Jingyun He
2009-Oct-17 20:35 UTC
[Xen-users] ip which is already being used can be taken by windows vps
Hello,

I just noticed that a Windows VPS can take any IP that is already being used in the network. E.g. one other server is using 1.1.1.1, and another VPS in the network just assigns that IP and activates it; then the IP 1.1.1.1 will connect to the VPS, and the server will lose its connection.

Do you have any suggestion to avoid this?

Thanks.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
James Harper
2009-Oct-18 01:33 UTC
RE: [Xen-users] ip which is already being used can be taken by windows vps
> Hello,
> I just noticed that the windows vps can take any IP that is already
> being used in the network,
> e.g. one other server is using 1.1.1.1, and another vps in the network
> just assign that IP, and activate it, then the ip 1.1.1.1 will connect
> to vps, and the server will lose connection.
>
> Do you have any suggestion to avoid this?

Some suggestions:

1. Make sure that anything that ever wants to talk to 1.1.1.1 uses SSL so that it can never be impersonated. Make sure that you pay attention if your ssh client ever complains that the key has changed.
2. Put each VM on a /30 network and route everything to it. It might be a pain to maintain but it greatly reduces the attack surface.
3. Use iptables to filter that port to make sure the source IP address is correct (remember to allow for DHCP queries if you use that - they will appear to come from 0.0.0.0 I think).
4. Install arpwatch (I think that's what it's called) that can notify if the relationship between a mac address and an IP address changes

James
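The per-vif source filtering James describes in suggestion 3, written out as an added example; it is not part of the thread and not Xen's own vif scripts (Xen's vif-common.sh installs an iptables-only filter of this kind when the vif is given an ip= parameter, so check what is already in place before adding rules). The interface name vif1.0, the guest address 10.0.0.5 and the MAC 00:16:3e:00:00:05 are assumed. The point a practitioner should take from it: the takeover in the original post happens at the ARP level, and iptables never sees ARP, so the ebtables rules are what actually stop a guest answering ARP for an address that is not its own. The iptables physdev rules only match bridged frames at all when bridge-nf-call-iptables is enabled in dom0.

```shell
#!/bin/sh
# Added example (not from the thread or from Xen's vif scripts): per-guest
# anti-spoofing on a dom0 Linux bridge. Assumed names: vif1.0 is the guest's
# backend interface in dom0, 10.0.0.5 / 00:16:3e:00:00:05 its assigned IP and MAC.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Layer 2: ebtables sees every frame the guest puts on the bridge, ARP included.
# Only ARP that claims the guest's own IP and MAC may leave its vif, so the
# guest can no longer answer ARP for (or send gratuitous ARP as) 1.1.1.1.
ebtables_rules() {
    vif=$1
    ip=$2
    mac=$3
    run ebtables -A FORWARD -i "$vif" -s "$mac" -p ARP --arp-ip-src "$ip" --arp-mac-src "$mac" -j ACCEPT
    run ebtables -A FORWARD -i "$vif" -s "$mac" -p IPv4 --ip-src "$ip" -j ACCEPT
    # A guest that has no address yet sends its DHCP requests from 0.0.0.0
    run ebtables -A FORWARD -i "$vif" -s "$mac" -p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-dport 67 -j ACCEPT
    run ebtables -A FORWARD -i "$vif" -j DROP
}

# Layer 3: the iptables equivalent. The physdev match only sees bridged frames
# when bridge-nf-call-iptables is on, and it never sees ARP, so on its own it
# would not have prevented the takeover described in the original post.
iptables_rules() {
    vif=$1
    ip=$2
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -s "$ip" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -p udp --sport 68 --dport 67 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -j DROP
}

# Install both rule sets for one guest; call this from the vif hotplug script
# with the IP and MAC the guest was assigned in its config.
antispoof_guest() {
    ebtables_rules "$1" "$2" "$3"
    iptables_rules "$1" "$2"
}

antispoof_guest vif1.0 10.0.0.5 00:16:3e:00:00:05
```

Run it with DRY_RUN=1 first and read the output; with DRY_RUN=0 the rules are appended, so pair it with matching -D rules (or a per-vif chain that is flushed) when the guest is torn down, otherwise stale rules accumulate across reboots of the guest.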
Nathan Eisenberg
2009-Oct-18 07:42 UTC
RE: [Xen-users] ip which is already being used can be taken by windows vps
> Some suggestions:
>
> 1. Make sure that anything that ever wants to talk to 1.1.1.1 uses SSL
> so that it can never be impersonated. Make sure that you pay attention
> if your ssh client ever complains that the key has changed.
> 2. Put each VM on a /30 network and route everything to it. It might be
> a pain to maintain but it greatly reduces the attack surface.
> 3. Use iptables to filter that port to make sure the source IP address
> is correct (remember to allow for DHCP queries if you use that - they
> will appear to come from 0.0.0.0 I think).
> 4. Install arpwatch (I think that's what it's called) that can notify
> if
> the relationship between a mac address and an IP address changes
>
> James

If you're going to do #2, you may as well use /31s and save 2 IPs per host.

Best Regards,
Nathan Eisenberg
James Harper
2009-Oct-18 07:48 UTC
RE: [Xen-users] ip which is already being used can be taken by windows vps
> > Some suggestions:
> >
> > 1. Make sure that anything that ever wants to talk to 1.1.1.1 uses SSL
> > so that it can never be impersonated. Make sure that you pay attention
> > if your ssh client ever complains that the key has changed.
> > 2. Put each VM on a /30 network and route everything to it. It might be
> > a pain to maintain but it greatly reduces the attack surface.
> > 3. Use iptables to filter that port to make sure the source IP address
> > is correct (remember to allow for DHCP queries if you use that - they
> > will appear to come from 0.0.0.0 I think).
> > 4. Install arpwatch (I think that's what it's called) that can notify
> > if
> > the relationship between a mac address and an IP address changes
> >
> > James
>
> If you're going to do #2, you may as well use /31s and save 2 IPs per host.

I'm sure I read somewhere, once upon a time, that Windows just didn't work with a /31. Could have been on the OpenVPN mailing list or docs that I read it. I could also have imagined it :)

If you are using public IP addresses then by all means, try and use as few as possible. If you are using private addresses though, I don't think it's worth the fuss.

James
Simon Hobson
2009-Oct-18 08:14 UTC
Re: [Xen-users] ip which is already being used can be taken by windows vps
Jingyun He wrote:
> I just noticed that the windows vps can take any IP that is already
> being used in the network,
> e.g. one other server is using 1.1.1.1, and another vps in the network
> just assign that IP, and activate it, then the ip 1.1.1.1 will connect
> to vps, and the server will lose connection.

Just to make the point here that no-one else has mentioned - this is no different under Xen than when running standalone machines. In general, the prevention (management systems) and mitigation techniques (eg ARP monitoring) are the same - but as others have pointed out, you have a couple more options (eg source IP filtering) with Xen guests which aren't available on most 'real' network switches.

We had our office network go down on us a few weeks back when someone was playing with his new Windoze mobile phone - in particular the bit that turns it into an access point (connects to internet over GPRS, shares it via wireless). Trouble is that he was connected to the office wireless and it came up with the same IP address as our router.

We've also had customers taken out when someone (without thinking or asking) set up a device on our public net on an address assigned to a customer - he hasn't been allowed to forget it, and we now have ARP monitoring in place.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
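The ARP monitoring that James recommends in suggestion 4 and that Simon says he now runs, reduced to its core as an added example; it is not arpwatch and not part of the thread. It compares two snapshots of dom0's neighbour table in `ip -4 neigh show` format and reports every IP whose MAC differs, which is exactly what the hijack in the original post looks like from dom0: 1.1.1.1 suddenly maps to a different MAC. The bridge name br0 and all MAC addresses in the sample data are constructed.

```shell
#!/bin/sh
# Added example (not arpwatch and not from the thread): report IP->MAC changes
# between two snapshots of the neighbour table, in `ip -4 neigh show` format:
#   1.1.1.1 dev br0 lladdr 00:16:3e:11:11:11 REACHABLE
# Take a baseline once, then run the comparison from cron against a fresh snapshot.

# arp_changes BASELINE_FILE CURRENT_FILE
# Prints "CHANGED ip old_mac new_mac" for an IP whose MAC differs from the
# baseline and "NEW ip mac" for an IP the baseline did not know.
# Returns 1 if any existing mapping changed (so cron mails on failure), else 0.
arp_changes() {
    awk -v base="$1" '
        # entries without lladdr (FAILED / INCOMPLETE) carry no MAC; skip them
        $4 != "lladdr" { next }
        FILENAME == base { mac[$1] = $5; next }
        $1 in mac {
            if (mac[$1] != $5) { print "CHANGED", $1, mac[$1], $5; changed = 1 }
            next
        }
        { print "NEW", $1, $5 }
        END { exit (changed ? 1 : 0) }
    ' "$1" "$2"
}

# Constructed sample snapshots (not a real capture): between the two, 1.1.1.1
# moves from the original server's MAC to another guest's MAC, as in the post,
# while 1.1.1.3 merely appears for the first time.
demo() {
    base=$(mktemp)
    cur=$(mktemp)
    cat >"$base" <<'EOF'
1.1.1.1 dev br0 lladdr 00:16:3e:11:11:11 REACHABLE
1.1.1.2 dev br0 lladdr 00:16:3e:22:22:22 STALE
1.1.1.9 dev br0  FAILED
EOF
    cat >"$cur" <<'EOF'
1.1.1.1 dev br0 lladdr 00:16:3e:99:99:99 REACHABLE
1.1.1.2 dev br0 lladdr 00:16:3e:22:22:22 STALE
1.1.1.3 dev br0 lladdr 00:16:3e:33:33:33 REACHABLE
EOF
    if arp_changes "$base" "$cur"; then rc=0; else rc=1; fi
    rm -f "$base" "$cur"
    return $rc
}

if demo; then
    echo "no ARP changes"
else
    echo "ARP changes detected"
fi
```

Polling the cache this way only notices the change once dom0 has itself re-learned the mapping; arpwatch listens to ARP on the wire, so it also catches the rogue reply or gratuitous ARP as it happens. When a CHANGED line fires on a Xen host, `brctl showmacs br0` tells you which vif the new MAC sits behind, and therefore which guest to pull.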