
Re: [Xen-users] Xen bridge allows to sniff traffic destined to other domUs in same dom0



>>> On 2013/01/14 at 13:21, Peter Viskup <skupko.sk@xxxxxxxxx> wrote: 
> On 01/14/2013 12:21 PM, Sherin George wrote:
>> Hi Guys,
>>
>> I am working as sysadmin for a hosting company.
>>
>> Recently one of our customers came to me saying that he can view
>> traffic not destined to his VPS(domU) which are not broadcast.
>>
>> I created a test VPS(domU) in the hardware node(dom0) and found that
>> what customer claimed may be correct.
>>
>> I did tcpdump in my test VPS testvps.example.com and I could see
>> traffic as customer explained. So I think my customer was true about
>> what he said.
>>
>> I tried to access the website customer-website.net hosted in the
>> customer VPS server1.customer-server.net(10.5.36.89). Then I logged
>> into testvps.example.com & checked tcpdump. I found that traffic from
>> my office IP 192.168.57.86 to server1.customer-website.net server is
>> showing in testvps.example.com.
>>
>> ==========================
>> 336630167 2230533262>
>> 07:10:38.479684 IP 192.168.57.86.39811>  10.5.36.89.http: . ack 8368 win 454
>> 07:10:38.482157 IP 192.168.57.86.39811>  10.5.36.89.http: P
>> 1960:2456(496) ack 8368 win 454
>> 07:10:38.520554 IP 192.168.57.86.54362>  10.5.36.89.http: . ack 8093 win 408
>> 07:10:38.522452 IP 192.168.57.86.54362>  10.5.36.89.http: P
>> 1493:1990(497) ack 8169 win 408
>> 07:10:38.637627 IP 192.168.57.86.36133>  10.5.36.89.http: . ack 9827 win 454
>> 07:10:38.643413 IP 192.168.57.86.36133>  10.5.36.89.http: . ack 11167 win 499
>> 07:10:38.704186 IP 192.168.57.86.56264>  10.5.36.89.http: . ack 7627 win 363
>> 07:10:38.744250 IP 192.168.57.86.56264>  10.5.36.89.http: . ack 7954 win 408
>> ==========================
>>
>> I was under the impression that domU(VPS) will get only broadcast
>> traffic other than packets actually destined to them. Bridge is
>> supposed to send packets to MAC address than broadcasting. So, this
>> behavior is interesting, something that needs to be investigated
>> further and may be fixed if possible.
>>
>> Could anyone please provide any insight into what might be happening?
>>
>> Note: I replaced actual IP addresses for privacy
>>
>>
>> Thanks in advance.
>> Sherin
> 
> Hi Sherin,
> all that is just expected and it just shows that your bridge is working 
> correctly.
> Once you are interested in reading about Linux bridging read some of these:
>   - http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
>   - 
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/htm
> l/Deployment_Guide/s2-networkscripts-interfaces_network-bridge.html
>   - http://wiki.debian.org/BridgeNetworkConnections
> You didn't mention what OS you use for dom0, but I anticipate it is 
> Linux.
> In that case the ebtables should help you to secure your network 
> environment and restrict the packet flow only to the interfaces they are 
> related to.
> 

You could also look into setting up and using Open-vSwitch, instead of the 
built-in bridge.  It should act more like a switch and isolate traffic.  In 
addition, it provides a lot of other features that are useful in virtual 
environments and is fast becoming the default for many cloud hosting systems (XCP 
and XenServer, particularly).

-Nick
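As an added example that is not part of this thread, the script below generates the per-vif ebtables rules Peter's reply alludes to: frames delivered to a guest's vif must be addressed to that guest's MAC (or be multicast/broadcast), and frames coming from the vif must carry the guest's MAC. It assumes a Linux dom0 with ebtables; the vif names and MACs are constructed and would normally come from `xl network-list`.

```shell
#!/bin/sh
# Added example (not from the thread): emit ebtables rules that confine each
# Xen vif to its own guest, so unicast frames flooded by the bridge for other
# guests never reach a domU's tcpdump. Assumes Linux dom0 with ebtables.
# Prints the commands by default; set APPLY=1 to execute them.

# Emit the rules for one vif: $1 = vif name (e.g. vif1.0), $2 = guest MAC.
gen_vif_rules() {
    vif=$1
    mac=$2
    chain=$(printf 'out_%s' "$vif" | tr . _)   # per-vif egress chain, e.g. out_vif1_0
    # Egress towards the guest: deliver only frames addressed to its MAC, plus
    # multicast/broadcast (group bit set; covers ARP, IPv6 ND, DHCP).
    echo "ebtables -N $chain"
    echo "ebtables -P $chain DROP"
    echo "ebtables -A $chain -d $mac -j ACCEPT"
    echo "ebtables -A $chain -d 01:00:00:00:00:00/01:00:00:00:00:00 -j ACCEPT"
    echo "ebtables -A FORWARD -o $vif -j $chain"
    # Ingress from the guest: drop frames not carrying its assigned MAC (anti-spoofing).
    echo "ebtables -A FORWARD -i $vif ! -s $mac -j DROP"
}

# Read "vif mac" pairs on stdin (blank lines and # comments ignored), emit rules.
gen_ruleset() {
    while read -r vif mac _; do
        case $vif in ''|'#'*) continue ;; esac
        gen_vif_rules "$vif" "$mac"
    done
}

# Constructed inventory for this example; real values come from `xl network-list <dom>`.
VIF_TABLE='
vif1.0 00:16:3e:00:00:01
vif2.0 00:16:3e:00:00:02
'

if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$VIF_TABLE" | gen_ruleset | sh -e
else
    printf '%s\n' "$VIF_TABLE" | gen_ruleset
fi
```

The FORWARD chain keeps its default ACCEPT policy, so traffic to the physical uplink is unaffected; only frames entering or leaving a listed vif are constrained.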



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users