Posted to users@cloudstack.apache.org by Will Conrad <wc...@hivelocity.net.INVALID> on 2023/05/18 12:07:14 UTC

IP Spoofing and IP Theft

Hello Community!

It looks like cloudstack has built-in protection to prevent IP spoofing, I
am wondering what kind (if any) of protections cloudstack has built-in to
protect the environment from IP theft, or is this a consideration that
should be taken into account when designing the network layout and
offerings for tenants?

Regards,

Willard Conrad
DevOps Engineer
Hivelocity, LLC

Re: IP Spoofing and IP Theft

Posted by Bryan Lima <br...@scclouds.com.br>.
Hello Willard,

ACS has the configuration `api.allowed.source.cidr.list` which is a 
comma-separated list of IPv4/IPv6 CIDRs from which API calls can be 
performed. Therefore, it is possible to filter from which IP addresses 
the ACS will accept calls; this parameter is also configurable at the 
account level.

However, the implementation of this feature uses the de-facto standard 
`X-Forwarded-For` HTTP header for getting the client IP address, and ACS 
will use whatever IP is sent in this header for filtering. Thus, this IP 
needs to be treated before reaching the ACS management server. This can 
be done in the proxy/load balancer server by checking if the IP passed 
in the `X-Forwarded-For` header matches the remote address, for example. 
Blindly accepting the header `X-Forwarded-For` is a security risk[1]; 
this header is only safe when it was built from a trusted node, usually 
the first wall of defense, e.g. a firewall.

In short, ACS does not have built-in protection for IP spoofing; this 
needs to be done before the request reaches the ACS, either in a proxy 
server or firewall.

Regarding IP theft, it is proposed in issue #7369[2] and implemented in 
PR#7378[3] a functionality called public IP quarantine. This feature is 
useful for preventing IP theft, as it keeps a public IP in quarantine 
for a configurable period, which only allows the owner of the IP to 
allocate during the quarantine duration. Therefore, this feature 
prevents a user from impersonating another user by using its public IP, as 
it will be in quarantine.

Best regards,
Bryan

[1] 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#security_and_privacy_concerns
[2] https://github.com/apache/cloudstack/issues/7369
[3] https://github.com/apache/cloudstack/pull/7378

On 18/05/2023 10:20, Jithin Raju wrote:
> Hi Willard,
>
> I believe there is something implemented using iptables, ebtables to prevent IP spoofing for security group enabled zones. You need to take this into account if you are using security group enabled zones.
>
> -Jithin
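
The proxy-side treatment of `X-Forwarded-For` described in the reply above, as an added example that is not CloudStack or proxy code and not part of the original message: the header is honoured only when the connection comes from a trusted proxy, and the resolved address is then checked against a comma-separated CIDR list in the format given for `api.allowed.source.cidr.list`. The function names, the trusted proxy range and the sample addresses are assumptions made for the illustration.

```python
import ipaddress


def parse_cidr_list(value):
    """Parse a comma-separated list of IPv4/IPv6 CIDRs."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def in_any(addr, networks):
    """True if addr belongs to one of the networks (same IP version only)."""
    return any(addr.version == net.version and addr in net for net in networks)


def resolve_client_ip(remote_addr, xff_header, trusted_proxies):
    """Return the address to filter on, or None if the header is malformed.

    remote_addr is the TCP peer the proxy actually sees. The header is used
    only when that peer is itself a trusted proxy; otherwise whatever the
    client wrote into X-Forwarded-For is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not in_any(peer, trusted_proxies):
        return peer
    addr = peer
    # Each proxy appends the peer it saw, so walk right to left and stop at
    # the first hop that was not written about one of our own proxies.
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # malformed entry: reject instead of guessing
        if not in_any(addr, trusted_proxies):
            return addr
    return addr  # every hop was a trusted proxy; use the left-most one


def header_to_forward(remote_addr, xff_header, trusted_proxies):
    """Value the proxy should overwrite X-Forwarded-For with (None = reject)."""
    client = resolve_client_ip(remote_addr, xff_header, trusted_proxies)
    return None if client is None else str(client)


def api_call_allowed(remote_addr, xff_header, trusted_proxies, allowed_cidrs):
    """Apply the allow list to the resolved address, not to the raw header."""
    client = resolve_client_ip(remote_addr, xff_header, trusted_proxies)
    return client is not None and in_any(client, allowed_cidrs)


# Constructed sample values (documentation address ranges, assumed topology).
TRUSTED_PROXIES = parse_cidr_list("10.0.0.0/8")
ALLOWED = parse_cidr_list("203.0.113.0/24, 2001:db8:1::/48")

if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "203.0.113.10"),               # direct client, forged header
        ("10.0.0.5", "203.0.113.10"),                   # via proxy, real client
        ("10.0.0.5", "203.0.113.10, 198.51.100.7"),     # forged entry prepended
        ("10.0.0.5", "203.0.113.10, not-an-ip"),        # malformed header
    ]
    for peer, xff in cases:
        print(peer, repr(xff), "->",
              header_to_forward(peer, xff, TRUSTED_PROXIES),
              api_call_allowed(peer, xff, TRUSTED_PROXIES, ALLOWED))
```
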

Re: IP Spoofing and IP Theft

Posted by Hean Seng <he...@gmail.com>.
I think it is not possible to do this on a shared network, where the next hop
of the network is directly your physical router. Nobody knows the IP is
spoofed if your VM changes the IP itself instead of following DHCP.

If you really want to achieve this, you may write a script yourself to read ARP
records from your router and compare them to the VM MAC address; if they do not
match, then it is a spoof.

You can avoid this by using Advanced, NAT Network Group, where the public
IP is not controlled by the VM.




On Tue, Jun 6, 2023 at 7:13 PM Will Conrad <wc...@hivelocity.net.invalid>
wrote:

> How might one go about achieving this functionality without using security
> groups? Is there another way *through cloudstack* to limit the users'
> ability to change their instance IP address or otherwise use an arbitrary
> IP address?
>
> For instance, if using a shared network for internet access with a publicly
> routable class C assigned, a new instance/vm assigned to that network will
> consume one of those IPs. What's to stop the user from manually changing
> their IP or manually adding another IP from that subnet, which is
> effectively "stealing" a second IP (aside from the obvious, that when
> cloudstack tries to assign that "stolen" IP to another instance there will
> be IP collisions on the network)?
>
> We really need to understand how this functionality works and what we can
> do to prevent bad actors from being bad actors.
>
> Regards,
>
> Willard Conrad
> DevOps Engineer
> Hivelocity, LLC


-- 
Regards,
Hean Seng
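
The ARP comparison script suggested in the message above, as an added example that is not part of the original post and not CloudStack code: it reads a router neighbour table and compares each IP/MAC pair with the addresses the platform allocated. It assumes the router table is available in Linux `ip neigh show` text format and that the allocation inventory (IP, MAC, VM name) has been exported from CloudStack by some other means; the function names and all sample data are constructed.

```python
import ipaddress


def parse_neigh(text):
    """Yield (ip, mac) for resolved entries of `ip neigh show` output."""
    for line in text.splitlines():
        tokens = line.split()
        if "lladdr" not in tokens:
            continue  # FAILED / INCOMPLETE entries carry no MAC
        try:
            ip = ipaddress.ip_address(tokens[0])
            mac = tokens[tokens.index("lladdr") + 1].lower()
        except (ValueError, IndexError):
            continue  # not a neighbour line we understand
        yield ip, mac


def find_violations(neigh_text, allocations, guest_cidr, infra_ips=()):
    """Compare observed IP/MAC pairs with the allocated ones.

    allocations: {ip: (mac, vm_name)} as assigned by the platform.
    infra_ips:   addresses in the subnet owned by the operator (gateway etc.).
    Returns a list of (kind, ip, observed_mac, vm_owning_that_mac).
    """
    net = ipaddress.ip_network(guest_cidr)
    by_ip = {ipaddress.ip_address(ip): (mac.lower(), vm)
             for ip, (mac, vm) in allocations.items()}
    vm_of_mac = {mac: vm for mac, vm in by_ip.values()}
    skip = {ipaddress.ip_address(ip) for ip in infra_ips}

    findings = []
    for ip, mac in parse_neigh(neigh_text):
        if ip not in net or ip in skip:
            continue
        source_vm = vm_of_mac.get(mac, "unknown")
        if ip not in by_ip:
            # Address from the tenant subnet answers ARP but was never allocated.
            findings.append(("unallocated_ip_in_use", str(ip), mac, source_vm))
        elif by_ip[ip][0] != mac:
            # Address is allocated, but a different NIC is answering for it.
            findings.append(("mac_mismatch", str(ip), mac, source_vm))
    return findings


# Constructed sample data: router neighbour table and allocation inventory.
SAMPLE_NEIGH = """\
203.0.113.1 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
203.0.113.10 dev eth1 lladdr 1e:00:a1:00:00:0a REACHABLE
203.0.113.11 dev eth1 lladdr 1e:00:a1:00:00:0a STALE
203.0.113.12 dev eth1 lladdr 1E:00:A1:00:00:0C REACHABLE
203.0.113.13 dev eth1 lladdr 1e:00:a1:00:00:0a DELAY
203.0.113.14 dev eth1  FAILED
192.0.2.9 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
"""

ALLOCATIONS = {
    "203.0.113.10": ("1e:00:a1:00:00:0a", "vm-a"),
    "203.0.113.11": ("1e:00:a1:00:00:0b", "vm-b"),
    "203.0.113.12": ("1e:00:a1:00:00:0c", "vm-c"),
}

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_NEIGH, ALLOCATIONS,
                                   "203.0.113.0/24", infra_ips=["203.0.113.1"]):
        print(*finding)
```

This only detects what the router has recently resolved and does not block anything; a guest that changes both its IP and its MAC to match another allocation would not show up as a mismatch here.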

Re: IP Spoofing and IP Theft

Posted by Will Conrad <wc...@hivelocity.net.INVALID>.
How might one go about achieving this functionality without using security
groups? Is there another way *through cloudstack* to limit the users'
ability to change their instance IP address or otherwise use an arbitrary
IP address?

For instance, if using a shared network for internet access with a publicly
routable class C assigned, a new instance/vm assigned to that network will
consume one of those IPs. What's to stop the user from manually changing
their IP or manually adding another IP from that subnet, which is
effectively "stealing" a second IP (aside from the obvious, that when
cloudstack tries to assign that "stolen" IP to another instance there will
be IP collisions on the network)?

We really need to understand how this functionality works and what we can
do to prevent bad actors from being bad actors.

Regards,

Willard Conrad
DevOps Engineer
Hivelocity, LLC

On Mon, May 22, 2023 at 10:02 AM Will Conrad <wc...@hivelocity.net> wrote:

> Hi Wei,
>
> Thanks for your response. Advanced zone is being used with a guest network
> type "shared". Disclaimer, I neither set up nor configured this
> cloudstack zone or instance. How can I tell if security groups were enabled
> when the zone was created? At this point, I am leaning towards they
> weren't, but need to confirm.
>
> Regards,
>
> Willard

Re: IP Spoofing and IP Theft

Posted by Will Conrad <wc...@hivelocity.net.INVALID>.
Hi Wei,

Thanks for your response. Advanced zone is being used with a guest network
type "shared". Disclaimer, I neither set up nor configured this
cloudstack zone or instance. How can I tell if security groups were enabled
when the zone was created? At this point, I am leaning towards they
weren't, but need to confirm.

Regards,

Willard

On Mon, May 22, 2023 at 8:40 AM Wei ZHOU <us...@gmail.com> wrote:

> Hi Will,
>
> What type of zone and network do you use?
>
> As said before, the functionality works in the Advanced zones with security
> groups (as well as the Basic zones).
> If you use the advanced zone and isolated networks (it seems so), there is
> no such functionality, as far as I know.
>
> -Wei

Re: IP Spoofing and IP Theft

Posted by Wei ZHOU <us...@gmail.com>.
Hi Will,

What type of zone and network do you use?

As said before, the functionality works in the Advanced zones with security
groups (as well as the Basic zones).
If you use the advanced zone and isolated networks (it seems so), there is
no such functionality, as far as I know.

-Wei


On Mon, 22 May 2023 at 14:00, Will Conrad <wc...@hivelocity.net.invalid>
wrote:

> Thank you everyone, for your responses.
>
> I feel the need to further clarify my question:
> The spoofing and IP theft this thread is concerned with is related to bad
> actors on cloudstack instances attempting to send out traffic as a
> different IP or attempting to utilize network IPs that aren't/weren't
> assigned to said VM by cloudstack.
>
> Based on some of the responses and a jira ticket from an old cloudstack
> version: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
> I thought I would confirm that the spoofing and IP theft I am immediately
> concerned with would not be an issue. However, I find that I am able to
> manually modify an instance IP (from within the instance) and maintain
> connectivity using the modified IP after removing the original
> cloudstack-assigned IP.
>
> Method of modification was using iproute2 tools from within the VM: ip addr
> add ..., ip addr del ..., ip route add ...
>
> Example: created new instance, received cloudstack assigned public IP,
> confirmed working. Logged into instance, manually added "stolen" IP,
> manually removed cloudstack assigned IP, re-added default gateway, tested
> connectivity. Instance was able to communicate on the internet by both
> sending and receiving outbound pings, performing DNS resolution, and
> accepting inbound ssh connects via the new manually added IP.
>
> This is contradictory to what I expected. Does something have to be done to
> enable this anti-spoofing functionality? Are there details I am missing?
>
> Regards,
>
> Willard Conrad
> DevOps Engineer
> Hivelocity, LLC

Re: IP Spoofing and IP Theft

Posted by Will Conrad <wc...@hivelocity.net.INVALID>.
Thank you everyone, for your responses.

I feel the need to further clarify my question:
The spoofing and IP theft this thread is concerned with is related to bad
actors on cloudstack instances attempting to send out traffic as a
different IP or attempting to utilize network IPs that aren't/weren't
assigned to said VM by cloudstack.

Based on some of the responses and a jira ticket from an old cloudstack
version: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
I thought I would confirm that the spoofing and IP theft I am immediately
concerned with would not be an issue. However, I find that I am able to
manually modify an instance IP (from within the instance) and maintain
connectivity using the modified IP after removing the original
cloudstack-assigned IP.

Method of modification was using iproute2 tools from within the VM: ip addr
add ..., ip addr del ..., ip route add ...

Example: created new instance, received cloudstack assigned public IP,
confirmed working. Logged into instance, manually added "stolen" IP,
manually removed cloudstack assigned IP, re-added default gateway, tested
connectivity. Instance was able to communicate on the internet by both
sending and receiving outbound pings, performing DNS resolution, and
accepting inbound ssh connects via the new manually added IP.

This is contradictory to what I expected. Does something have to be done to
enable this anti-spoofing functionality? Are there details I am missing?

Regards,

Willard Conrad
DevOps Engineer
Hivelocity, LLC



On Thu, May 18, 2023 at 11:07 AM Wei ZHOU <us...@gmail.com> wrote:

> Yes, as Jithin said cloudstack uses iptables/ebtables/ipset to prevent IP
> spoofing in advanced zone with security groups.
>
> If the IP or mac address of vm instance is modified inside the vm by the
> user, the vm will not work.
>
> -Wei

IP Spoofing and IP Theft

Posted by Wei ZHOU <us...@gmail.com>.
Yes, as Jithin said cloudstack uses iptables/ebtables/ipset to prevent IP
spoofing in advanced zone with security groups.

If the IP or mac address of vm instance is modified inside the vm by the
user, the vm will not work.

-Wei


On Thursday, 18 May 2023, Jithin Raju <ji...@shapeblue.com> wrote:

> Hi Willard,
>
> I believe there is something implemented using iptables, ebtables to
> prevent IP spoofing for security group enabled zones. You need to take this
> into account if you are using security group enabled zones.
>
> -Jithin

Re: IP Spoofing and IP Theft

Posted by Jithin Raju <ji...@shapeblue.com>.
Hi Willard,

I believe there is something implemented using iptables, ebtables to prevent IP spoofing for security group enabled zones. You need to take this into account if you are using security group enabled zones.

-Jithin
