Subject: [Xen-users] traffic sniff problem
From: Jingyun He
Sent: Fri 18/06/2010 13:51

Hello,

I have a Xen node with a few VPSes; it uses bridged network mode. We noticed that if one VPS is restarted or a new VPS is started, the bridge sends all traffic to all interfaces for a few seconds. I ran a sniffer program in one VPS, and it successfully retrieved some passwords from that traffic.

Any solution?

Thanks.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On 18 Jun 2010, at 14:51, Jingyun He wrote:
> [...] Any solution?

The above situation also occurs with physical switches. When the topology changes or someone floods the switch with lots of MAC addresses, it temporarily runs in hub mode, forwarding everything. A switch is a device for enhancing performance, not security.

The only solution is not to send passwords in clear text (which is a good idea in any case).

Thomas.
Hello,

I suggest you *always* use routing with VPS hosting.

First reason:
Routing only sends packets to the destination host, not to all hosts.

Second:
Routing is faster and easier to filter with iptables.

Only disadvantage:
You can't route broadcasts across multiple VMs, but you won't want that anyway, because this is only for a LAN situation, and your VPSes may rather consider themselves part of the internet, not part of a LAN.

But this does mean that you need to change your whole network setup:
- Switch the vif-script to a routing one, especially with firewalling and static MAC addresses (to prevent ARP-based attacks)
- Set up iptables in the Dom0 to disallow ARP-, MAC- or IP-spoofing and to deny ICMP redirect packets (and probably some other ICMPs, too).

You can secure a bridge, too, but this is harder and not as efficient as routing.

Regards,
Felix Kuperjans

On 18.06.2010 14:51, Jingyun He wrote:
> [...] Any solution?
From: xen-users-bounces@lists.xensource.com on behalf of Thomas Ronner
Sent: Fri 18/06/2010 14:02
To: xen-users
Subject: Re: [Xen-users] traffic sniff problem

> The above situation also occurs with physical switches. [...] The only
> solution is not to send passwords in clear text (which is a good idea in
> any case).

Can you not use arptables to prevent the above happening?
Is securing a bridge not just a matter of using ebtables to say that all traffic going out via an interface must be destined for a particular MAC address?

From: xen-users-bounces@lists.xensource.com on behalf of Felix Kuperjans
Sent: Fri 18/06/2010 14:05
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] traffic sniff problem

> I suggest you to use *always* routing with VPS hosting. [...]
> You can secure a bridge, too, but this is harder and not as efficient as
> routing.
Don't forget incoming ones.

Of course this basically works, but I think the method is not as good:

Filtering a bridge is: send the traffic everywhere, but drop it with iptables/ebtables anywhere it should not go. This leaves you with a 90% or more drop rate (performance issue).

Routing is: send the traffic where it should go, and control with iptables that it really only goes there and no IP spoofing is happening. As long as no one is doing something evil, you won't have any dropped packets (and many fewer invocations of your iptables chains).

Both are possible, and neither is secure by default, but I personally think that routing is better for servers, bridging better for LANs (because of broadcasts / DHCP).

On 18.06.2010 15:14, Jonathan Tripathy wrote:
> Is securing a bridge not just a matter of using ebtables to say that
> all traffic going out via an interface must be destined for a
> particular MAC address?
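The routed setup Felix describes in his two messages above (a routing vif-script with static MAC addresses, iptables in Dom0 against ARP-, MAC- and IP-spoofing, ICMP redirects denied), written out as an added example. This is not code from the thread and not Xen's own vif-route script, though it does the same address/route plumbing that script does. The interface name vif1.0, the guest address 192.0.2.10, its MAC 00:16:3e:12:34:56 and the Dom0 address 192.0.2.1 are made-up values, and DRY_RUN=1 prints the commands instead of running them (the real thing needs root):

```shell
#!/bin/sh
# Added example, not from the thread or from Xen's vif-route script: a routed
# mode vif hook for Dom0 covering the points in Felix's messages. All interface
# names and addresses used below are assumptions. With DRY_RUN=1 the commands
# are printed instead of executed.

DRY_RUN=${DRY_RUN-}

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Syntactic checks only: a value that is not a MAC/IPv4 literal must never end
# up inside a rule (it would silently become a hostname lookup or an error).
valid_mac()  { printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
valid_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Run once at Dom0 boot: forward only what a per-vif rule accepts, and never
# forward ICMP redirects between guests.
vif_route_init() {
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -p icmp --icmp-type redirect -j DROP
}

# vif_route_up VIF GUEST_IP GUEST_MAC DOM0_IP   (called when the vif appears)
vif_route_up() {
    vif=$1 ip=$2 dom0_ip=$4
    mac=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if ! valid_ipv4 "$ip" || ! valid_mac "$mac" || ! valid_ipv4 "$dom0_ip"; then
        echo "vif_route_up: bad address for $vif" >&2
        return 1
    fi
    # Plumbing: Dom0's address on the vif (Xen's vif-route does the same) and a
    # /32 route to the guest over its own vif instead of a shared bridge, so a
    # frame is only ever delivered to the vif it belongs to. proxy_arp lets the
    # guest resolve its gateway without a shared broadcast domain.
    run ip link set dev "$vif" up
    run ip addr add "$dom0_ip" dev "$vif"
    run ip route add "$ip/32" dev "$vif" src "$dom0_ip"
    run sysctl -q -w "net.ipv4.conf.$vif.proxy_arp=1"
    run sysctl -q -w "net.ipv4.conf.$vif.accept_redirects=0"
    run sysctl -q -w "net.ipv4.conf.$vif.send_redirects=0"
    # Static neighbour entry: Dom0 never learns this guest's MAC from ARP, so
    # ARP replies from the guest cannot move its IP to another MAC.
    run ip neigh replace "$ip" lladdr "$mac" dev "$vif" nud permanent
    # Anti-spoofing: the guest's packets are forwarded only if both source IP
    # and source MAC are the assigned ones; everything else hits policy DROP.
    run iptables -A FORWARD -i "$vif" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    # Towards the guest, only traffic for its own IP is forwarded.
    run iptables -A FORWARD -o "$vif" -d "$ip" -j ACCEPT
}

# vif_route_down VIF GUEST_IP GUEST_MAC: undo vif_route_up at guest shutdown
vif_route_down() {
    vif=$1 ip=$2
    mac=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    run iptables -D FORWARD -i "$vif" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    run iptables -D FORWARD -o "$vif" -d "$ip" -j ACCEPT
    run ip neigh del "$ip" dev "$vif"
    run ip route del "$ip/32" dev "$vif"
}

# Stand-alone demo with constructed values (prints the rules, applies nothing).
( DRY_RUN=1; vif_route_init; vif_route_up vif1.0 192.0.2.10 00:16:3e:12:34:56 192.0.2.1 )
```

The two ACCEPT rules are deliberately the only way through a FORWARD chain whose policy is DROP, so a guest that changes its IP or MAC simply stops being forwarded rather than reaching a neighbour. Note that traffic between a guest and Dom0 itself goes through INPUT/OUTPUT, which these rules do not touch.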
On 18 Jun 2010, at 15:07, Jonathan Tripathy wrote:
> Can you not use arptables to prevent the above happening?

Not really. ARP happens in layer 3, while the flooding of the switch or bridge happens on layer 2. I think you could filter with ebtables though. Someone please correct me if I'm wrong (I'm not familiar with arptables and ebtables).

Thomas.
From: xen-users-bounces@lists.xensource.com on behalf of Thomas Ronner
Sent: Fri 18/06/2010 14:22
To: xen-users
Subject: Re: [Xen-users] traffic sniff problem

> Not really. ARP happens in layer 3, while the flooding of the switch or
> bridge happens on layer 2. I think you could filter with ebtables though.
> [...]

Hi Thomas,

You are correct. I meant to say ebtables, not arptables :)

Thanks
Jonathan
Hi

I'm not sure if I've got the syntax correct, however I think you would add something like this to your vif script:

    ebtables -I FORWARD -o ${vif} -d ${mac} -j ACCEPT

Of course you would have to have a default policy of DROP first:

    ebtables -P FORWARD DROP

Please someone correct me if I'm wrong

Thanks

From: xen-users-bounces@lists.xensource.com on behalf of Jingyun He
Sent: Fri 18/06/2010 13:51
To: xen-users@lists.xensource.com
Subject: [Xen-users] traffic sniff problem

> [...] Any solution?
Oh and of course the other way round as well:

    ebtables -I FORWARD -i ${vif} -d ${mac} -j ACCEPT

From: xen-users-bounces@lists.xensource.com on behalf of Jonathan Tripathy
Sent: Fri 18/06/2010 14:39
To: Jingyun He; xen-users@lists.xensource.com
Subject: RE: [Xen-users] traffic sniff problem

> I'm not sure if I've got the syntax correct, however I think you would add
> something like this to your vif script: [...]
Oops.. I meant this for the rule directly below:

    ebtables -I FORWARD -i ${vif} -s ${mac} -j ACCEPT

From: Jonathan Tripathy
Sent: Fri 18/06/2010 14:45
To: Jonathan Tripathy; xen-users@lists.xensource.com
Subject: RE: [Xen-users] traffic sniff problem

> Oh and of course the other way round as well:
>
>     ebtables -I FORWARD -i ${vif} -d ${mac} -j ACCEPT
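The ebtables rules Jonathan sketches in the last three messages (frames leaving the bridge towards a vif pinned to the guest's MAC, frames arriving from the vif pinned to its source MAC, FORWARD policy DROP), as an added example that is not code from the thread: a hook a Xen vif script could call. It goes a little beyond the sketch: it also checks the sender MAC inside ARP, optionally pins the guest's IP (Felix's "incoming ones"), and lets multicast/broadcast through to the guest, because a rule that only accepts the guest's unicast MAC on the way out would also stop ARP requests from ever reaching it. vif1.0, 00:16:3e:12:34:56 and 192.0.2.10 are made-up values; DRY_RUN=1 prints the commands instead of running them (ebtables needs root):

```shell
#!/bin/sh
# Added example, not from the thread: per-vif ebtables chains for a bridged
# Xen host, callable from a vif script. Interface, MAC and IP values are
# assumptions. With DRY_RUN=1 the ebtables commands are printed, not executed.

DRY_RUN=${DRY_RUN-}

run() {
    if [ -n "$DRY_RUN" ]; then echo "ebtables $*"; else ebtables "$@"; fi
}

valid_mac() { printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# Run once at boot: nothing crosses the bridge unless a per-vif chain accepts it.
vif_ebtables_init() {
    run -P FORWARD DROP
}

# vif_ebtables_add VIF MAC [IPv4]   (called when the guest's vif appears)
vif_ebtables_add() {
    vif=$1 ip=${3:-}
    mac=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    valid_mac "$mac" || { echo "vif_ebtables_add: bad MAC '$2' for $vif" >&2; return 1; }
    cin="in_$vif" cout="out_$vif"        # ebtables chain names: at most 31 chars
    run -N "$cin"
    run -N "$cout"
    # Frames the guest sends (entering the bridge on its vif): the source MAC
    # must be its own, and so must the sender MAC inside ARP. With an IP given,
    # the guest also cannot claim a neighbour's address in ARP or IPv4.
    run -A "$cin" -p ARP --arp-mac-src '!' "$mac" -j DROP
    if [ -n "$ip" ]; then
        run -A "$cin" -p ARP --arp-ip-src '!' "$ip" -j DROP
        run -A "$cin" -p IPv4 --ip-src '!' "$ip" -j DROP
    fi
    run -A "$cin" -s "$mac" -j ACCEPT
    run -A "$cin" -j DROP
    # Frames delivered to the guest (leaving the bridge on its vif): only its
    # own unicast MAC, plus multicast (which includes broadcast) so ARP requests
    # and IPv6 neighbour discovery still arrive. A frame flooded for another
    # guest's MAC matches neither rule and is dropped here.
    run -A "$cout" -d "$mac" -j ACCEPT
    run -A "$cout" -d Multicast -j ACCEPT
    run -A "$cout" -j DROP
    run -A FORWARD -i "$vif" -j "$cin"
    run -A FORWARD -o "$vif" -j "$cout"
}

# vif_ebtables_del VIF: undo vif_ebtables_add when the guest is torn down
vif_ebtables_del() {
    vif=$1 cin="in_$1" cout="out_$1"
    run -D FORWARD -i "$vif" -j "$cin"
    run -D FORWARD -o "$vif" -j "$cout"
    run -F "$cin"
    run -X "$cin"
    run -F "$cout"
    run -X "$cout"
}

# Stand-alone demo with constructed values (prints the rules, applies nothing).
( DRY_RUN=1; vif_ebtables_init; vif_ebtables_add vif1.0 00:16:3e:12:34:56 192.0.2.10 )
```

To check that the flood described in the first message is actually gone, run on the host, while another guest is restarted, `tcpdump -eni vif1.0 'not ether dst 00:16:3e:12:34:56 and not ether multicast'`: before the rules you see the other guests' unicast frames on vif1.0 for a few seconds, afterwards nothing. These chains only cover frames bridged between vifs; traffic between a guest and Dom0 itself goes through the ebtables INPUT/OUTPUT chains.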