[ovs-discuss] Q. about IP-, MAC-, arp-spoofing

Jesse Gross jesse at nicira.com
Thu Jul 26 15:17:00 UTC 2012


On Thu, Jul 26, 2012 at 2:38 AM, Oliver Francke <Oliver.Francke at filoo.de> wrote:
> Hi *,
>
> as there are many guys around here with OVS and qemu-virtualization I think
> it's the right place to ask ;)
>
> Currently I have some basic rulesets ala:
>
> # --- 8-< ---
> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0
> nw_dst=224.0.0.0/24 priority=40000 action=drop"
> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0 dl_src=${MAC}
> nw_src=${IP} priority=39000 action=resubmit("${PORT}",1)"
> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0 priority=100
> action=drop"
>
> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" table=1 priority=100
> action=normal"
> # --- 8-< ---
>
> that is: drop some broadcasts, allow VM's configured MAC + IP to jump to
> next table, and there place some additional rules, if any.
>
> This works, I see no more traffic if I do some changing of eth0's
> MAC-address or changing my VM's IP. Fine.
>
> Now there are evil characters around :-\
> My enemy is arp-poisoning via ettercap or arpspoof. Programs that are
> available in deb-packages.
>
> Well, what do you do against mangled payload:
>
> # --- 8-< ---
> Hardware type: Ethernet (0x0001)
> Protocol type: IP (0x0800)
> .
> .
> Sender MAC address: 00:f1:70:00:38:b0 (00:f1:70:00:38:b0)
> Sender IP address: 192.168.1.30 (192.168.1.30)
> # --- 8-< ---
>
> whereas the sender's MAC is correct, and the IP is faked, it's from the VM I
> want to attack.
>
> Is there any way in OVS to detect via offset/pattern/whatever such a mess?
>
> Or administer a static table in OVS with valid MACs <-> IPs?

Well you can match on the IPs and MACs in the payload of ARP packets
using flows and drop anything that doesn't hit.
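The poster's table-0 flows all match `ip` (EtherType 0x0800), so ARP (EtherType 0x0806) never reaches them, which is why the forged ARP payload gets through. The following script is an added example, not code from this thread or from Open vSwitch; it builds the ARP counterpart of those flows using the `arp`, `arp_sha` and `arp_spa` match fields, and adds a small parser over `ovs-ofctl dump-flows` output so the drop rule's packet counter can be read as a spoofing indicator. Bridge `vmbr0`, the `PORT`/`MAC`/`IP` convention, table 1 as the per-VM rule table, the priorities, the `apply` subcommand and the 0.0.0.0 probe exception are all this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread or the OVS project).
# Whitelists ARP whose sender hardware address (arp_sha) and sender
# protocol address (arp_spa) equal the VM's assigned MAC/IP; every other
# ARP frame from that port is dropped and counted.
# Assumptions: bridge vmbr0, table 1 as the per-VM "extra rules" table.

BRIDGE="${BRIDGE:-vmbr0}"
ALLOW_PRIO=39000   # assumed: same level as the poster's IP/MAC allow rule
DROP_PRIO=38000    # assumed: below allow, above anything in the default path

# Print the flow specifications for the VM on in_port $1, MAC $2, IP $3.
# Only prints; apply_arp_guard feeds these lines to ovs-ofctl.
arp_guard_flows() {
    port="$1"; mac="$2"; ip="$3"
    # Requests and replies alike: Ethernet source and both ARP sender
    # fields must belong to this VM. The payload from the post (correct
    # MAC, someone else's IP) fails the arp_spa check and falls through.
    printf 'in_port=%s,arp,dl_src=%s,arp_sha=%s,arp_spa=%s,priority=%s,actions=resubmit(%s,1)\n' \
        "$port" "$mac" "$mac" "$ip" "$ALLOW_PRIO" "$port"
    # Optional exception (assumption): ARP probes with sender IP 0.0.0.0
    # (RFC 5227 address-conflict detection, sent by DHCP clients) still
    # carry the VM's real MAC, so they are allowed through as well.
    printf 'in_port=%s,arp,dl_src=%s,arp_sha=%s,arp_spa=0.0.0.0,priority=%s,actions=resubmit(%s,1)\n' \
        "$port" "$mac" "$mac" "$ALLOW_PRIO" "$port"
    # Anything else ARP from this port is a spoof attempt: drop it.
    # The rule's n_packets counter then doubles as a detection signal.
    printf 'in_port=%s,arp,priority=%s,actions=drop\n' "$port" "$DROP_PRIO"
}

# Install the flows (needs root and a running Open vSwitch).
apply_arp_guard() {
    arp_guard_flows "$1" "$2" "$3" | while IFS= read -r flow; do
        ovs-ofctl add-flow "$BRIDGE" "$flow"
    done
}

# Detection helper: reads `ovs-ofctl dump-flows $BRIDGE` output on stdin
# and prints how many packets the ARP drop rule for in_port $1 has
# matched (0 if no such rule is present). Field order in dump-flows
# output is not relied upon; each grep narrows the candidate lines.
spoofed_arp_count() {
    port="$1"
    n=$(grep -E "in_port=${port}(,| |\$)" | grep ',arp,' | grep 'actions=drop' \
        | sed -n 's/.*n_packets=\([0-9]*\).*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Usage:  ./arpguard.sh apply PORT MAC IP
#         ovs-ofctl dump-flows vmbr0 | ./arpguard.sh count PORT
case "${1:-}" in
    apply) apply_arp_guard "$2" "$3" "$4" ;;
    count) spoofed_arp_count "$2" ;;
esac
```

Running `spoofed_arp_count` periodically (or watching the `n_packets` of the drop rule with `ovs-ofctl dump-flows`) gives a per-VM indicator of ARP spoofing attempts without any packet capture; a counter that keeps rising on a port whose tenant has no reason to send foreign ARP sender addresses is the thing to alert on.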
