Script to detect IP stealing in XEN (SolusVM Hosts)

AnthonySmith Member, Patron Provider
edited December 2012 in General

Hi Folks,

As many of us that use SolusVM and Xen (and I assume KVM and possibly OpenVZ too) know, SolusVM has had a major bug since IPv6 was implemented: if you turn on IP stealing detection for IPv4, apart from the fact that it does not even alert you, it completely disables IPv6.

Initially SolusVM said that it was due to ebtables in CentOS 5 not supporting IPv6; ebtables has supported IPv6 since 2.6.16, so I found that hard to accept but assumed they had tested it well to make that statement.

Now that I have moved to CentOS 6 and the same problem exists, the new reason is that "it must be a problem with ebtables", which is not the case either: ebtables supports IPv6 just fine, it is the eb_php that SolusVM produces that seems to cause the issue.

They have worked around the issue by adding a '?' next to the feature saying it may cause an issue with IPv6.

I understand this is probably a complicated thing to work on but it has been a bug that they have refused to acknowledge as such for over a year.

/rant


When this first started happening I wrote a script for detection; it was horrible and clunky and frankly I forgot about it, hoping that SolusVM would fix their ebtables implementation.

After yet another case of a spammer IP stealing I got sick of it and sat for an afternoon yesterday rewriting everything.

GET IT HERE: http://pastie.org/private/rrhexp7uqh8907oxpb3wtq

I am not a coder/scripter so it might not look pretty, but it works: it checks all IPs you have assigned to customers, matches them up with their assigned MAC address, touches every IP in your node range, dumps the ARP cache, excludes the gateway etc. and runs a diff; a little bit of extra logic is applied and it emails you with details if it finds a problem.

Should not be hard to adapt for KVM/OpenVZ if required, but it won't be done by me unless someone provides a test bed :)

Thanks to @joepie91 for the python script to clean up the authorised list.

@KuJoe was asking about this a while back so I hope it's of use to you too.

I never usually release anything I write because it's ugly, but thought this might help others; I made plenty of comments so other people know what it is doing.

Released under WTFPL, i.e. do what you want with it.

Be Kind.

Anthony.


Comments

  • AnthonySmith Member, Patron Provider

    @soluslabs maybe you could look at the logic behind this and implement an alternative method rather than ebtables which will not block obviously but will at least alert.

  • Damian Member
    edited December 2012

    FYI, IP stealing is somewhat prevented in OVZ with the concept of the 'venet' interface, as containers are not allowed to set their own network config. This script may be of interest to @joepie91 in his quest to implement 'veth' interfaces with OVZ.

    This will help with Solus' drain bamage regarding assigning the same IP to multiple containers, then 'forgetting' which container it's truly assigned to. Thank you!

  • AnthonySmith Member, Patron Provider

    @damian nice one thanks, I was not aware of that as I don't use OpenVZ daily.

  • Try running traffic shaping on CentOS 6 with KVM: memory increases about 10MB per minute until you turn it back off.

    No explanation as to why yet.

  • AnthonySmith Member, Patron Provider
    edited December 2012

    It always did that, just to a lesser extent, especially on Xen; from what I could find out it is directly related to the restriction you place as a %.

    e.g. restricting 50 VPSes to 100mbit on a gbit link is going to cause serious issues over time with stability; you won't have enough conntracks and your buckets will not be big enough to hold all the packets queueing up for delivery.

    Because the restriction is occurring at the bridge, you're essentially DDoS'ing yourself by putting a 90% traffic restriction in place.

    I learned this the hard way by restricting 5 active VMs to 10mbit on a gbit link back in the 1.7.x days: the node load went to 200+ and hung in less than 30 minutes, then under control I could enable and disable at will and watch the load jump up and down.

    Bottom line, don't traffic restrict by more than 10 - 20% :)

    If the shaping was done differently, e.g. not shaping at all but actually affecting the driver in the container to only try to use xx mbit, then maybe it would work, but as that is in userland control it will never work.

  • I don't think you will have luck tagging @solusvm, he has made it very clear that he doesn't like this forum (or its members). Maybe you should also post this on their support forum (if they have one) or WHT.

  • AnthonySmith Member, Patron Provider
  • Nice effort there @anthonysmith. Did you look at arpwatch? source here: http://ee.lbl.gov/ available in most UNIX distros as a package.

  • AnthonySmith Member, Patron Provider

    @craigb I did come across it a while back; the documentation is pretty poor though, and it will not work with Xen/SolusVM out of the box.

  • KuJoe Member, Host Rep

    Thanks @AnthonySmith! :)

  • AnthonySmith Member, Patron Provider

    Heh, just finished setting it up on all the nodes; caught 2 more IP thieves that otherwise would have gone undetected :)

  • Awesome stuff, thank you @AnthonySmith

  • @AnthonySmith

    I would like to see this work for KVM as well. What do you need to test this on KVM?

  • Thanks Anthony and Joe.

  • @gsrdgrdghd said: I don't think you will have luck tagging @solusvm, he has made it very clear that he doesn't like this forum (or its members).

    One company used this forum to blast their product without any proof, to cover up their shortcomings. Why would you come back?

  • @soluslabs still comes back to read but not post, I guess. Last Active 12:31PM

  • For KVM, it should be possible to extract the valid/legit IP & MAC info from the /etc/dhcpd.conf file.

    This is the format of each record:

    host kvm187.0 {
        hardware ethernet ab:cd:ef:12:34:56;
        option routers xx.xx.xx.xx;
        option subnet-mask 255.255.255.0;
        fixed-address 12.34.56.78;
        option domain-name-servers 8.8.8.8,8.8.4.4;
    }

    So to create the /tmp/authlist file, we'd need @joepie91's python magic to take the above format and extract the appropriate values so that it looks like this:

    12.34.56.78 ab:cd:ef:12:34:56

    That would only help with the main IPs though. Additional IPs can only be extracted from the SolusVM database (or API?).
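The two pieces described in this thread, the authlist build from dhcpd.conf host records proposed in this post and the detection logic the original post describes (touch every IP in the node range, dump the ARP cache, exclude the gateway, diff against the authorised IP/MAC list, report mismatches), as one added Python example. This is not the script linked in the thread nor @joepie91's cleanup script; the dhcpd.conf excerpt and the `arp -an` output are constructed samples, and the node range and gateway are assumed values.

```python
"""Build an authorised IP->MAC list from dhcpd.conf host records and diff it
against an ARP cache dump to spot IP stealing on a virtualisation node.

Added example for this thread, not the original script. Sample inputs below
are constructed; the node range and gateway are assumed values."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed dhcpd.conf excerpt in the record format quoted in the thread.
SAMPLE_DHCPD_CONF = """
host kvm187.0 {
    hardware ethernet ab:cd:ef:12:34:56;
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;
    fixed-address 10.0.0.50;
    option domain-name-servers 8.8.8.8,8.8.4.4;
}
host kvm188.0 {
    hardware ethernet AB:CD:EF:12:34:57;
    fixed-address 10.0.0.51;
}
"""

# Constructed `arp -an` output (Linux format) taken after every IP in the
# range has been touched, so the cache holds whoever actually answers.
SAMPLE_ARP_DUMP = """
? (10.0.0.1) at 00:11:22:33:44:55 [ether] on br0
? (10.0.0.50) at aa:bb:cc:dd:ee:ff [ether] on br0
? (10.0.0.51) at ab:cd:ef:12:34:57 [ether] on br0
? (10.0.0.52) at ab:cd:ef:12:34:57 [ether] on br0
? (10.0.0.53) at <incomplete> on br0
"""

NODE_RANGE = "10.0.0.0/24"   # assumed node range
GATEWAY = "10.0.0.1"         # assumed gateway, excluded from the diff

HOST_BLOCK = re.compile(r"host\s+\S+\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;")
IP_RE = re.compile(r"fixed-address\s+([0-9.]+)\s*;")
ARP_RE = re.compile(r"\(([0-9.]+)\)\s+at\s+([0-9a-fA-F:]{17})")


def parse_dhcpd_conf(text: str) -> Dict[str, str]:
    """Map fixed-address -> hardware ethernet for every complete host block."""
    auth: Dict[str, str] = {}
    for body in HOST_BLOCK.findall(text):
        mac, ip = MAC_RE.search(body), IP_RE.search(body)
        if mac and ip:
            auth[ip.group(1)] = mac.group(1).lower()   # normalise MAC case
    return auth


def format_authlist(auth: Dict[str, str]) -> str:
    """Render the map as '<ip> <mac>' lines, the /tmp/authlist format from the thread."""
    return "\n".join(f"{ip} {auth[ip]}" for ip in sorted(auth, key=ipaddress.ip_address))


def ips_to_touch(cidr: str, gateway: str) -> List[str]:
    """Every host address in the node range except the gateway; the script pings
    each one so that the ARP cache records who is actually answering for it."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts() if str(h) != gateway]


def parse_arp_dump(text: str) -> Dict[str, str]:
    """Map ip -> mac for resolved entries; '<incomplete>' lines carry no MAC and are skipped."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(text)}


def find_ip_theft(auth: Dict[str, str], arp: Dict[str, str], gateway: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac_seen, mac_expected) for every IP answered by the wrong MAC;
    mac_expected is 'unassigned' when nobody should be using that IP at all."""
    findings = []
    for ip, seen in arp.items():
        if ip == gateway:
            continue
        expected = auth.get(ip, "unassigned")
        if seen != expected:
            findings.append((ip, seen, expected))
    return findings


def render_report(findings: List[Tuple[str, str, str]]) -> str:
    """Plain-text body suitable for the alert e-mail the script sends."""
    if not findings:
        return "No IP/MAC mismatches found."
    lines = ["IP stealing suspected on this node:"]
    for ip, seen, expected in findings:
        lines.append(f"  {ip} answered by {seen}, expected {expected}")
    return "\n".join(lines)


if __name__ == "__main__":
    authorised = parse_dhcpd_conf(SAMPLE_DHCPD_CONF)
    print(format_authlist(authorised))
    # In production: ping each address from ips_to_touch(), then run `arp -an`
    # and feed its output to parse_arp_dump() instead of the sample below.
    print(render_report(find_ip_theft(authorised, parse_arp_dump(SAMPLE_ARP_DUMP), GATEWAY)))
```

The sample catches both cases the thread cares about: an assigned IP answered by a MAC other than the customer's (10.0.0.50) and an IP that nobody was assigned answering at all (10.0.0.52). As the post notes, dhcpd.conf only covers main IPs, so additional IPs would still need to be merged into the authorised map from the SolusVM database before the diff.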

  • Spirit Member
    edited December 2012

    @bamn said: One company used this forum to blast their product without any proof, to cover up their shortcomings. Why would you come back?

    Also, the more they respond and the more they explain, the more they get attacked, so you're right - why would anyone come back under those conditions anyway?

  • joepie91 Member, Patron Provider

    @Spirit said: Also, the more they respond and the more they explain, the more they get attacked, so you're right - why would anyone come back under those conditions anyway?

    If they'd cared about writing proper software, they'd have responded welcoming towards criticism, and tried to fix it. They clearly don't, and choose to avoid it instead.

  • Spirit Member
    edited December 2012

    [joepie91] guess they're mad that they got criticized...
    [AsadH] joepie91, after he responds he just gets criticized more :P
    [Wintereise] Makes sense to not respond
    [Wintereise] If you ask me
    [Wintereise] LET is full of idiots and douchebags.
    [Wintereise] So meh.

    That's more or less all about this topic.

  • joepie91 Member, Patron Provider
    edited December 2012

    @Spirit said: [joepie91] guess they're mad that they got criticized...

    [AsadH] joepie91, after he responds he just gets criticized more :P
    [Wintereise] Makes sense to not respond
    [Wintereise] If you ask me
    [Wintereise] LET is full of idiots and douchebags.
    [Wintereise] So meh.

    That's more or less all about this topic.

    Then let's not forget what came after.

    <joepie91>then maybe they shouldn't have lingered about not giving a shit for so long
    <joepie91>honestly, pretty much all criticism I've seen solusvm get on LET, was justified
    <joepie91>so far
    
  • Spirit Member
    edited December 2012

    It makes no difference. You will be a douchebag in response to them no matter what the Solus guy says. It's in your nature :) Now go and write a "brilliant" response and then share the link on IRC (as you usually do) to show others how cool you are :)

  • @AnthonySmith said: @soluslabs maybe you could look at the logic behind this and implement an alternative method rather than ebtables which will not block obviously but will at least alert.

    Thanks Ant I'll take a look :)

    -Phill

  • joepie91 Member, Patron Provider

    @Spirit said: It makes no difference. You will be a douchebag in response to them no matter what the Solus guy says. It's in your nature :) Now go and write a "brilliant" response and then share the link on IRC (as you usually do) to show others how cool you are :)

    It's funny how people always automatically disregard any reason I give for criticizing someone, and just assume I have some kind of grudge that magically appears for some people and not for others, and the reason I give cannot possibly be a valid reason.

    Makes total sense.

  • AnthonySmith Member, Patron Provider

    First person who can find 10 threads on LET that have not turned slightly negative in under 24 hours wins a free 128MB VPS for a year.

    Posting this at 22:20 GMT+0 you have 1 hour.

    :)

    grouphug

  • AnthonySmith Member, Patron Provider

    @NHRoel

    That's 1 :)

  • Oh you meant 10?

  • AnthonySmith Member, Patron Provider

    @XFS_Brian said: I would like to see this work for KVM as well. What do you need to test this on KVM?

    root access to a KVM node running SolusVM :)
