Re: IP Spoofing and IP Theft

Thu, 18 May 2023 07:05:53 -0700 

Hello Willard,
ACS has the configuration `api.allowed.source.cidr.list` which is a comma-separated list of IPv4/IPv6 CIDRs from which API calls can be performed. Therefore, it is possible to filter from which IP addresses the ACS will accept calls; this parameter is also configurable at the account level. 


However, the implementation of this feature uses the de-facto standard 
`X-Forwarded-For` HTTP header for getting the client IP address, and ACS 
will use whatever IP is sent in this header for filtering. Thus, this IP 
needs to be treated before reaching the ACS management server. This can 
be done in the proxy/load balancer server by checking if the IP passed 
in the `X-Forwarded-For` header matches the remote address, for example. 
Blindly accepting the header `X-Forwarded-For` is a security risk[1], 
this header is only safe when it was built from a trusted node, usually 
the first wall of defense, i.g. a firewall.



In short, ACS does not have built-in protection for IP spoofing; this 
needs to be done before the request reaches the ACS, either in a proxy 
server or firewall.



Regarding IP theft, it is proposed in issue #7369[2] and implemented in 
PR#7378[3] a functionality called public IP quarantine. This feature is 
useful for preventing IP theft, as it keeps a public IP in quarantine 
for a configurable period, which only allows the owner of the IP to 
allocate during the quarantine duration. Therefore, this feature 
prevents a user to impersonate another user by using its public IP, as 
it will be in quarantine.


Best regards,
Bryan


[1] 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#security_and_privacy_concerns

[2] https://github.com/apache/cloudstack/issues/7369
[3] https://github.com/apache/cloudstack/pull/7378

On 18/05/2023 10:20, Jithin Raju wrote:

Hi Willard,

I believe there is something implemented using iptables,ebtables to prevent IP 
spoofing for security group enabled zones. You need to take this into account 
if you are using security group enabled zones.

-Jithin

From: Will Conrad <[email protected]>
Date: Thursday, 18 May 2023 at 1:08 PM
To: [email protected] <[email protected]>
Subject: IP Spoofing and IP Theft
Hello Community!

It looks like cloudstack has built-iin protection to prevent IP spoofing, I
am wondering what kind (if any) of protections cloudstack has built-in to
protect the environment from IP theft, or is this a consideration that
should be taken into account when designing the network layout and
offerings for tenants?

Regards,

Willard Conrad
DevOps Engineer
Hivelocity, LLC






















					Reply via email to