
Re: [Xen-users] Xen bridge allows to sniff traffic destined to other domUs in same dom0



Hi Peter,

Thank you so much :)

--
Regards,
Sherin

On Tue, Jan 15, 2013 at 1:51 AM, Peter Viskup <skupko.sk@xxxxxxxxx> wrote:
> On 01/14/2013 12:21 PM, Sherin George wrote:
>>
>> Hi Guys,
>>
>> I am working as sysadmin for a hosting company.
>>
>> Recently one of our customers came to me saying that he can view
>> traffic not destined to his VPS(domU) which are not broadcast.
>>
>> I created a test VPS(domU) in the hardware node(dom0) and found that
>> what customer claimed may be correct.
>>
>> I did tcpdump in my test VPS testvps.example.com and I could see
>> traffic as customer explained. So I think my customer was right about
>> what he said.
>>
>> I tried to access the website customer-website.net hosted in the
>> customer VPS server1.customer-server.net(10.5.36.89). Then I logged
>> into testvps.example.com & checked tcpdump. I found that traffic from
>> my office IP 192.168.57.86 to server1.customer-website.net server is
>> showing in testvps.example.com.
>>
>> ==========================
>> 336630167 2230533262>
>> 07:10:38.479684 IP 192.168.57.86.39811>  10.5.36.89.http: . ack 8368 win
>> 454
>> 07:10:38.482157 IP 192.168.57.86.39811>  10.5.36.89.http: P
>> 1960:2456(496) ack 8368 win 454
>> 07:10:38.520554 IP 192.168.57.86.54362>  10.5.36.89.http: . ack 8093 win
>> 408
>> 07:10:38.522452 IP 192.168.57.86.54362>  10.5.36.89.http: P
>> 1493:1990(497) ack 8169 win 408
>> 07:10:38.637627 IP 192.168.57.86.36133>  10.5.36.89.http: . ack 9827 win
>> 454
>> 07:10:38.643413 IP 192.168.57.86.36133>  10.5.36.89.http: . ack 11167 win
>> 499
>> 07:10:38.704186 IP 192.168.57.86.56264>  10.5.36.89.http: . ack 7627 win
>> 363
>> 07:10:38.744250 IP 192.168.57.86.56264>  10.5.36.89.http: . ack 7954 win
>> 408
>> ==========================
>>
>> I was under the impression that domU(VPS) will get only broadcast
>> traffic other than packets actually destined to them. Bridge is
>> supposed to send packets to MAC address rather than broadcasting. So, this
>> behavior is interesting, something that needs to be investigated
>> further and maybe fixed if possible.
>>
>> Could anyone please provide any insight into what might be happening?
>>
>> Note: I replaced actual IP addresses for privacy
>>
>>
>> Thanks in advance.
>> Sherin
>
>
> Hi Sherin,
> all that is just expected and it just shows that your bridge is working
> correctly.
> If you are interested in reading about Linux bridging, read some of these:
>  - http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
>  - https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-networkscripts-interfaces_network-bridge.html
>  - http://wiki.debian.org/BridgeNetworkConnections
> You didn't mention what OS you use for dom0, but I anticipate it is
> Linux.
> In that case ebtables should help you to secure your network environment
> and restrict the packet flow only to the interfaces they are related to.
>
> Best regards,
> --
> Peter Viskup
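As an added illustration of the ebtables approach Peter suggests (this is example code written for this page, not anything posted in the thread or shipped by Xen), the script below generates FORWARD-chain rules that let the dom0 bridge deliver to each guest's vif only broadcast/multicast frames and unicast frames addressed to that guest's own MAC, and drop frames the guest sends with a foreign source MAC. The bridge name, vif names and MAC addresses are constructed placeholders; the real ones come from each guest's vif= line and from `brctl show` on dom0.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates ebtables rules that stop
# a Xen bridge from handing flooded unicast frames to domUs they are not
# addressed to. All vif names and MACs below are constructed placeholders.

# Constructed inventory: "vifname mac" pairs, one per line. On a real dom0
# take the vif name from `brctl show` and the MAC from the guest config.
GUESTS="vif1.0 00:16:3e:00:00:01
vif2.0 00:16:3e:00:00:02"

BRIDGE="${BRIDGE:-xenbr0}"   # assumed bridge name

# Print the ebtables commands for one vif instead of executing them, so the
# rule set can be reviewed first (pipe the output into sh as root to apply).
rules_for_vif() {
    vif="$1"
    mac="$2"
    # -o: frames the bridge is about to forward out towards this guest.
    # Broadcast and multicast must pass: ARP, DHCP and IPv6 ND depend on them.
    echo "ebtables -A FORWARD -o $vif -d Broadcast -j ACCEPT"
    echo "ebtables -A FORWARD -o $vif -d Multicast -j ACCEPT"
    # Unicast frames for the guest's own MAC are legitimate.
    echo "ebtables -A FORWARD -o $vif -d $mac -j ACCEPT"
    # Everything else reaching this vif is a flooded unicast meant for some
    # other port; dropping it here is what keeps it out of the guest's tcpdump.
    echo "ebtables -A FORWARD -o $vif -j DROP"
    # Mirror image on ingress: the guest may not spoof another source MAC,
    # which would otherwise let it poison the bridge's learned MAC table.
    echo "ebtables -A FORWARD -i $vif ! -s $mac -j DROP"
}

# Rules for every guest in the inventory.
gen_all() {
    echo "$GUESTS" | while read -r vif mac; do
        if [ -n "$vif" ]; then
            rules_for_vif "$vif" "$mac"
        fi
    done
}

# Host-side checks (run as root) to confirm the rules are hit and to see
# which MACs the bridge has actually learned on which port.
show_checks() {
    echo "ebtables -L FORWARD --Lc     # per-rule packet counters"
    echo "brctl showmacs $BRIDGE       # learned MAC -> port table"
}

# usage: sh vif-ebtables.sh | sh      (as root on dom0)
gen_all
```

The rules are keyed on vif names, which Xen assigns per guest start, so on a real host they belong in a vif hotplug hook (or an equivalent per-guest script) rather than a static file. The `--Lc` counters on the final DROP rule are the quickest way to confirm that unicast flooding was really what the test VPS was observing.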

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
