
Re: [Xen-users] A security Question

I can know the MAC from Xenstore for each domain ID, though I did not find anything for fetching the actual IP so far.

I read the solution to a similar question on the xen mailing list:

> I am wondering how to get current VM IP address in XenStore, does it 
> contains such information?? 

No, it does not. xenstore keeps layer 2 (e.g. MAC address) information, 
but has no visibility into layer 3 (IP) and above. 

What you need to do is: 
1. get the mac address from xenstore 
2. watch IP traffic on your network with that src or dst mac address 
3. extract the IP address from that packet 
4. repeat 2-3 if you suspect that there is more than one IP address attached to that mac address. 

Since a packet can be IP spoofed, I would not like to rely on the IP value of the packet header for knowing the VM IP address.

So the question remains open:
How do I detect IP spoofing?

I want to know

1. From which VM is a packet coming? 
2. What is the actual IP of the VM?
3. What would be the syntax for this, and in which script would it be added?

Please help in this regard. 

On Sat, Jul 23, 2016 at 10:33 PM, Carl Schneider <carl.schneider+mailinglists@xxxxxx> wrote:
> How about setting up filters.
> When starting the VM, set up filters to block packets (other than required broadcast/multicast ones) from the VM (set the filters on the VIF in Dom0) that don't have the right MAC or IP?

I would also recommend that approach. To give you a starting point (How
I'd approach it):

Check out the vif-scripts in /etc/xen/scripts/ - They are typically
executed when a new vif is added to your domU and take care of setting
it up in the dom0.

Then I'd try to get the MAC and IP within that script. For this, it
looks like xenstore can be used (This is just a guess, I sadly do not
use most features of xen and run a very simple setup).
As stated in https://www.webhostingtalk.com/showthread.php?t=1078236
you can read the MAC with `xenstore-read "$XENBUS_PATH/mac"`; the IP
should probably be available in the xenstore, too.

After this, just set up rules for your filter. For iptables, maybe check
http://tecadmin.net/mac-address-filtering-using-iptables/ for filtering
MACs; IP filtering should be pretty clear. Remember to restrict the
iptables rules to the specific vif, elsewise it may be possible that one
domU spoofs packets of another domU.
But I am not entirely sure whether this works for a bridged network (but
it should).

I hope this is a hint into the right direction. If anyone notices
something wrong, I'd be glad to hear about it!
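As an added example (not code from this thread or from Xen's shipped vif scripts), the per-vif MAC and IP filtering described above as a shell fragment a vif hotplug script could call. It assumes a Linux bridge with br_netfilter loaded (sysctl net.bridge.bridge-nf-call-iptables=1; without it iptables never sees bridged frames, which is the bridged-network doubt raised above), `$vif` and `$XENBUS_PATH` set as the vif scripts receive them, and that the guest's allowed address(es) sit in the xenstore `ip` key, which only holds what the guest config's `ip=` setting put there.

```shell
#!/bin/sh
# Per-vif anti-spoofing filter for a Xen dom0 (added example, not Xen's own
# vif script). Assumes: Linux bridge with br_netfilter loaded so iptables sees
# bridged frames, and the xenstore "ip" key holding the guest's allowed
# address(es), space separated, as written there from ip= in the guest config.

# Print the filter rules for one vif, one command per line.
# $1 = vif device (e.g. vif3.0), $2 = guest MAC, $3.. = allowed guest IPs
vif_filter_rules() {
    vif=$1; mac=$2; shift 2
    # Layer 2: frames leaving the vif must carry the guest's own MAC.
    echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
    # ARP: the guest may only announce its own IP(s); all other ARP is dropped.
    for ip in "$@"; do
        echo "ebtables -A FORWARD -i $vif -p ARP --arp-ip-src $ip -j ACCEPT"
    done
    echo "ebtables -A FORWARD -i $vif -p ARP -j DROP"
    # Layer 3: allow DHCP client traffic, then only the configured source IPs.
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -p udp --sport 68 --dport 67 -j ACCEPT"
    for ip in "$@"; do
        echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT"
    done
    # Default: anything else from this vif is dropped, so another domU's
    # address cannot be used from here.
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -j DROP"
}

# Read MAC and IP(s) for the vif the way a vif script would and print the rules.
vif_rules_from_xenstore() {
    mac=$(xenstore-read "$XENBUS_PATH/mac")
    ips=$(xenstore-read "$XENBUS_PATH/ip" 2>/dev/null || true)
    # $ips is intentionally unquoted: the key may hold several addresses.
    vif_filter_rules "$1" "$mac" $ips
}

# When called as "script apply" from a vif hotplug script, install the rules.
if [ "${1:-}" = "apply" ] && [ -n "${vif:-}" ] && [ -n "${XENBUS_PATH:-}" ]; then
    vif_rules_from_xenstore "$vif" | while IFS= read -r rule; do
        $rule || echo "failed: $rule" >&2
    done
fi
```

Xen's own vif-common.sh already installs physdev-based iptables rules when `ip=` is configured, so check what is in the FORWARD chain before adding these; the ebtables rules are what stop MAC and ARP spoofing, which iptables alone does not cover.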


Xen-users mailing list