API tools faq
paste
lyfsy

How to prevent VPS users from changing allocated IPs?

lyfsy
Jan 23rd, 2020
405
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.63 KB | None | 0 0
raw download clone embed print report
  1. How to prevent VPS users from changing allocated IPs?
  2. Not sure where this thread belongs, apologies if this is the wrong forum.
  3. ++++++++++++++
  4. list of top cheapest host http://Listfreetop.pw
  5.  
  6. Top 200 best traffic exchange sites http://Listfreetop.pw
  7.  
  8. free link exchange sites list http://Listfreetop.pw
  9. list of top ptc sites
  10. list of top ptp sites
  11. Listfreetop.pw
  12. Listfreetop.pw
  13. +++++++++++++++
  14.  
  15. Seems like a huge risk where an errant VPS user could change his IP to a different IP like the gateway and take down the full network?
  16.  
  17. I've noticed that XenOrchestra has a feature to lock IPs but I can't find the option in XenServer/XCP-ng so I assume it must be a XO specific thing? Unfortunately, XO doesn't link with the popular billing software.
  18.  
  19. I've also not managed to find an option with Proxmox which is the preferred deployment software.
  20. Well - no, that's not how that works.
  21.  
  22. Reminder: Routing, especially when it comes to a gateway address, doesn't care a lick what your IP address is, because it only sends to the MAC address of that gateway. They can try spoofing that - but in practice it isn't going to work since then it becomes a race condition as to which interface sees packets for that MAC first - the gateway or the VM.
  23.  
  24. Your gateway is going to win that race 100% of the time.
  25.  
  26. If the VPS tries to assign itself the gateway IP or spoofs its MAC address the only thing they succeed in doing is knocking themselves offline. It is not nor should it be much of a concern for you.
  27.  
  28. Xen Orchestra's VIF locking (which, yes, is available in XenServer) isn't about security concerns like yours, at least not to that extent. It's about not permitting VMs to utilize more resources than they may have purchased, since other IPs within the same CIDR would be fair game to any VM in that block.
  29.  
  30. So grabbing the gateway IP isn't going to be a concern for you but perhaps assigning themselves other, unused IPs in that same IP range could be done.
  31.  
  32. In $YEARS of selling VMs we've never seen anyone try and change their IP info or steal IPs they were not assigned - except entirely by accident.
  33.  
  34. Bad Actors already have what they want if they have a functioning VM - they're not going to start doing things that draws attention to themselves if they can help it.
  35.  
  36. bitcoins mining and badlist
  37. serversworld.org
  38. hosting his presence
  39. 1 hosting 2 domain
  40. inventivehosting.co.uk
  41. hosting r code
  42. host with the most
  43. residualincomeinabox.biz
  44.  
  45. "I've seen spam you people wouldn't believe. Routers on fire off the OCs of AGIS. I watched MXes burning in the dark near the Cyberpromo Gateway. All those moments will be lost in time, like tears in rain. TTL=0."
  46. Thank you for the reply. I have a slightly better understanding now. Some follow up questions:
  47.  
  48. 1. Are you allocating IPs via DHCP? What is the backend responsible for this?
  49. 2. How do you protect against VMs adding more IPs than they were allocated? Do you have tools to detect IPs being used that have not been allocated or do you rely on feedback by the customer that finds out his IP is already in use?
  50. Nope. Statics only.
  51. 2. How do you protect against VMs adding more IPs than they were allocated?
  52. We don't. In my original reply I mentioned that we've never had anyone try it, so there's never been a need to engineer against it.
  53.  
  54. We've had clueless newbies trash their network configuration accidentally but all they ever accomplished was to knock their own VM offline. No one has ever tried to allocate to themselves IPs they were not already authorized to use.
  55.  
  56. You are wringing your hands over an extremely low probability event. People who are Up To No Good (and not the fun kind like in Hogwart's) do not want to draw attention to themselves and that's a pretty fast way of doing that. They want to fly under the radar and do their nefarious deeds without you noticing them.
  57. "I've seen spam you people wouldn't believe. Routers on fire off the OCs of AGIS. I watched MXes burning in the dark near the Cyberpromo Gateway. All those moments will be lost in time, like tears in rain. TTL=0."
  58. We don't. In my original reply I mentioned that we've never had anyone try it, so there's never been a need to engineer against it.
  59.  
  60. We've had clueless newbies trash their network configuration accidentally but all they ever accomplished was to knock their own VM offline. No one has ever tried to allocate to themselves IPs they were not already authorized to use.
  61.  
  62. You are wringing your hands over an extremely low probability event. People who are Up To No Good (and not the fun kind like in Hogwart's) do not want to draw attention to themselves and that's a pretty fast way of doing that. They want to fly under the radar and do their nefarious deeds without you noticing them.
  63. Do you mind sharing what you use to manage the IP space? I'm exploring Proxmox right now and I don't see the option to add an IP address to the NIC when creating a VM.
  64.  
  65. If the VPS goes offline due to a bad config, how do you restore access to the customer? Do you have some sort of rollback tool available or do you have to intervene manually?
  66.  
  67. You don't need to be attempting DDoS to want to use more IPs than allocated, some people might take joy in using 10 IPs when only paying for 1, no?
  68.  
  69. Would you isolate each VM traffic in their own VLAN?
  70.  
  71. Thanks again for the replies!
  72. VLANs may work to block usages of IPs that a client should not be using. I believe openstack has ACL type setups for IPs also but have not looked to much at that. Networking is fun.
  73. If the VPS goes offline due to a bad config, how do you restore access to the customer? Do you have some sort of rollback tool available or do you have to intervene manually?
  74. Console is your friend. Either you or if you had available, they could console to the VM and fix the network config issue. For example, with proxmox usage of KVM, you open VM manager in ubuntu, connect to the master, double click the VM and you're greeted with the console. The console requires no networking beyond the master's network to function in this case .
  75. This doesn't seem very efficient to be manually restoring the network for a customer's mistake. Is there a way the customer can restore it themselves?
  76. VLANs may work to block usages of IPs that a client should not be using. I believe openstack has ACL type setups for IPs also but have not looked to much at that. Networking is fun.
  77. Until you run out of VLANs? How would you route traffic between VMs? Through the gateway?
  78. This doesn't seem very efficient to be manually restoring the network for a customer's mistake.
  79. Unless you know precisely how they went about breaking it then you can't actually automate the fix for it, can you?
  80.  
  81. Someone has to go in and at the console figure out "OK buddy, what the hell did you do here?" ... because you can't even know that it's really a broken network configuration until you get into the machine and start poking around in it.
  82.  
  83. Quote Originally Posted by webhost4all View Post
  84. Is there a way the customer can restore it themselves?
  85. They have access to the exact same console - the difficulty is they're the ones making the mistakes, aren't they?
  86.  
  87. If they have to ask us to fix it and they don't have a management plan then we're gonna bill 'em admin time for that.
  88. "I've seen spam you people wouldn't believe. Routers on fire off the OCs of AGIS. I watched MXes burning in the dark near the Cyberpromo Gateway. All those moments will be lost in time, like tears in rain. TTL=0."
  89. Unless you know precisely how they went about breaking it then you can't actually automate the fix for it, can you?
  90.  
  91. Someone has to go in and at the console figure out "OK buddy, what the hell did you do here?" ... because you can't even know that it's really a broken network configuration until you get into the machine and start poking around in it.
  92.  
  93. They have access to the exact same console - the difficulty is they're the ones making the mistakes, aren't they?
  94.  
  95. If they have to ask us to fix it and they don't have a management plan then we're gonna bill 'em admin time for that.
  96. Ah yes, that makes sense if you bill them for the time spent fixing it. How do you usually proposition the extra charges? Before working on it? Or after fixing it?
  97.  
  98. Another unrelated question, should HVs have public facing IPs with iptables only allowing the billing platform and a management VM or private facing IPs with a VPN tunnel through a management VM?
  99. If you are all Xen, you could use Open vSwitch as your network bridge--you could drop some rules into the flow tables to prevent tenants from using resources that do not belong to them.
  100.  
  101. It's somewhat involved, but it does work!
  102.  
  103. Check out nw_dst, nw_src, and dl_dst match criteria in the Open vSwitch ovs-ofctl docs!
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!