Can users sniff each other's packets and perform man in the middle attacks?

asked 2020-03-04 11:31:11 -0500

qumulus

Say that I have a user (user A) that creates a VM that hosts a LAMP stack. However, user A does not enable https, and people logging in to the user's website will have unencrypted data going to/from the VM. Can other OpenStack users, who are malicious, sniff packets that go from/to the VM of user A? In this malicious scenario, would other users then be able to gather any unencrypted data (potentially login info) that get transferred to the VM? And can these malicious users do spoofing and man-in-the-middle attacks? Let's assume that the malicious OpenStack users can create VMs that will be in the same subnet as user A, and assume that the malicious OpenStack users don't have access or have not broken into the hypervisors.




Sure they can, if traffic is unencrypted and goes through a floating IP. But that is so for physical servers as well, and any server outside a cloud.

To install a VM on the same subnet as user A, you must be in the same project as A. I think A should be careful whom they invite to their project.

Bernd Bausch ( 2020-03-04 14:20:35 -0500 )

@Bernd-Baush, in my case the VMs all use the same network/subnet, even though the users are on different projects. The network is of provider:network_type = flat and provider:physical_network=mynetwork, as specified in linuxbridge_agent.ini ([linux_bridge] physical_interface_mappings = mynetwork).

qumulus ( 2020-03-04 15:05:42 -0500 )

Then there is no problem seeing traffic of other projects. If you want to avoid that, you need a different architecture.

Bernd Bausch ( 2020-03-04 15:28:56 -0500 )

1 answer


answered 2020-03-05 11:26:38 -0500

zaneb

It depends on the network architecture of your deployment. It is certainly possible to stand up an OpenStack deployment where tenant networks are completely separated from each other, using either VLANs or some sort of overlay networking.

However, provider:network_type = flat offers no such protections.

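One way to check a deployment for the situation discussed in this thread, as an added example that is not part of the original posts: the script groups instance ports by network and reports every network on which instances from more than one project share a segment, noting whether it is flat. The sample data is constructed and only shaped like Neutron network and port resources; the `audit` function and its output fields are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data, shaped like Neutron API network and port resources.
NETWORKS = [
    {"id": "net-flat", "name": "shared-flat", "shared": True,
     "provider:network_type": "flat", "provider:physical_network": "mynetwork"},
    {"id": "net-a", "name": "proj-a-private", "shared": False,
     "provider:network_type": "vxlan", "provider:physical_network": None},
]
PORTS = [
    {"id": "p1", "network_id": "net-flat", "project_id": "proj-a",
     "device_owner": "compute:nova", "port_security_enabled": True},
    {"id": "p2", "network_id": "net-flat", "project_id": "proj-b",
     "device_owner": "compute:nova", "port_security_enabled": False},
    {"id": "p3", "network_id": "net-a", "project_id": "proj-a",
     "device_owner": "compute:nova", "port_security_enabled": True},
    {"id": "p4", "network_id": "net-flat", "project_id": "svc",
     "device_owner": "network:dhcp", "port_security_enabled": False},
]

def audit(networks, ports):
    """Report networks where instances of several projects share one segment."""
    vm_ports = defaultdict(list)
    for port in ports:
        # Count only instance ports; DHCP and router ports belong to the service.
        if port.get("device_owner", "").startswith("compute:"):
            vm_ports[port["network_id"]].append(port)
    findings = []
    for net in networks:
        attached = vm_ports.get(net["id"], [])
        projects = sorted({p["project_id"] for p in attached})
        if len(projects) < 2:
            continue  # a single project on the network: nothing to report
        findings.append({
            "network": net["name"],
            "flat": net.get("provider:network_type") == "flat",
            "projects": projects,
            # Neutron's port-security extension applies anti-spoofing filtering
            # per port when enabled; list the instance ports where it is off.
            "ports_without_port_security": sorted(
                p["id"] for p in attached
                if not p.get("port_security_enabled", True)),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(NETWORKS, PORTS):
        print(finding)
```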



Asked: 2020-03-04 11:31:11 -0500

Seen: 54 times

Last updated: Mar 05