Re: [Xen-users] Xen bridge allows to sniff traffic destined to other domUs in same dom0
On 01/14/2013 12:21 PM, Sherin George wrote:

Hi Guys,

I am working as sysadmin for a hosting company. Recently one of our customers came to me saying that he can view traffic not destined to his VPS (domU) which is not broadcast.

I created a test VPS (domU) in the hardware node (dom0) and found that what customer claimed may be correct. I did tcpdump in my test VPS testvps.example.com and I could see traffic as customer explained. So I think my customer was true about what he said.

I tried to access the website customer-website.net hosted in the customer VPS server1.customer-server.net (10.5.36.89). Then I logged into testvps.example.com & checked tcpdump. I found that traffic from my office IP 192.168.57.86 to server1.customer-website.net server is showing in testvps.example.com.

==========================
336630167 2230533262>
07:10:38.479684 IP 192.168.57.86.39811> 10.5.36.89.http: . ack 8368 win 454
07:10:38.482157 IP 192.168.57.86.39811> 10.5.36.89.http: P 1960:2456(496) ack 8368 win 454
07:10:38.520554 IP 192.168.57.86.54362> 10.5.36.89.http: . ack 8093 win 408
07:10:38.522452 IP 192.168.57.86.54362> 10.5.36.89.http: P 1493:1990(497) ack 8169 win 408
07:10:38.637627 IP 192.168.57.86.36133> 10.5.36.89.http: . ack 9827 win 454
07:10:38.643413 IP 192.168.57.86.36133> 10.5.36.89.http: . ack 11167 win 499
07:10:38.704186 IP 192.168.57.86.56264> 10.5.36.89.http: . ack 7627 win 363
07:10:38.744250 IP 192.168.57.86.56264> 10.5.36.89.http: . ack 7954 win 408
==========================

I was under the impression that domU (VPS) will get only broadcast traffic other than packets actually destined to them. Bridge is supposed to send packets to MAC address rather than broadcasting. So, this behavior is interesting, something that needs to be investigated further and may be fixed if possible.

Could anyone please provide any insight into what might be happening?

Note: I replaced actual IP addresses for privacy

Thanks in advance.
Sherin

Hi Sherin,

all that is just expected and it just shows that your bridge is working correctly. Once you are interested in reading about Linux bridging read some of these:

- http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
- https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-networkscripts-interfaces_network-bridge.html
- http://wiki.debian.org/BridgeNetworkConnections

You didn't mention what OS you use for dom0, but I anticipate it is Linux. In that case the ebtables should help you to secure your network environment and restrict the packet flow only to the interfaces they are related to.

Best regards,
--
Peter Viskup

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
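
One way to express the ebtables restriction suggested in the reply above, as an added example that is not part of the original thread: for each domU vif, bridged frames are let out only if they are broadcast/multicast or addressed to that domU's own MAC. The vif names and MAC addresses are constructed sample values, and the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: per-vif egress filter for a Linux bridge in dom0.
# Each domU interface may receive group (broadcast/multicast) frames and
# unicast frames for its own MAC; any other bridged frame is dropped, so
# flooded unicast for a neighbour never reaches it.
# Only the FORWARD chain is covered (frames bridged between ports); frames
# that dom0 itself originates pass the OUTPUT chain and are not filtered here.

# Constructed sample mapping, one "<vif> <MAC>" pair per line (hypothetical).
VIF_MAP='vif1.0 00:16:3e:00:00:01
vif2.0 00:16:3e:00:00:02'

# Xen names backend interfaces vif<domid>.<devid>.
valid_vif() {
    printf '%s\n' "$1" | grep -Eq '^vif[0-9]+\.[0-9]+$'
}

# Accept only unicast MACs: the low bit of the first octet must be 0,
# so the second hex digit has to be even.
valid_unicast_mac() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f][02468aAcCeE](:[0-9A-Fa-f]{2}){5}$'
}

# Print the three rules for one vif; refuse malformed input so that a typo
# never turns into a rule matching something unintended.
emit_vif_rules() {
    vif=$1 mac=$2
    valid_vif "$vif" || { echo "bad vif name: $vif" >&2; return 1; }
    valid_unicast_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    echo "ebtables -A FORWARD -o $vif -d Multicast -j ACCEPT"
    echo "ebtables -A FORWARD -o $vif -d $mac -j ACCEPT"
    echo "ebtables -A FORWARD -o $vif -j DROP"
}

# Print rules for every pair in the mapping; stop at the first bad entry.
emit_all() {
    printf '%s\n' "$1" | while read -r vif mac; do
        [ -n "$vif" ] || continue
        emit_vif_rules "$vif" "$mac" || exit 1
    done
}

emit_all "$VIF_MAP"
```

Because the domain ID in a vif name changes when a guest is restarted, rules like these have to be regenerated whenever a vif is created, and the printed commands should be reviewed before being run as root in dom0.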