
"dest_ip": "redacted_private_pod_ip",
"direction": "ingress",
"src_ip": "redacted_public_ip"
}
There are multiple entries like the one above, and public IPs are owned by multiple different organisations and located in different countries. What might be the next step with investigating this issue?
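As an added triage example (not code from the original post or from the answer below), the script that follows parses network-policy log records in the shape shown in the question, aggregates the denied ingress ICMP records per source address, and sorts the sources into three buckets: sources on an operator-maintained allowlist, RFC 1918 sources (which by definition did not arrive from the Internet, so a VPC-side origin has to be found first), and everything else, ordered by how many distinct pods each source reached. The sample records, the `EXPECTED_SOURCES` allowlist and the `_record` helper are constructed for this example; the addresses are RFC 5737 documentation ranges, not real sources.

```python
"""Triage helper for GKE network-policy log records (added example, not from the post).

Assumptions (not in the original post):
  - each input line is the jsonPayload of one network-policy log record in the
    shape the question shows (src / dest / connection / disposition / count);
  - EXPECTED_SOURCES is an operator-maintained allowlist of CIDRs that are known
    to probe the cluster (monitoring hosts and the like); the ranges are made up.
"""
import ipaddress
import json

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EXPECTED_SOURCES = {  # constructed allowlist; replace with your own ranges
    "ops-monitoring": ipaddress.ip_network("198.51.100.0/24"),
}


def _record(src_ip, node, count, ns, pod, proto="icmp", disposition="deny"):
    """Build one constructed record with the field layout from the question."""
    return json.dumps({
        "src": {"instance": src_ip},
        "node_name": node,
        "count": count,
        "disposition": disposition,
        "dest": {"workload_name": pod.rsplit("-", 1)[0], "workload_kind": "ReplicaSet",
                 "pod_namespace": ns, "namespace": ns, "pod_name": pod},
        "connection": {"protocol": proto, "dest_ip": "10.8.1.5",  # dest_ip not used by the triage
                       "direction": "ingress", "src_ip": src_ip},
    })


# Constructed sample: documentation addresses (RFC 5737) stand in for real sources.
SAMPLE_LOG_LINES = [
    _record("203.0.113.7", "gke-node-a", 1, "prod", "api-7c9d-x1"),
    _record("203.0.113.7", "gke-node-b", 2, "prod", "worker-5f1-q2"),  # same source, second pod
    _record("198.51.100.9", "gke-node-a", 1, "prod", "api-7c9d-x1"),   # allowlisted monitoring host
    _record("192.0.2.44", "gke-node-c", 1, "staging", "web-0a3-m7"),
    _record("10.8.0.17", "gke-node-a", 4, "prod", "api-7c9d-x1"),      # RFC 1918 source: inside the VPC
    _record("203.0.113.7", "gke-node-a", 1, "prod", "api-7c9d-x1", proto="tcp", disposition="allow"),  # skipped
]


def classify_source(ip):
    """Return the allowlist label for ip, or None if it is not an expected source."""
    addr = ipaddress.ip_address(ip)
    for label, net in EXPECTED_SOURCES.items():
        if addr in net:
            return label
    return None


def summarize(log_lines):
    """Aggregate denied ingress ICMP records per source IP.

    Returns {src_ip: {"hits", "pods", "namespaces", "nodes", "label", "rfc1918"}}; "hits"
    sums the record's own "count" field, so one record may stand for several packets.
    """
    per_src = {}
    for line in log_lines:
        rec = json.loads(line)
        conn = rec.get("connection", {})
        if rec.get("disposition") != "deny" or conn.get("direction") != "ingress":
            continue
        if conn.get("protocol") != "icmp":
            continue
        src = conn["src_ip"]
        entry = per_src.setdefault(src, {
            "hits": 0, "pods": set(), "namespaces": set(), "nodes": set(),
            "label": classify_source(src),
            "rfc1918": any(ipaddress.ip_address(src) in net for net in RFC1918),
        })
        entry["hits"] += int(rec.get("count", 1))
        entry["pods"].add(rec["dest"]["pod_name"])
        entry["namespaces"].add(rec["dest"]["pod_namespace"])
        entry["nodes"].add(rec["node_name"])
    return per_src


def triage(summary):
    """Split sources into buckets for follow-up.

    'expected'   : on the allowlist;
    'internal'   : RFC 1918 sources, i.e. not from the Internet; find the VPC-side origin first;
    'unexpected' : everything else, widest-reaching first (distinct pods, then hits).
    """
    expected = sorted(ip for ip, e in summary.items() if e["label"] is not None)
    internal = sorted(ip for ip, e in summary.items() if e["label"] is None and e["rfc1918"])
    rest = [ip for ip, e in summary.items() if e["label"] is None and not e["rfc1918"]]
    unexpected = sorted(rest, key=lambda ip: (-len(summary[ip]["pods"]), -summary[ip]["hits"], ip))
    return {"expected": expected, "internal": internal, "unexpected": unexpected}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG_LINES)
    for bucket, ips in triage(summary).items():
        for ip in ips:
            e = summary[ip]
            print(f"{bucket:10} {ip:16} hits={e['hits']:3} pods={len(e['pods'])} "
                  f"namespaces={sorted(e['namespaces'])} nodes={sorted(e['nodes'])}")
```

In practice you would feed it the jsonPayload of each record exported from Cloud Logging rather than the constructed sample. The per-source fan-out (how many distinct pods and nodes one address reached) is the number worth looking at first: a source that touches pods across several nodes and namespaces is behaving like a sweep of the whole pod range, whereas a source that only ever hits one pod is more likely to be answering something that pod sent.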
Comments (1)
Simply block ICMP unless you really need it. There are two basic types of ICMP, one used for routing and the other for ping-pong messages. You do not need either one enabled.
The next tip is that there is nothing to investigate. The public Internet will poke and prod every public IP address non-stop. Otherwise, you will need to deploy a firewall and blocklists to block known bad actors.