Promiscuous Colocation?

Sniffer

This blog moved to a new server located in France a few weeks ago but I’m still running the old server located in a data center in Zaventem(BE).

For debugging purpose, I started a tcpdump on the box and was surprised to see a *lot* of traffic not mine! WTF!? Let’s compile a local ngrep for the fun…

# /usr/local/sbin/ngrep -d fxp0 -q PASS not host a.b.c.d
interface: fxp0 (a.b.c.d/255.255.255.240)
filter: (ip or ip6) and ( not host a.b.c.d )
match: PASS

T x.x.x.x:40008 -> x.x.x.x:110 [AP]
  PASS paul025..

T x.x.x.x:40018 -> x.x.x.x:110 [AP]
  PASS paul025..

T x.x.x.x:40023 -> x.x.x.x:110 [AP]
  PASS wx122929..

T x.x.x.x:35819 -> x.x.x.x:110 [AP]
  PASS 068f76e1..

T x.x.x.x:65119 -> x.x.x.x:110 [AP]
  PASS id2310..

T x.x.x.x:57300 -> x.x.x.x:110 [AP]
  PASS hallokes2423..

T x.x.x.x:1569 -> x.x.x.x:110 [AP]
  PASS sw2920sw..

Ah, I forget to mention this one particularly safe:

T x.x.x.x:51055 -> x.x.x.x:110 [AP]
  PASS 123456..

Is my server connected on a trunk port? Is my dedicated port left in monitoring mode? No idea but I can grab a *lot* of traffic! I’ll contact the admin over there and try to explain them the “problem”.

Even if this is “funny”, as a security professional, I’ve to take care about this issue. I sniffed some traffic to investigate and no trace of captured packets was saved. But, what will happen if the same security hole is available to other servers managed by malicious admins? Once again, never trust anybody and always encrypt your traffic!

One comment

  1. Dumpfile or it didn’t happen.
    Seriously, if I was you, I’d grab everything (for “research” purposes), GPG it and hide somewhere.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.