Please explain how it is possible to sniff packets from within a datacenter.

Some background. I am studying networking options for DigitalOcean. My goal is to make sure that data exchange between hosts is secure as it may be sensitive. I read that DO's "private network" is not a real private network but instead includes all the users inside of the datacenter and isolates them from WAN.

Due to this, it is recommended to encrypt the connection between DigitalOcean's droplets that might exchange sensitive information.

I would like to better understand how it is possible to capture TCP/IP traffic that wasn't intended for your host within the reasonably secured and controlled environment of a datacenter (e.g. there's no WiFi, routing is properly configured, no malicious MITM is possible).

Juriy

  • Random thought: I'd run away from an IaaS provider that insists on reinventing terminology and calls a VPS something nobody else uses, like "droplets". – jjmontes Mar 17 '17 at 18:24
  • How is that worse than Linode, which calls their VPSs... "linodes"? – Nathan Osman Mar 17 '17 at 19:17

2 Answers

To perform a successful MITM attack you need one of two things (assuming encryption is not used):

  • Be on the same network as the traffic you are trying to intercept
  • Be on the path of the traffic you are trying to intercept

This means that if someone else has a droplet on the same subnet as you they can potentially eavesdrop on the communications that exist on that network. This monitoring could be done with the help of a network analyzer tool like Wireshark, or with a technique called ARP Poisoning if the conditions are correct.

I don't have any intimate insider knowledge of how the DO droplet isolation or network configuration works, but any time you transmit sensitive data between machines (even when both machines exist on the same trusted network) you should be leveraging TLS to mitigate traffic interception.

DKNUCKLES

  • That said, though, traffic is usually correctly switched in datacenters, which means you'll not be able to see any traffic that is not directed to your MAC addresses. In any case, you need to check the situation with your particular provider. If your traffic between hosts is high, you will be better off with a proper private network (i.e. Amazon VPC), saving you the infrastructure costs of encrypting all connections between your hosts. – jjmontes Mar 17 '17 at 18:28
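The "same network" condition in this answer is what makes ARP poisoning relevant: a host on the same L2 segment can answer ARP requests with its own MAC, and a switch then delivers the victim's frames to it. From the defender's side, that leaves a visible trace in the ARP replies a host receives. The following is an added example, not code from the question or either answer; it assumes input shaped like `tcpdump -e -n arp` output and uses constructed sample lines (no real capture) to flag two classic indicators: an IP whose MAC changes, and one MAC advertising itself as several IPs.

```python
"""ARP-poisoning indicator check over ARP reply records (added example)."""
import re
from collections import defaultdict

# Constructed sample in tcpdump -e -n style (not a real capture). Host
# 10.0.0.23 first learns the gateway 10.0.0.1 at ...:fe, then receives a
# reply claiming 10.0.0.1 is at ...:42, and ...:42 also answers for 10.0.0.23,
# which is the pattern a host answering for both ends of a conversation leaves.
SAMPLE_ARP_LINES = [
    "12:00:01.000001 02:aa:bb:cc:dd:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
    "Request who-has 10.0.0.1 tell 10.0.0.23, length 28",
    "12:00:01.000200 02:aa:bb:cc:dd:fe > 02:aa:bb:cc:dd:01, ethertype ARP (0x0806), length 42: "
    "Reply 10.0.0.1 is-at 02:aa:bb:cc:dd:fe, length 28",
    "12:00:05.100000 02:aa:bb:cc:dd:42 > 02:aa:bb:cc:dd:01, ethertype ARP (0x0806), length 42: "
    "Reply 10.0.0.1 is-at 02:aa:bb:cc:dd:42, length 28",
    "12:00:05.100300 02:aa:bb:cc:dd:42 > 02:aa:bb:cc:dd:fe, ethertype ARP (0x0806), length 42: "
    "Reply 10.0.0.23 is-at 02:aa:bb:cc:dd:42, length 28",
    "12:00:09.000000 02:aa:bb:cc:dd:77 > 02:aa:bb:cc:dd:01, ethertype ARP (0x0806), length 42: "
    "Reply 10.0.0.9 is-at 02:aa:bb:cc:dd:77, length 28",
]

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
REPLY_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{MAC}) > (?P<dst>{MAC}), ethertype ARP \(0x0806\), length \d+: "
    rf"Reply (?P<ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}}) is-at (?P<mac>{MAC}), length \d+$",
    re.IGNORECASE,
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, advertised_mac, frame_src_mac) for each ARP reply.

    Requests and anything that does not match the expected shape are skipped;
    only replies carry the IP-to-MAC binding a poisoner needs to forge.
    """
    for line in lines:
        m = REPLY_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower(), m.group("src").lower()


def detect_arp_anomalies(lines):
    """Return alert dicts for two poisoning indicators seen in ARP replies.

    "mac_change": an IP previously bound to one MAC is now advertised at another.
    "multi_ip":   a single MAC has advertised itself as more than one IP.
    Both also occur legitimately (failover, VRRP, a host being re-addressed),
    so treat them as indicators to investigate, not as proof.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac, src in parse_arp_replies(lines):
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"kind": "mac_change", "ts": ts, "ip": ip,
                           "old_mac": prev, "new_mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"kind": "multi_ip", "ts": ts, "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_LINES):
        print(alert)
```

Because traffic in a datacenter is normally switched, a host only ever sees ARP replies addressed to it or broadcast, so this check protects the host's own ARP cache rather than the whole segment; per-host monitoring like this, static ARP entries for critical peers, or provider-side port security are the usual complements to the TLS recommendation above.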
If your application runs in a datacenter, you trust that datacenter. If you have isolation requirements, you describe them, and if the provider tells you that they are met, you should trust him or not use his service at all.

That being said, if you just use low-cost hosting, where the provider simply allows you to install your application on his machines, all traffic between two nodes should be encrypted, because you cannot know what is installed on the same network and who controls it.

Remember: the sysadmin of a datacenter has physical and low-level access to any machine in the datacenter, so you should consider that any data in the datacenter can be read by the datacenter admins. The protection past that point is legal and no longer technical.

Serge Ballesta