Promiscuous Colocation?

This blog moved to a new server located in France a few weeks ago but I’m still running the old server located in a data center in Zaventem(BE).

For debugging purpose, I started a tcpdump on the box and was surprised to see a *lot* of traffic not mine! WTF!? Let’s compile a local ngrep for the fun…

# /usr/local/sbin/ngrep -d fxp0 -q PASS not host a.b.c.d
interface: fxp0 (a.b.c.d/255.255.255.240)
filter: (ip or ip6) and ( not host a.b.c.d )
match: PASS

T x.x.x.x:40008 -> x.x.x.x:110 [AP]
  PASS paul025..

T x.x.x.x:40018 -> x.x.x.x:110 [AP]
  PASS paul025..

T x.x.x.x:40023 -> x.x.x.x:110 [AP]
  PASS wx122929..

T x.x.x.x:35819 -> x.x.x.x:110 [AP]
  PASS 068f76e1..

T x.x.x.x:65119 -> x.x.x.x:110 [AP]
  PASS id2310..

T x.x.x.x:57300 -> x.x.x.x:110 [AP]
  PASS hallokes2423..

T x.x.x.x:1569 -> x.x.x.x:110 [AP]
  PASS sw2920sw..

Ah, I forget to mention this one particularly safe:

T x.x.x.x:51055 -> x.x.x.x:110 [AP]
  PASS 123456..

Is my server connected on a trunk port? Is my dedicated port left in monitoring mode? No idea but I can grab a *lot* of traffic! I’ll contact the admin over there and try to explain them the “problem”.

Even if this is “funny”, as a security professional, I’ve to take care about this issue. I sniffed some traffic to investigate and no trace of captured packets was saved. But, what will happen if the same security hole is available to other servers managed by malicious admins? Once again, never trust anybody and always encrypt your traffic!