Explain like I'm five: Broadcast traffic

Hi,

Recently I purchased a NodeDeploy KVM VPS and was surprised by how much local traffic I get from other hosts on the network.

The majority of that traffic is broadcast traffic. It wouldn't be so weird to me if it came from NodeDeploy's router and such, but it comes from other hosts, mainly Windows machines.

It's usually NetBIOS (port 137) and Dropbox LAN Sync (port 17500). There's also some excessive DHCP offering from those hosts.

As I'm using FreeBSD and have configured PF to block everything except incoming traffic to httpd/sshd, my logs are getting big and very hard to analyze for other, more important stuff.

As I'm a beginner, I'm not sure if this is normal, but with the other hosting provider I used before (KVMShell), when I asked about this, they would just terminate the user who interfered with other hosts, so I got the idea that this is indeed something that shouldn't be done.

I mean, I'm not using DHCP or Dropbox, nor do I need/want any traffic from other hosts on the network.

  • Why don't hosting companies like this isolate all network hosts from each other with a couple of simple firewall rules?
  • What are the security implications of this traffic?
  • Should I loosen my firewall rules a bit to let this traffic in?

Thanks a ton!

Comments

  • howardsl2 Member
    edited January 2014

    When I had a RamNode KVM in Atlanta a couple months ago, I used to see a lot of broadcast traffic on those two ports. I am using Linux and just set my iptables rules to drop everything that is not unicast ("-m pkttype ! --pkt-type unicast -j DROP") or coming from 0.0.0.0/8. You can also block other bogus traffic; refer to the iptables article in my blog (my sig).

    If other people on your network use Dropbox it is normal to see broadcasts on 17500 because of the LAN sync feature. Also, when they type a non-existent hostname in a web browser, Windows may ask the local network via NetBIOS about that hostname before declaring that it does not exist.

    My understanding is that you will see this traffic if others use Windows, unless your VPS has been placed on a /32 subnet. Just block them and you should be fine. Avoid logging these if you can.
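A pf.conf fragment that applies howardsl2's advice to the OP's FreeBSD setup: drop the broadcast noise quietly, ahead of the logging default deny, so pflog only keeps what is worth reading. This is an added example, not from either poster; the interface name vtnet0, the exact port set and the served ports 22/80/443 are assumptions.

```pf
# Added example (not from the thread). Interface name and served ports are
# assumptions; adjust to the VPS.
ext_if = "vtnet0"

# UDP ports behind the chatter the OP sees on a shared virtual LAN:
# 137/138 NetBIOS name/datagram, 67/68 DHCP, 17500 Dropbox LAN sync.
noise_ports = "{ 67, 68, 137, 138, 17500 }"

set skip on lo0

# Silent drops. "quick" ends evaluation here, so none of this reaches the
# logging default deny below and none of it ends up in pflog.
#  - anything addressed to a broadcast address (limited or the subnet's own)
#  - multicast, so the rule set mirrors iptables' "not unicast" drop
#  - anything sourced from 0.0.0.0/8 (hosts still waiting for a DHCP lease)
#  - the noisy UDP services regardless of destination
block in quick on $ext_if inet from any to { 255.255.255.255, $ext_if:broadcast }
block in quick on $ext_if inet from any to 224.0.0.0/4
block in quick on $ext_if inet from 0.0.0.0/8 to any
block in quick on $ext_if inet proto udp from any to any port $noise_ports

# Default deny with logging: only traffic that survived the quiet drops
# above is recorded, which keeps the log small enough to actually review.
block in log all
block out log all

# What the OP actually serves (sshd, httpd) plus the host's own outbound.
pass out on $ext_if inet keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22, 80, 443 } flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `tcpdump -n -e -ttt -i pflog0` should then show only the remaining, logged blocks.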

  • AnthonySmith Member, Patron Provider

    Yes, it is normal, especially for Xen/KVM on software bridges; you would get it on a physical network too.

    It is also acceptable for you to put in a ticket with the logs and ask the host to ask the people that run the servers to turn off the broadcasting for things like Dropbox.

  • A lot of providers will use a flat VLAN across all nodes also which doesn't help with the situation.

  • jar Patron Provider, Top Host, Veteran

    @Virtovo said:
    A lot of providers will use a flat VLAN across all nodes also which doesn't help with the situation.

    Damned if you do, damned if you don't :(

  • @jarland said:
    Damned if you do, damned if you don't :(

    Indeed.

  • mikho Member, Host Rep

    When it comes to Dropbox there is an option to allow LAN sync of the files. That's why you get the broadcast from Dropbox clients. They scream out looking for LAN clients to sync with.

  • So I can freely open those ports?
    As I'm not using any of those protocols what happens with those packets? What would be the best solution performance-wise?

  • mikho Member, Host Rep

    Your server does nothing if you have no service that it requests.
    It will however still process it so the best thing performance-wise is to turn off broadcast on the server that "screams".

  • MikHo said: the best thing performance-wise is to turn off broadcast on the server that "screams".

    Probably the thing NodeDeploy won't do... KVMShell would :/
