#1
Too lazy to set a custom title
Join Date: Mar 2002
Location: Australia
Posts: 17,393
I have a new server at a new host and noticed that there's no protocol filtering: my server sees ARP and routing requests.
I tried an experiment where I temporarily added a random IP to my server's config and wasn't surprised when I saw that it had grabbed it. In other words, any customer can grab any unused IPs and possibly even the IPs of other customers' boxes (if they respond to the ARP request first). Responding to OSPF routing requests may also produce some interesting results. In 2008 isn't this kinda risky, and not a common setup these days? Host says it's not cost effective to run VLANs for each dedicated server. Thoughts from hosts?
#2
Confirmed User
Join Date: Oct 2003
Location: Cyberspace
Posts: 2,662
hey, i replied to your other thread but here it is again:
what host is this??? they have a pretty shitty setup if you are seeing routing information. this means that the management VLAN, which should be the only VLAN receiving routing information, is on the same VLAN as all the server boxes. this type of network setup is not standard practice anywhere in corporate America! at the very least management VLANs should be separated from other VLANs that contain boxes, so that no routing protocols or other important broadcast information reach the clients.
#3
Too lazy to set a custom title
Join Date: Mar 2002
Location: Australia
Posts: 17,393
I forgot this is GFY, I should have included the words "drama" and "fuck you <host name>" in the subject.
#4
Confirmed User
Join Date: Oct 2001
Location: scottsdale
Posts: 7,880
rowan, let me know if you're still looking into information for mainstream processing
__________________
If you need a good company for check writing services, then check out checkissuing, and for webhosting, check out Phoenix NAP
#5
Confirmed User
Join Date: Dec 2004
Posts: 363
wow, that's a really bad network configuration.
That host obviously doesn't know what they are doing. It's not cost effective to run VLANs... that most likely means they are running an all-layer-2 switched network without any layer 3 distribution. It costs almost nothing to deploy proper infrastructure. The only other cost would be the burn of IP space for your network/gateway/broadcast loss, but even still that is an absolutely MINIMAL cost to ensure the security of your network and isolation of potential problem customers.
#6
Too lazy to set a custom title
Join Date: Mar 2002
Location: Australia
Posts: 17,393
I discovered later that the random IP I chose to momentarily configure on my server DOES appear to have been allocated to a customer. I was receiving DNS requests that should have been going to their server.
So unfortunately it's also proven that I can grab "used" IPs as well. I'm not interested in exploiting this, but as a customer I'm concerned about someone who may. Imagine if you were able to fool their router into sending you 50% of a host's customer traffic? Or even 10%?
#7
Too lazy to set a custom title
Join Date: Mar 2002
Location: Australia
Posts: 17,393
bump
I suck at writing subject lines with good CTR |
#8
Confirmed User
Join Date: Feb 2005
Location: the 805
Posts: 4,290
what's the point here if you don't out the host? some will do VLANs, some will segment, some will not. i am willing to bet you could do this on any host if you guess right. you could get away with it for a day or two at least. depending on the host, if you are a dedicated customer you might be on a VLAN with other dedicated customers, and you could grab an IP from those guys. it's easy to catch guys doing that also.
__________________
Caz Thrush Head Honcho [email protected] http://thrushtech.com ICQ: 304883574 do people still icq?
#9
Mostly retired
Join Date: Apr 2006
Location: UK
Posts: 3,231
Just here to further my networking knowledge.
#10
Confirmed User
Join Date: May 2001
Location: ICQ: 25285313
Posts: 993
One huge broadcast domain is starting to (thankfully) become more and more rare in hosting setups. It's insecure (as you see), and also you're billed for layer 2 broadcast traffic that is not yours (all those ARPs and other traffic you see are being billed). I've seen setups where the broadcast domain is so large that this adds 2-3 Mbit/sec. Usually it's in the few kilobits/sec range though.

Definitely strange to see in this day and age. Most setups are either VLAN per customer or per server, or layer 3 to the customer edge.

The large layer 2 broadcast domains are also habitually looked for, and exploited by, spammers. They will buy a cheap dedicated server (or exploit a virtual account...), and run scripts which will bind IPs, send spam, then unbind them after a few minutes. It can be maddening to track these down (we have a customer who had a similar setup for far too long), not to mention the "real" people who own the IPs are losing traffic during that time frame.

Good luck!
-Phil
__________________
Quality affordable hosting.
#11
Too lazy to wipe my ass
Join Date: Aug 2002
Location: A Public Bathroom
Posts: 38,655
i like poo
#12
Too lazy to set a custom title
Join Date: Mar 2002
Location: Australia
Posts: 17,393
Ycaza, I'm not "outing" them because, although they have a strange and relatively insecure setup (I can't recall seeing ARP requests for everything on any other host), I don't think they've done anything particularly wrong. As a customer I'm also concerned about being a victim of the issue I've raised.
#13
Too lazy to set a custom title
Join Date: Mar 2002
Location: Australia
Posts: 17,393
Is it likely they're using a non-managed switch, one that cannot even do basic filtering, e.g. to only permit packets on port X to/from Ethernet address Y that are ARP-mapped to IP address Z?
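The IP grab from posts #1 and #6, the bind / send spam / unbind pattern Phil describes in #10, and the per-port MAC/IP filter asked about in #13 all come down to the same thing: on a flat layer 2 segment nothing checks who answers an ARP request. The Python below is an added example, not code from anyone in this thread or from any host. It builds its own ARP frames (MACs are made up, IPs are from the 203.0.113.0/24 documentation range), runs a passive detector that would flag the experiment from post #1, and models the binding check a managed switch can apply per port (the IP Source Guard / ARP inspection behaviour the question in #13 is about). The port numbers, the `ArpWatch` and `BindingFilter` names and the frame timeline are all assumptions for the example.

```python
"""Flat layer-2 hosting segment: detect an ARP-based IP grab, and model the
per-port MAC/IP binding filter a managed switch can enforce.  Every frame is
built here for the example; MACs are made up, IPs are documentation space."""
import struct
from collections import defaultdict

ETH_ARP = 0x0806
BCAST = "ff:ff:ff:ff:ff:ff"
ZERO = "00:00:00:00:00:00"

mac_bytes = lambda s: bytes.fromhex(s.replace(":", ""))
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
ip_bytes = lambda s: bytes(int(o) for o in s.split("."))
ip_str = lambda b: ".".join(str(x) for x in b)

def build_arp(op, src_mac, sender_ip, dst_mac, target_ip, target_mac=ZERO):
    """Ethernet II frame carrying an RFC 826 IPv4-over-Ethernet ARP (op 1=request, 2=reply)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(src_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """Decode an Ethernet/ARP frame; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"src_mac": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}

class ArpWatch:
    """Passive detector (mirror port, or a tenant's own NIC).  Learns IP->MAC from
    frames that assert a binding (replies, gratuitous requests); flags an IP moving
    to a new MAC, and moving back to a MAC it used before (bind/spam/unbind)."""
    def __init__(self):
        self.table = {}                 # ip -> MAC currently claiming it
        self.seen = defaultdict(list)   # ip -> every MAC that has ever claimed it
        self.alerts = []                # (when, kind, ip, old_mac, new_mac)

    def feed(self, when, frame):
        a = parse_arp(frame)
        if a is None:
            return
        gratuitous = a["op"] == 1 and a["sender_ip"] == a["target_ip"]
        if a["op"] != 2 and not gratuitous:
            return                      # a plain who-has asserts nothing about its target
        ip, new = a["sender_ip"], a["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != new:
            kind = "flip-back" if new in self.seen[ip] else "ip-hijack"
            self.alerts.append((when, kind, ip, old, new))
        self.table[ip] = new
        if new not in self.seen[ip]:
            self.seen[ip].append(new)

class BindingFilter:
    """Per-port rule: port P forwards only frames whose source MAC is bound to P,
    and ARP from P only if sender MAC/IP equal P's binding (IP Source Guard + ARP
    inspection on a managed switch, modelled in software here)."""
    def __init__(self, bindings):
        self.bindings = bindings        # port -> (mac, ip), assumed static

    def allow(self, port, frame):
        bound = self.bindings.get(port)
        if bound is None:
            return False, f"port {port}: no binding"
        mac_b, ip_b = bound
        src = mac_str(frame[6:12])
        if src != mac_b:
            return False, f"port {port}: src MAC {src} is not {mac_b}"
        a = parse_arp(frame)
        if a and (a["sender_mac"], a["sender_ip"]) != (mac_b, ip_b):
            return False, f"port {port}: ARP claims {a['sender_ip']} is-at {a['sender_mac']}"
        return True, "forwarded"

ROUTER, VICTIM, ATTACKER = "00:00:5e:00:01:01", "00:16:3e:aa:aa:aa", "00:16:3e:bb:bb:bb"
GW_IP, VICTIM_IP, ATTACKER_IP = "203.0.113.1", "203.0.113.10", "203.0.113.20"

def run_scenario():
    """Replay the experiment from the thread: another customer's box answers ARP for
    an IP already in use, then the real owner answers again.  Returns (alerts, decisions)."""
    frames = [  # (time, switch port, frame): constructed sample traffic
        (0, 3, build_arp(1, VICTIM, VICTIM_IP, BCAST, VICTIM_IP)),           # victim announces .10
        (1, 1, build_arp(1, ROUTER, GW_IP, BCAST, VICTIM_IP)),               # router: who-has .10?
        (2, 7, build_arp(2, ATTACKER, VICTIM_IP, ROUTER, GW_IP, ROUTER)),    # attacker: .10 is-at me
        (3, 3, build_arp(2, VICTIM, VICTIM_IP, ROUTER, GW_IP, ROUTER)),      # victim: .10 is-at me
        (4, 7, build_arp(2, ATTACKER, ATTACKER_IP, ROUTER, GW_IP, ROUTER)),  # attacker's own .20
    ]
    watch = ArpWatch()
    for when, _port, frame in frames:
        watch.feed(when, frame)
    switch = BindingFilter({1: (ROUTER, GW_IP), 3: (VICTIM, VICTIM_IP), 7: (ATTACKER, ATTACKER_IP)})
    decisions = [switch.allow(port, frame) for _when, port, frame in frames]
    return watch.alerts, decisions

if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

Running it gives two alerts (an "ip-hijack" on 203.0.113.10 when the attacker's MAC claims it, then a "flip-back" when the real owner answers again) and, with per-port bindings in place, only the attacker's reply for .10 is dropped while all the other frames pass. The detector only trusts replies and gratuitous requests because an ordinary who-has says nothing about which MAC owns the target; the "flip-back" class is what makes the short-lived bind/unbind pattern stand out in a log rather than looking like a one-off conflict.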
#14
Confirmed User
Join Date: Feb 2005
Location: the 805
Posts: 4,290
it's a pain in the ass. i personally try to physically segment them, but VLANs are a great way to stop it. I am actually unconcerned about who; it happens, but when you do managed hosting most clients have little access to even their own machines. in larger setups though i am sure plenty of it still occurs.
__________________
Caz Thrush Head Honcho [email protected] http://thrushtech.com ICQ: 304883574 do people still icq?