Sherin George
2013-Jan-14 11:21 UTC
Xen bridge allows to sniff traffic destined to other domUs in same dom0
Hi Guys,

I am working as sysadmin for a hosting company.

Recently one of our customers came to me saying that he can view traffic not destined to his VPS (domU) which is not broadcast.

I created a test VPS (domU) in the hardware node (dom0) and found that what the customer claimed may be correct.

I did tcpdump in my test VPS testvps.example.com and I could see traffic as the customer explained. So I think my customer was right about what he said.

I tried to access the website customer-website.net hosted in the customer VPS server1.customer-server.net (10.5.36.89). Then I logged into testvps.example.com & checked tcpdump. I found that traffic from my office IP 192.168.57.86 to the server1.customer-website.net server is showing in testvps.example.com.

=========================
336630167 2230533262>
07:10:38.479684 IP 192.168.57.86.39811 > 10.5.36.89.http: . ack 8368 win 454
07:10:38.482157 IP 192.168.57.86.39811 > 10.5.36.89.http: P 1960:2456(496) ack 8368 win 454
07:10:38.520554 IP 192.168.57.86.54362 > 10.5.36.89.http: . ack 8093 win 408
07:10:38.522452 IP 192.168.57.86.54362 > 10.5.36.89.http: P 1493:1990(497) ack 8169 win 408
07:10:38.637627 IP 192.168.57.86.36133 > 10.5.36.89.http: . ack 9827 win 454
07:10:38.643413 IP 192.168.57.86.36133 > 10.5.36.89.http: . ack 11167 win 499
07:10:38.704186 IP 192.168.57.86.56264 > 10.5.36.89.http: . ack 7627 win 363
07:10:38.744250 IP 192.168.57.86.56264 > 10.5.36.89.http: . ack 7954 win 408
=========================

I was under the impression that a domU (VPS) will get only broadcast traffic other than packets actually destined to it. A bridge is supposed to send packets to the MAC address rather than broadcasting. So, this behavior is interesting, something that needs to be investigated further and may be fixed if possible.

Could anyone please provide any insight into what might be happening?

Note: I replaced actual IP addresses for privacy.

Thanks in advance.
Sherin
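A way to confirm from inside a test guest what Sherin saw, as an added example that is not part of this thread: a POSIX sh/awk filter that reads tcpdump output and keeps only unicast IP lines whose destination is not the guest's own address. A Linux bridge is a learning switch: it forwards a frame to one port only when the destination MAC is in its forwarding table, and floods it to every port (every vif) when the entry is missing, for example after the entry has aged out or when the return path runs through a different port. Unicast for another guest showing up on your vif is that flooding. The sample lines are constructed from the post's anonymised output; the test guest's own address 10.5.36.90 is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread: spot unicast IP traffic that reached
# this domU's interface although it is addressed to another host. On a
# learning bridge such frames are "unknown unicast" that got flooded to
# every port, which is what the post observes.

# Constructed sample modelled on the post's tcpdump output (same anonymised
# addresses). The test VPS itself is assumed to be 10.5.36.90.
SAMPLE_TCPDUMP='07:10:38.479684 IP 192.168.57.86.39811 > 10.5.36.89.http: . ack 8368 win 454
07:10:38.482157 IP 192.168.57.86.39811 > 10.5.36.89.http: P 1960:2456(496) ack 8368 win 454
07:10:38.500000 IP 192.168.57.86.40000 > 10.5.36.90.ssh: . ack 1 win 454
07:10:38.520554 IP 192.168.57.86.54362 > 10.5.36.89.http: . ack 8093 win 408
07:10:38.600000 ARP, Request who-has 10.5.36.89 tell 10.5.36.1, length 28
07:10:38.637627 IP 192.168.57.86.36133 > 10.5.36.89.http: . ack 9827 win 454'

# Reads tcpdump lines on stdin; prints the IP lines whose destination host
# is not $1 (this guest's own address). tcpdump prints "host.port", so the
# last dotted component is stripped to get the bare address.
foreign_unicast() {
    awk -v own="$1" '
        $2 == "IP" && $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)          # "10.5.36.89.http:" -> "10.5.36.89.http"
            sub(/\.[^.]*$/, "", dst)    # drop ".http" / ".80"
            if (dst != own) print
        }'
}

# Number of such lines, for a quick yes/no check or an alert threshold.
count_foreign_unicast() {
    foreign_unicast "$1" | wc -l | tr -d ' '
}

# Distinct foreign destination hosts, one per line, sorted.
foreign_destinations() {
    foreign_unicast "$1" | awk '{ d = $5; sub(/:$/, "", d); sub(/\.[^.]*$/, "", d); print d }' | sort -u
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_TCPDUMP" | foreign_unicast 10.5.36.90
```

For a live check inside the guest, feed it line-buffered numeric output: `tcpdump -n -l -i eth0 | foreign_unicast 10.5.36.90`. Anything it prints is a frame the bridge delivered to your port without being addressed to you; a steady stream of it from several other guests' addresses means the hosting node is not isolating tenants at layer 2.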
Peter Viskup
2013-Jan-14 20:21 UTC
Re: Xen bridge allows to sniff traffic destined to other domUs in same dom0
On 01/14/2013 12:21 PM, Sherin George wrote:
> Hi Guys,
>
> I am working as sysadmin for a hosting company.
>
> Recently one of our customers came to me saying that he can view traffic not destined to his VPS (domU) which is not broadcast.
>
> I created a test VPS (domU) in the hardware node (dom0) and found that what the customer claimed may be correct.
>
> I did tcpdump in my test VPS testvps.example.com and I could see traffic as the customer explained. So I think my customer was right about what he said.
>
> I tried to access the website customer-website.net hosted in the customer VPS server1.customer-server.net (10.5.36.89). Then I logged into testvps.example.com & checked tcpdump. I found that traffic from my office IP 192.168.57.86 to the server1.customer-website.net server is showing in testvps.example.com.
>
> =========================
> 336630167 2230533262>
> 07:10:38.479684 IP 192.168.57.86.39811 > 10.5.36.89.http: . ack 8368 win 454
> 07:10:38.482157 IP 192.168.57.86.39811 > 10.5.36.89.http: P 1960:2456(496) ack 8368 win 454
> 07:10:38.520554 IP 192.168.57.86.54362 > 10.5.36.89.http: . ack 8093 win 408
> 07:10:38.522452 IP 192.168.57.86.54362 > 10.5.36.89.http: P 1493:1990(497) ack 8169 win 408
> 07:10:38.637627 IP 192.168.57.86.36133 > 10.5.36.89.http: . ack 9827 win 454
> 07:10:38.643413 IP 192.168.57.86.36133 > 10.5.36.89.http: . ack 11167 win 499
> 07:10:38.704186 IP 192.168.57.86.56264 > 10.5.36.89.http: . ack 7627 win 363
> 07:10:38.744250 IP 192.168.57.86.56264 > 10.5.36.89.http: . ack 7954 win 408
> =========================
>
> I was under the impression that a domU (VPS) will get only broadcast traffic other than packets actually destined to it. A bridge is supposed to send packets to the MAC address rather than broadcasting. So, this behavior is interesting, something that needs to be investigated further and may be fixed if possible.
>
> Could anyone please provide any insight into what might be happening?
>
> Note: I replaced actual IP addresses for privacy.
>
> Thanks in advance.
> Sherin

Hi Sherin,
all that is just expected and it just shows that your bridge is working correctly.

If you are interested in reading about Linux bridging, read some of these:
- http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
- https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-networkscripts-interfaces_network-bridge.html
- http://wiki.debian.org/BridgeNetworkConnections

You didn't mention what OS you use for dom0, but I anticipate it is Linux. In that case ebtables should help you to secure your network environment and restrict the packet flow only to the interfaces they are related to.

Best regards,
--
Peter Viskup
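One way to do what Peter suggests with ebtables, as an added example that is not from this thread or from any Xen script: a small POSIX sh generator that prints, per guest port, the ebtables FORWARD rules confining that vif to its own traffic. On the way out to the guest it accepts only frames for the guest's own MAC plus broadcast and multicast and drops everything else, so unicast the bridge floods for another guest never reaches the vif; on the way in from the guest it drops frames whose MAC, IPv4 or ARP source address is not the guest's own. The vif names, MAC addresses and IPs in the table are constructed assumptions; the rules are printed rather than applied so the script can be inspected without root.

```sh
#!/bin/sh
# Added example, not from the thread: generate ebtables rules that confine
# a domU's bridge port (vif) to its own traffic. Egress: only frames for
# the guest's own MAC, or broadcast/multicast, may leave the bridge through
# its vif, so flooded unicast meant for other guests is dropped. Ingress:
# frames the guest sends must carry its own MAC and IPv4/ARP source.
# The vif names, MACs and IPs used here are assumptions for illustration.

# Print (do not execute) the ebtables commands for one guest port.
# Usage: vif_isolation_rules <vif> <mac> <ipv4>
vif_isolation_rules() {
    vif="$1"; mac="$2"; ip="$3"
    # Egress towards the guest: allow its own unicast MAC and group addresses,
    # then drop whatever else the bridge would have flooded to this port.
    echo "ebtables -A FORWARD -o $vif -d $mac -j ACCEPT"
    echo "ebtables -A FORWARD -o $vif -d Broadcast -j ACCEPT"
    echo "ebtables -A FORWARD -o $vif -d Multicast -j ACCEPT"
    echo "ebtables -A FORWARD -o $vif -j DROP"
    # Ingress from the guest: refuse spoofed MAC, IPv4 and ARP source
    # addresses (ebtables places the '!' after the option it negates).
    echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
    echo "ebtables -A FORWARD -i $vif -p IPv4 --ip-src ! $ip -j DROP"
    echo "ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP"
}

# Constructed "vif mac ip" table of the guests on this dom0.
GUESTS='vif1.0 00:16:3e:00:00:01 10.5.36.89
vif2.0 00:16:3e:00:00:02 10.5.36.90'

# Rules for every guest in the table, in order.
all_rules() {
    printf '%s\n' "$GUESTS" | while read -r vif mac ip; do
        vif_isolation_rules "$vif" "$mac" "$ip"
    done
}

# Number of DROP rules produced for one vif: one egress catch-all plus
# three ingress anti-spoof rules.
count_drop_rules() {
    vif_isolation_rules "$@" | grep -c -- '-j DROP'
}

all_rules
```

To apply the output on a dom0 you would pipe it to a root shell (`all_rules | sh`) after checking with `ebtables -L FORWARD` that no earlier ACCEPT rule in the chain short-circuits the per-vif DROP, and you would need to re-add a guest's rules whenever its vif is recreated, since the vif name and the rules referencing it disappear with the domain. The egress DROP is deliberately broad: it also discards the flooded unicast the bridge sends while it has no forwarding-table entry for the guest's MAC, which is exactly the leakage the post describes.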
Sherin George
2013-Jan-15 03:16 UTC
Re: Xen bridge allows to sniff traffic destined to other domUs in same dom0
Hi Peter,

Thank you so much :)

--
Regards,
Sherin

On Tue, Jan 15, 2013 at 1:51 AM, Peter Viskup <skupko.sk@gmail.com> wrote:
> On 01/14/2013 12:21 PM, Sherin George wrote:
>> Hi Guys,
>>
>> I am working as sysadmin for a hosting company.
>>
>> Recently one of our customers came to me saying that he can view traffic not destined to his VPS (domU) which is not broadcast.
>>
>> I created a test VPS (domU) in the hardware node (dom0) and found that what the customer claimed may be correct.
>>
>> I did tcpdump in my test VPS testvps.example.com and I could see traffic as the customer explained. So I think my customer was right about what he said.
>>
>> I tried to access the website customer-website.net hosted in the customer VPS server1.customer-server.net (10.5.36.89). Then I logged into testvps.example.com & checked tcpdump. I found that traffic from my office IP 192.168.57.86 to the server1.customer-website.net server is showing in testvps.example.com.
>>
>> =========================
>> 336630167 2230533262>
>> 07:10:38.479684 IP 192.168.57.86.39811 > 10.5.36.89.http: . ack 8368 win 454
>> 07:10:38.482157 IP 192.168.57.86.39811 > 10.5.36.89.http: P 1960:2456(496) ack 8368 win 454
>> 07:10:38.520554 IP 192.168.57.86.54362 > 10.5.36.89.http: . ack 8093 win 408
>> 07:10:38.522452 IP 192.168.57.86.54362 > 10.5.36.89.http: P 1493:1990(497) ack 8169 win 408
>> 07:10:38.637627 IP 192.168.57.86.36133 > 10.5.36.89.http: . ack 9827 win 454
>> 07:10:38.643413 IP 192.168.57.86.36133 > 10.5.36.89.http: . ack 11167 win 499
>> 07:10:38.704186 IP 192.168.57.86.56264 > 10.5.36.89.http: . ack 7627 win 363
>> 07:10:38.744250 IP 192.168.57.86.56264 > 10.5.36.89.http: . ack 7954 win 408
>> =========================
>>
>> I was under the impression that a domU (VPS) will get only broadcast traffic other than packets actually destined to it. A bridge is supposed to send packets to the MAC address rather than broadcasting. So, this behavior is interesting, something that needs to be investigated further and may be fixed if possible.
>>
>> Could anyone please provide any insight into what might be happening?
>>
>> Note: I replaced actual IP addresses for privacy.
>>
>> Thanks in advance.
>> Sherin
>
> Hi Sherin,
> all that is just expected and it just shows that your bridge is working correctly.
>
> If you are interested in reading about Linux bridging, read some of these:
> - http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
> - https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-networkscripts-interfaces_network-bridge.html
> - http://wiki.debian.org/BridgeNetworkConnections
>
> You didn't mention what OS you use for dom0, but I anticipate it is Linux. In that case ebtables should help you to secure your network environment and restrict the packet flow only to the interfaces they are related to.
>
> Best regards,
> --
> Peter Viskup
Nick Couchman
2013-Jan-15 15:35 UTC
Re: Xen bridge allows to sniff traffic destined to other domUs in same dom0
>>> On 2013/01/14 at 13:21, Peter Viskup <skupko.sk@gmail.com> wrote:
> On 01/14/2013 12:21 PM, Sherin George wrote:
>> Hi Guys,
>>
>> I am working as sysadmin for a hosting company.
>>
>> Recently one of our customers came to me saying that he can view traffic not destined to his VPS (domU) which is not broadcast.
>>
>> I created a test VPS (domU) in the hardware node (dom0) and found that what the customer claimed may be correct.
>>
>> I did tcpdump in my test VPS testvps.example.com and I could see traffic as the customer explained. So I think my customer was right about what he said.
>>
>> I tried to access the website customer-website.net hosted in the customer VPS server1.customer-server.net (10.5.36.89). Then I logged into testvps.example.com & checked tcpdump. I found that traffic from my office IP 192.168.57.86 to the server1.customer-website.net server is showing in testvps.example.com.
>>
>> =========================
>> 336630167 2230533262>
>> 07:10:38.479684 IP 192.168.57.86.39811 > 10.5.36.89.http: . ack 8368 win 454
>> 07:10:38.482157 IP 192.168.57.86.39811 > 10.5.36.89.http: P 1960:2456(496) ack 8368 win 454
>> 07:10:38.520554 IP 192.168.57.86.54362 > 10.5.36.89.http: . ack 8093 win 408
>> 07:10:38.522452 IP 192.168.57.86.54362 > 10.5.36.89.http: P 1493:1990(497) ack 8169 win 408
>> 07:10:38.637627 IP 192.168.57.86.36133 > 10.5.36.89.http: . ack 9827 win 454
>> 07:10:38.643413 IP 192.168.57.86.36133 > 10.5.36.89.http: . ack 11167 win 499
>> 07:10:38.704186 IP 192.168.57.86.56264 > 10.5.36.89.http: . ack 7627 win 363
>> 07:10:38.744250 IP 192.168.57.86.56264 > 10.5.36.89.http: . ack 7954 win 408
>> =========================
>>
>> I was under the impression that a domU (VPS) will get only broadcast traffic other than packets actually destined to it. A bridge is supposed to send packets to the MAC address rather than broadcasting. So, this behavior is interesting, something that needs to be investigated further and may be fixed if possible.
>>
>> Could anyone please provide any insight into what might be happening?
>>
>> Note: I replaced actual IP addresses for privacy.
>>
>> Thanks in advance.
>> Sherin
>
> Hi Sherin,
> all that is just expected and it just shows that your bridge is working correctly.
>
> If you are interested in reading about Linux bridging, read some of these:
> - http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
> - https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-networkscripts-interfaces_network-bridge.html
> - http://wiki.debian.org/BridgeNetworkConnections
>
> You didn't mention what OS you use for dom0, but I anticipate it is Linux. In that case ebtables should help you to secure your network environment and restrict the packet flow only to the interfaces they are related to.

You could also look into setting up and using Open-vSwitch, instead of the built-in bridge. It should act more like a switch and isolate traffic. In addition, it provides a lot of other features that are useful in virtual environments and is fast becoming the default for many cloud hosting systems (XCP and XenServer, particularly).

-Nick