Would you mind sharing how you were getting other users' traffic? I am unable to replicate this, I see only STP and occasional ARP using

# tcpdump -nni eth0 host not [my ip]

mal

On 08/04/2013 08:22 PM, Johan Boger wrote:
> Hi,
>
> Today, I discovered that a certain large ISP specializing in cloud hosting (
> digitalocean.com), has misconfigured their network in a way that allows for
> anyone to monitor customer network traffic. Per the guidelines of
> responsible disclosure, I have informed the ISP in question both when I
> first noticed the issue, and also before going public with the information.
> As I am sure some of this info has already trickled out (or is perhaps
> already common knowledge - if so, I apologize), I feel it is paramount to
> get this information out there, so that customers and others who feel this
> is not something they want, can act accordingly (or at least take
> counter-measures to protect their information).
>
> What happened:
>
> I ordered a cloud vps (a very affordable one at that, I must say) at
> digitalocean.com, using the NYC node. During the process of checking MySQL
> replication between master and slave, I noticed there was a lot of
> background noise in tcpdump. I kept looking and when I eliminated the ports
> I was using, what was left was somewhat worrying. It seems DigitalOcean
> has, using KVM and libvirt per their own recognition, put the
> libvirt-interface in an overly large bridge, and then kept applying more
> and more networks (multiple /24, it seems). While this might be a
> convenient way of assigning new networks to an ever-growing customer stock,
> it also sort of turns the entire thing into an amateur radio station (using
> the word amateur here to denote the activity, not the skill level of
> Digitalocean staff!).
>
> I want to make one thing clear. This is one of the better cloud shops I
> have used (and I have used a lot). They seem to have excellent support,
> provide what they claim to provide, and my billing there so far amounts to
> less than a dollar (even though I've fiddled with lots of stuff). HOWEVER,
> this does not mean that I want to be able to read what goes on with various
> mail, ircd, web and Microsoft sql servers, in networks far outside of my
> logical reach, as a customer with one IPv4.
>
> I am not an angry ex-customer. I will keep using their services, if this is
> fixed. Which is exactly why I am sending this email. I hope that it might
> add extra motivation, before someone gets their environment hacked. The way
> it is now, anyone even remotely interested, could fire up a VPS in less
> than a minute, and have full sniffing capabilities with hundreds (if not
> thousands) of servers. All while customers are using said servers to
> develop what I can only assume is important enough to host in a cloud.
>
> I will not paste logs as that would add nothing to my disclosure, more than
> a possibility to exploit innocent users. I wish to encourage the community
> to take a few steps back and not engage in target practice, while
> Digitalocean undoubtedly remedies this situation (I have been in contact
> with them repeatedly before coming here).
>
> I hope that this helps, for whatever it's worth. I will happily answer any
> followups, as long as they do not include requests for additional probes.
> This is where my involvement ends. I leave this information in the hands of
> the community, and Digitalocean (who I hope reads this list).
>
>
> Best Regards,
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
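An added check for the replication question in the reply above (it is not code from either poster): it classifies tcpdump -nn output and lists unicast packets that involve neither the local address nor a broadcast/multicast destination, which a correctly isolated bridge should never deliver to a tenant. The sample lines, the local address 10.0.0.7 and the /24 are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of "tcpdump -nn" output (not captured from any real host).
SAMPLE_LINES = """\
20:22:01.000001 STP 802.1d, Config, Flags [none], bridge-id 8000.00:11:22:33:44:55.8001, length 42
20:22:01.100002 ARP, Request who-has 10.0.0.9 tell 10.0.0.1, length 28
20:22:01.200003 IP 10.0.0.5.3306 > 10.0.0.7.51522: Flags [P.], seq 1:80, ack 1, win 229, length 79
20:22:01.300004 IP 10.0.0.5.22 > 198.51.100.4.40000: Flags [P.], seq 1:100, ack 1, win 229, length 99
20:22:01.400005 IP 203.0.113.12.49152 > 10.0.0.7.25: Flags [S], seq 0, win 29200, length 0
20:22:01.500006 IP 10.0.0.8.137 > 10.0.0.255.137: UDP, length 50
20:22:01.600007 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
20:22:01.700008 IP 10.0.0.3 > 10.0.0.6: ICMP echo request, id 1, seq 1, length 64
"""

# Matches the "IP src.port > dst.port:" (or IP6) prefix of a tcpdump -nn line without -e.
IP_LINE = re.compile(r"^\S+ (IP6?) (\S+) > (\S+):")


def strip_port(token):
    """Return the address from a tcpdump host.port token, or None if it does not parse."""
    for candidate in (token, token.rsplit(".", 1)[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def audit_capture(lines, local_ip, local_net):
    """Count STP/ARP/local/broadcast traffic; 'foreign_unicast' holds (src, dst) pairs
    this host should never see on a properly isolated segment."""
    local_ip = ipaddress.ip_address(local_ip)
    local_net = ipaddress.ip_network(local_net, strict=False)
    result = {"stp": 0, "arp": 0, "local": 0, "broadcast_multicast": 0,
              "foreign_unicast": [], "other": 0}
    for line in lines:
        if " STP " in line:
            result["stp"] += 1
            continue
        if " ARP, " in line:
            result["arp"] += 1
            continue
        m = IP_LINE.match(line)
        src, dst = (strip_port(m.group(2)), strip_port(m.group(3))) if m else (None, None)
        if src is None or dst is None:
            result["other"] += 1
        elif dst.is_multicast or dst in (local_net.broadcast_address,
                                         ipaddress.IPv4Address("255.255.255.255")):
            result["broadcast_multicast"] += 1
        elif local_ip in (src, dst):
            result["local"] += 1
        else:
            result["foreign_unicast"].append((str(src), str(dst)))
    return result


if __name__ == "__main__":
    print(audit_capture(SAMPLE_LINES.splitlines(), "10.0.0.7", "10.0.0.0/24"))
```

Any non-empty foreign_unicast list is a reason to treat the shared segment as untrusted and to carry host-to-host traffic such as MySQL replication over TLS or a tunnel until the provider confirms the bridge is isolated.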