[ovs-discuss] Q. about IP-, MAC-, arp-spoofing

Oliver Francke Oliver.Francke at filoo.de
Thu Jul 26 09:38:12 UTC 2012


Hi *,

as there are many guys around here with OVS and qemu virtualization, I 
think it's the right place to ask ;)

Currently I have some basic rulesets à la:

# --- 8-< ---
# table 0: drop IP traffic from the VM port to 224.0.0.0/24 (link-local multicast)
ovs-ofctl add-flow vmbr0 "in_port=${PORT} ip idle_timeout=0 nw_dst=224.0.0.0/24 priority=40000 action=drop"
# table 0: only the VM's configured MAC + IP pair may continue into table 1
ovs-ofctl add-flow vmbr0 "in_port=${PORT} ip idle_timeout=0 dl_src=${MAC} nw_src=${IP} priority=39000 action=resubmit(${PORT},1)"
# table 0: any other IP traffic from this port is dropped
ovs-ofctl add-flow vmbr0 "in_port=${PORT} ip idle_timeout=0 priority=100 action=drop"

# table 1: per-VM rules go here; the default is normal L2 switching
ovs-ofctl add-flow vmbr0 "in_port=${PORT} table=1 priority=100 action=normal"
# --- 8-< ---

that is: drop some broadcasts, allow the VM's configured MAC + IP to jump to 
the next table, and place some additional rules there, if any.

This works; I see no more traffic if I change eth0's MAC address or my 
VM's IP. Fine.

Now there are evil characters around :-\
My enemy is ARP poisoning via ettercap or arpspoof, programs that are 
available as deb packages.

Well, what do you do against a mangled payload:

# --- 8-< ---
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
.
.
Sender MAC address: 00:f1:70:00:38:b0 (00:f1:70:00:38:b0)
Sender IP address: 192.168.1.30 (192.168.1.30)
# --- 8-< ---

where the sender's MAC is correct and the IP is faked; it belongs to the 
VM I want to attack.

Is there any way in OVS to detect such a mess via offset/pattern/whatever?

Or administer a static table in OVS with valid MACs <-> IPs?

Thanks in advance for any thoughts,

Oliver.


-- 

Oliver Francke

filoo GmbH
Moltkestraße 25a
33330 Gütersloh
HRB4355 AG Gütersloh

Managing directors: S. Grewing | J. Rehpöhler | C. Kunz

Follow us on Twitter: http://twitter.com/filoogmbh
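
The following is an added example from the editor, not code from the post or from any reply on the list. The flows in the post match "ip" (dl_type 0x0800), so ARP frames (dl_type 0x0806) never reach the dl_src/nw_src check and are not bound to the VM's address pair at all. ovs-ofctl can match ARP sender fields directly (arp_sha, arp_spa), which is the "static table of valid MACs <-> IPs" the post asks about: one pair of flows per VM port, and an ARP reply whose sender IP is a neighbour's address is dropped at the port it came in on. The bridge name vmbr0 follows the post; the port number, MAC and IP used in the dry run are constructed; the script assumes an ovs-ofctl that supports the arp_sha/arp_spa match fields.

```shell
#!/bin/sh
# Added example (editor's, not from the post): per-port anti-spoofing flows
# for Open vSwitch that bind a VM port to one MAC + IP pair for IP *and* ARP.
# Assumptions: bridge vmbr0 (from the post); ovs-ofctl understands arp_sha and
# arp_spa; port/MAC/IP values in the dry run at the bottom are constructed.

BRIDGE=${BRIDGE:-vmbr0}
# Set OVS_OFCTL=echo to print the commands instead of programming the bridge.
OVS_OFCTL=${OVS_OFCTL:-ovs-ofctl}

# antispoof_flows PORT MAC IP
# Prints one flow per line. Table 0 admits only frames whose addresses are the
# VM's own; table 1 is the per-VM policy table the post already uses.
antispoof_flows() {
    port=$1 mac=$2 ip=$3
    # drop IP traffic to the link-local multicast block (as in the post)
    printf '%s\n' "in_port=${port} ip nw_dst=224.0.0.0/24 priority=40000 actions=drop"
    # IP: Ethernet source and IP source must both be the VM's own
    printf '%s\n' "in_port=${port} ip dl_src=${mac} nw_src=${ip} priority=39000 actions=resubmit(${port},1)"
    # ARP: Ethernet source, ARP sender MAC and ARP sender IP must all be the VM's own.
    # This is the rule the post's set lacks: a reply claiming a neighbour's IP
    # (correct MAC, faked arp_spa) does not match it and falls through to the drop.
    printf '%s\n' "in_port=${port} arp dl_src=${mac} arp_sha=${mac} arp_spa=${ip} priority=39000 actions=resubmit(${port},1)"
    # ARP probes (RFC 5227 duplicate-address detection) carry sender IP 0.0.0.0;
    # allow them only from the VM's own MAC so address conflict detection keeps working.
    printf '%s\n' "in_port=${port} arp dl_src=${mac} arp_sha=${mac} arp_spa=0.0.0.0 priority=38000 actions=resubmit(${port},1)"
    # Everything else from this port is dropped. Unlike the post's catch-all this
    # is not limited to "ip", so IPv6 and any other ethertype are dropped as well;
    # loosen it if the VMs need them.
    printf '%s\n' "in_port=${port} priority=100 actions=drop"
    # table 1: per-VM policy, default normal L2 forwarding (as in the post)
    printf '%s\n' "table=1 in_port=${port} priority=100 actions=normal"
}

# apply_antispoof PORT MAC IP
# Programs the flows onto $BRIDGE with $OVS_OFCTL (echo for a dry run).
apply_antispoof() {
    antispoof_flows "$@" | while IFS= read -r flow; do
        $OVS_OFCTL add-flow "$BRIDGE" "$flow" || exit 1
    done
}

# Stand-alone use: ./antispoof.sh PORT MAC IP
# Dry run with constructed values:
#   OVS_OFCTL=echo ./antispoof.sh 5 52:54:00:12:34:56 192.168.1.30
if [ "$#" -eq 3 ]; then
    apply_antispoof "$@"
fi
```

Run it once per VM port from the same place the post's per-port rules are installed; the uplink (physical) port gets no such rule, so this stops a VM on the bridge from poisoning its neighbours but says nothing about spoofed ARP arriving from the physical network. If the VMs get their address via DHCP, the "ip" rule also needs an exception for nw_src=0.0.0.0 UDP 68->67, which this example does not include.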