Hi Jesse,

On 26.07.2012 at 17:17, Jesse Gross <je...@nicira.com> wrote:

> On Thu, Jul 26, 2012 at 2:38 AM, Oliver Francke <oliver.fran...@filoo.de> 
> wrote:
>> Hi *,
>> 
>> as there are many guys around here with OVS and qemu-virtualization I think
>> it's the right place to ask ;)
>> 
>> Currently I have some basic rulesets ala:
>> 
>> # --- 8-< ---
>> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0
>> nw_dst=224.0.0.0/24 priority=40000 action=drop"
>> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0 dl_src=${MAC}
>> nw_src=${IP} priority=39000 action=resubmit("${PORT}",1)"
>> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0 priority=100
>> action=drop"
>> 
>> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" table=1 priority=100
>> action=normal"
>> # --- 8-< ---
>> 
>> that is: drop some broadcasts, allow VM's configured MAC + IP to jump to
>> next table, and there place some additional rules, if any.
>> 
>> This works, I see no more traffic if I do some changing of eth0's
>> MAC-address or changing my VM's IP. Fine.
>> 
>> Now there are evil characters around :-\
>> My enemy is arp-poisoning via ettercap or arpspoof. Programs that are
>> available in deb-packages.
>> 
>> Well, what do you do against mangled payload:
>> 
>> # --- 8-< ---
>> Hardware type: Ethernet (0x0001)
>> Protocol type: IP (0x0800)
>> .
>> .
>> Sender MAC address: 00:f1:70:00:38:b0 (00:f1:70:00:38:b0)
>> Sender IP address: 192.168.1.30 (192.168.1.30)
>> # --- 8-< ---
>> 
>> whereas the sender's MAC is correct, and the IP is faked, it's from the VM I
>> want to attack.
>> 
>> Is there any way in OVS to detect via offset/pattern/whatever such a mess?
>> 
>> Or administer a static table in OVS with valid MACs <-> IPs?
> 
> Well you can match on the IPs and MACs in the payload of ARP packets
> using flows and drop anything that doesn't hit.

Well sir, I cannot, at least I tried to go through man-pages etc. My plan was 
to add a flow for all arp-packets, then handle all things in a second table. 
But I have no idea _how_, hence this mail ;)
If it's something obvious, excuse my blindness 8-)

Thanks again,

Oliver.

> _______________________________________________
> discuss mailing list
> discuss@openvswitch.org
> http://openvswitch.org/mailman/listinfo/discuss
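The flow-based ARP check Jesse describes, written out as an added example that is not part of the thread. It reuses the post's bridge and variable names (vmbr0, PORT, MAC, IP) and the ovs-ofctl match fields arp_sha/arp_spa, and assumes table 1 already holds the per-VM rules ending in action=normal as in the original flows; the small verdict function mirrors the match logic so the rules can be sanity-checked without a running switch.

```shell
#!/bin/sh
# Added example (not from the thread): pin each VM port to one MAC/IP pair in ARP.
# Reuses the post's names: bridge vmbr0, $PORT, $MAC, $IP; table 1 is assumed to
# already hold the per-VM rules ending in action=normal, as in the original flows.

# Print the two ovs-ofctl commands for one VM port. The first accepts ARP only if
# the Ethernet source, the ARP sender hardware address (arp_sha) and the ARP
# sender protocol address (arp_spa) all match the configured pair; the second
# drops every other ARP frame from that port, which covers the "correct MAC,
# faked IP" payload shown in the post. Requests and replies both carry the
# sender's own addresses, so no arp_op match is needed.
# If the VM sends ARP probes (arp_spa=0.0.0.0, RFC 5227) or uses DHCP, add a
# third flow that permits arp_spa=0.0.0.0 together with arp_sha=$mac.
arp_guard_flows() {
    br=$1 port=$2 mac=$3 ip=$4
    echo "ovs-ofctl add-flow $br \"in_port=$port arp dl_src=$mac arp_sha=$mac arp_spa=$ip priority=40000 action=resubmit($port,1)\""
    echo "ovs-ofctl add-flow $br \"in_port=$port arp priority=39000 action=drop\""
}

# Decide what the two flows above do with one ARP frame, given the configured
# pair and the frame's dl_src / arp_sha / arp_spa (MACs written lowercase, as
# ovs-ofctl prints them). Mirrors the match logic; it does not talk to OVS.
arp_verdict() {
    mac=$1 ip=$2 dl_src=$3 arp_sha=$4 arp_spa=$5
    if [ "$dl_src" = "$mac" ] && [ "$arp_sha" = "$mac" ] && [ "$arp_spa" = "$ip" ]; then
        echo "resubmit"   # priority 40000 matched: on to table 1
    else
        echo "drop"       # priority 39000 catch-all for this port
    fi
}

# Constructed demo: the sender MAC from the post's capture, a constructed "real"
# IP for that VM (192.168.1.40) and the faked sender IP 192.168.1.30 from the post.
arp_guard_flows vmbr0 "${PORT:-5}" 00:f1:70:00:38:b0 192.168.1.40
arp_verdict 00:f1:70:00:38:b0 192.168.1.40 00:f1:70:00:38:b0 00:f1:70:00:38:b0 192.168.1.30   # drop
```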
