This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] traffic sniff problem

To: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Subject: Re: [Xen-users] traffic sniff problem
From: Felix Kuperjans <felix@xxxxxxxxxxxxxxxxxx>
Date: Fri, 18 Jun 2010 15:21:47 +0200
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 18 Jun 2010 06:31:24 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <46C13AA90DB8844DAB79680243857F0F0AFD34@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <AANLkTil4-Xjs42mUa3wuYC35TF5ZlTygORHobe7EcaAn@xxxxxxxxxxxxxx> <4C1B6F26.60504@xxxxxxxxxxxxxxxxxx> <46C13AA90DB8844DAB79680243857F0F0AFD34@xxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100613 Shredder/3.0.4
Don't forget incoming ones. Of course this basically works, but I think the method is not as good:

Filtering a bridge is:
Send the traffic everywhere, but drop it with iptables/ebtables anywhere it should not go. This leaves you with a 90% or more drop rate (performance issue).

Routing is:
Send the traffic where it should go, and control with iptables that it really only goes there and no IP spoofing is happening. As long as no one is doing something evil, you won't have any dropped packets (and far fewer invocations of your iptables chains).

Both are possible, and neither is secure by default, but I personally think that routing is better for servers, bridging better for LANs (because of broadcasts / DHCP).

Am 18.06.2010 15:14, schrieb Jonathan Tripathy:
Is securing a bridge not just a matter of using ebtables to say that all traffic going out via an interface must be destined for a particular MAC address?


From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Felix Kuperjans
Sent: Fri 18/06/2010 14:05
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] traffic sniff problem


I suggest you *always* use routing with VPS hosting.

First reason:
Routing only sends packets to the destination host, not to all hosts.

Routing is faster and easier to filter with iptables.

Only disadvantage:
You can't route broadcasts across multiple VMs, but you won't want that
anyway, because this is only for LAN situations and your VPSes may rather
consider themselves as part of the internet, not part of a LAN.

But this does mean that you need to change your whole network setup:
- Switch the vif-script to a routing one, especially with firewalling
and static MAC addresses (to prevent ARP-based attacks)
- Set up iptables in the Dom0 to disallow ARP-, MAC- or IP-spoofing and
to deny ICMP redirect packets (and probably some other ICMPs, too).

You can secure a bridge, too, but this is harder and not as efficient as

Felix Kuperjans

Am 18.06.2010 14:51, schrieb Jingyun He:
> Hello,
> I have a Xen node, it has a few VPSes, it uses bridge network mode, and
> we noticed that if one VPS is restarted or a new VPS is started, the
> bridge will send all traffic to all interfaces for a few seconds,
> and I ran a sniffing program in one VPS; it successfully retrieved some
> passwords from this traffic.
> Any solution?
> Thanks.
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
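As an added example that is not part of this thread, here is a small POSIX shell script that emits the Dom0 rules Felix describes for one vif, in either bridged mode (ebtables plus iptables physdev matches, which is what Jonathan's "only frames for this MAC may leave via this interface" idea becomes in practice) or routed mode (iptables plus a permanent neighbour entry, so ARP is no longer in the trust path). The vif name, MAC address and IP are placeholders supplied by the caller; the script only prints the commands unless "apply" is given as a fifth argument. It assumes ebtables, iptables with the physdev match (br_netfilter loaded so bridged frames traverse the iptables FORWARD chain) and iproute2 on the Dom0.

```shell
#!/bin/sh
# Added example (not from the thread): anti-spoofing rules for one Xen vif
# on the Dom0. Prints the commands; runs them only when "apply" is passed.
# Assumes ebtables, iptables with the physdev match (br_netfilter loaded
# so bridged frames traverse the iptables FORWARD chain), and iproute2.
# VIF, MAC and IP are placeholders supplied by the caller.

vif_rules() {
    mode="$1"; vif="$2"; mac="$3"; ip="$4"
    case "$mode" in
    bridge)
        # Ingress from the guest: frame source MAC, ARP sender MAC and ARP
        # sender IP must all match what the guest was assigned.
        # Egress to the guest: only its own MAC or multicast/broadcast;
        # this is the per-port filter that stops sniffing of flooded frames.
        # IP layer: pin the source IP and keep ICMP redirects away from it.
        cat <<EOF
ebtables -A FORWARD -i $vif -s ! $mac -j DROP
ebtables -A FORWARD -i $vif -p ARP --arp-mac-src ! $mac -j DROP
ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP
ebtables -A FORWARD -o $vif -d Multicast -j ACCEPT
ebtables -A FORWARD -o $vif -d ! $mac -j DROP
iptables -A FORWARD -m physdev --physdev-in $vif ! -s $ip -j DROP
iptables -A FORWARD -m physdev --physdev-out $vif -p icmp --icmp-type redirect -j DROP
EOF
        ;;
    route)
        # No bridge, so no ebtables: the vif is a point-to-point link in Dom0.
        # A permanent neighbour entry removes ARP from the trust path, the
        # FORWARD rules pin the guest to its IP in both directions, and Dom0
        # is told not to emit redirects on that link.
        cat <<EOF
ip neigh replace $ip lladdr $mac dev $vif nud permanent
echo 0 > /proc/sys/net/ipv4/conf/$vif/send_redirects
iptables -A FORWARD -i $vif ! -s $ip -j DROP
iptables -A FORWARD -o $vif ! -d $ip -j DROP
iptables -A FORWARD -o $vif -p icmp --icmp-type redirect -j DROP
EOF
        ;;
    *)
        echo "usage: vif_rules bridge|route VIF MAC IP" >&2
        return 1
        ;;
    esac
}

# Execute the generated commands one by one (needs root); stop at the first failure.
apply_vif_rules() {
    vif_rules "$@" | while read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

if [ "$#" -ge 4 ]; then
    case "$5" in
    apply) apply_vif_rules "$1" "$2" "$3" "$4" ;;
    *)     vif_rules "$1" "$2" "$3" "$4" ;;
    esac
fi
```

Run it as `sh vif-rules.sh bridge vif1.0 00:16:3e:00:00:01 10.0.0.2` to review the rules, then append `apply` to install them; the rules are per vif, so a vif-script would call it once per guest. The drop-rate point made above applies to the bridged set: every frame the bridge floods hits the `-o $vif -d ! $mac` rule on every port it was not meant for, whereas in routed mode the same guest traffic never leaves its own link in the first place.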
