qemu Guest on proxmox/qemu/kvm: foreign traffic reported by tcpdump

Hello,

I am trying to explain a strange behaviour I see with a FreeBSD guest I have on an external hypervisor.

My guest seems to work correctly now. I had to play with the receive and transmit checksum options for the external interface.

My guest's configuration:
FreeBSD 11.4 amd64 with virtio devices (disk, iface, ... )

I don't have access to the host. I'm just hosted on this hypervisor. I just know it is a proxmox host.

When I do a tcpdump on the external interface (vtnet0), I see a lot of traffic that is not for my node. I mean it's not only broadcast traffic but also packets for different services and different nodes.

Following is a part of a capture session:
Code:
reading from file ./issuetraff.dump, link-type EN10MB (Ethernet)
21:02:38.532822 IP xxx.xxx.xxx.12.41080 > xxx.xxx.xxx.203.3389: tcp 0
21:02:38.552592 IP xxx.xxx.xxx.22.13647 > xxx.xxx.xxx.60.8082: UDP, length 85
21:02:38.552614 IP xxx.xxx.xxx.17.53476 > xxx.xxx.xxx.217.3389: tcp 0
21:02:38.569288 IP xxx.xxx.xxx.13.43634 > xxx.xxx.xxx.217.7533: tcp 0
21:02:38.595649 IP xxx.xxx.xxx.244.2655 > xxx.xxx.xxx.37.445: tcp 0
21:02:38.600504 STP 802.1s, Rapid STP, CIST Flags [Proposal, Learn, Forward, Agreement], length 102
21:02:38.629172 IP xxx.xxx.xxx.144.3389 > xxx.xxx.xxx.8.3389: tcp 0
21:02:38.696554 IP xxx.xxx.xxx.74.54712 > xxx.xxx.xxx.40.445: tcp 0
21:02:38.700867 ARP, Request who-has xxx.xxx.xxx.123 tell xxx.xxx.xxx.122, length 46
21:02:38.779324 IP xxx.xxx.xxx.102.60373 > xxx.xxx.xxx.88.3389: tcp 0
21:02:38.798619 IP xxx.xxx.xxx.25.52563 > xxx.xxx.xxx.86.7193: tcp 0
21:02:38.802164 IP xxx.xxx.xxx.13.41912 > xxx.xxx.xxx.203.3389: tcp 0
21:02:38.807355 IP xxx.xxx.xxx.198.50893 > xxx.xxx.xxx.77.49189: tcp 0
21:02:38.819390 IP xxx.xxx.xxx.208.57691 > xxx.xxx.xxx.37.443: tcp 0
21:02:38.852833 IP xxx.xxx.xxx.64.32963 > xxx.xxx.xxx.186.25718: tcp 0
21:02:38.858586 IP xxx.xxx.xxx.90.64090 > xxx.xxx.xxx.7.445: tcp 0
21:02:38.859531 IP xxx.xxx.xxx.11.56320 > xxx.xxx.xxx.217.3389: tcp 0
21:02:38.887149 IP xxx.xxx.xxx.9.63480 > xxx.xxx.xxx.186.13000: tcp 0
21:02:38.909718 IP xxx.xxx.xxx.13.43634 > xxx.xxx.xxx.66.7565: tcp 0
21:02:38.968935 IP xxx.xxx.xxx.225.34664 > xxx.xxx.xxx.88.3389: tcp 0
21:02:38.985969 IP xxx.xxx.xxx.12.59700 > xxx.xxx.xxx.203.3389: tcp 0
21:02:39.013863 IP xxx.xxx.xxx.208.43929 > xxx.xxx.xxx.244.23: tcp 0
21:02:39.022850 IP xxx.xxx.xxx.76.50995 > xxx.xxx.xxx.105.52869: tcp 0
21:02:39.039853 IP xxx.xxx.xxx.17.59146 > xxx.xxx.xxx.203.3389: tcp 0
21:02:39.079838 IP6 fe80::250:56ff:fe00:1f8.546 > ff02::1:2.547: UDP, length 104
21:02:39.080307 IP6 fe80::250:56ff:feb6:f99d > ff02::1:ff00:1f8: ICMP6, neighbor solicitation, who has fe80::250:56ff:fe00:1f8, length 32
21:02:39.102900 IP xxx.xxx.xxx.105.38830 > xxx.xxx.xxx.203.3389: tcp 0
21:02:39.111294 IP xxx.xxx.xxx.16.59492 > xxx.xxx.xxx.217.3389: tcp 0
21:02:39.112860 IP xxx.xxx.xxx.93.15290 > xxx.xxx.xxx.30.445: tcp 0
21:02:39.131126 IP xxx.xxx.xxx.180.64577 > xxx.xxx.xxx.244.445: tcp 0

Source traffic is from nearly all over the world. Destination traffic is for the same range of addresses my IP belongs to. For both source and destination, I exclude broadcast/multicast/ARP traffic from the analysis, because that is more normal traffic.

Another point is that, from the capture, traffic is only seen in one direction: from "world" to "ip range" and not the opposite.

I wonder how this is possible? I mean I shouldn't see all this coming to my host except the broadcast/multicast/ARP traffic. Or am I missing something?

Maybe someone has an idea to explain that.

Thanks,
K.
 
Do you see the ARP also? Is the MAC address the same for all clients? Seeing the rest of the traffic means that the virtual switch is not isolating the guest machines from each other, and there may be the possibility of ARP poisoning or address spoofing, which is a security issue. You should not see such traffic on the interface, and it is better to contact your hosting provider and let them know.

You can also try verbose mode on tcpdump to check if you see the actual data in those packets. If you see it, you actually can sniff the traffic in one direction... which is not good.
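The analysis the original poster describes (set broadcast/multicast/ARP aside, look at what unicast remains, and check whether it ever flows back), together with the direction check suggested in the reply, as an added Python example that is not from the thread. It parses lines in the tcpdump format quoted above; the sample capture, the guest address 198.51.100.10 and its /24 are constructed stand-ins.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the tcpdump format quoted above (documentation ranges replace the masked xxx.xxx.xxx).
SAMPLE = """\
21:02:38.532822 IP 203.0.113.12.41080 > 198.51.100.203.3389: tcp 0
21:02:38.552592 IP 203.0.113.22.13647 > 198.51.100.60.8082: UDP, length 85
21:02:38.700867 ARP, Request who-has 198.51.100.123 tell 198.51.100.122, length 46
21:02:39.079838 IP6 fe80::250:56ff:fe00:1f8.546 > ff02::1:2.547: UDP, length 104
21:02:39.102900 IP 203.0.113.105.38830 > 198.51.100.203.3389: tcp 0
21:02:39.150000 IP 203.0.113.9.55000 > 198.51.100.10.22: tcp 0
21:02:39.200000 IP 203.0.113.7.40000 > 198.51.100.40.445: tcp 0
21:02:39.250000 IP 198.51.100.40.445 > 203.0.113.7.40000: tcp 0
21:02:39.300000 IP 198.51.100.7.68 > 255.255.255.255.67: UDP, length 300
"""
LINE_RE = re.compile(r"^\S+ IP6? (\S+) > (\S+): ")  # "<time> IP src.port > dst.port: ..."

def parse(line):
    """Return (src, dst) without ports for IP/IP6 lines, else None; the last dot separates the port."""
    m = LINE_RE.match(line)
    return tuple(t.rsplit(".", 1)[0] for t in m.groups()) if m else None

def classify(pair, me, net):
    if pair is None:
        return "link-layer (ARP/STP/...)"
    src, dst = map(ipaddress.ip_address, pair)
    if dst.is_multicast or dst in (net.broadcast_address, ipaddress.ip_address("255.255.255.255")):
        return "broadcast/multicast"
    if dst == me:
        return "unicast to me"
    if src == me:
        return "unicast from me"
    # Unicast between third parties: a bridge that isolates its ports never hands this to the guest.
    return "foreign unicast into my range" if dst in net else "foreign unicast other"

def summarize(capture, my_ip="198.51.100.10", my_net="198.51.100.0/24"):
    """Count each traffic class and find foreign flows that appear in both directions."""
    me, net = ipaddress.ip_address(my_ip), ipaddress.ip_network(my_net)
    counts, flows = Counter(), set()
    for line in capture.splitlines():
        pair = parse(line)
        kind = classify(pair, me, net)
        counts[kind] += 1
        if kind.startswith("foreign"):
            flows.add(pair)
    # Foreign flows with no reply in the capture match the one-way leak described in the thread.
    two_way = {f for f in flows if (f[1], f[0]) in flows}
    return counts, flows, two_way
```

On a live guest the same classification can be fed from `tcpdump -n -i vtnet0` output; a large "foreign unicast" bucket with few two-way flows is the pattern to report to the provider.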
 
Do you see the ARP also?
I see ARP packets as shown in the sample above. Like the other traffic sniffed, they are only in one direction (ARP requests).

Is the MAC address the same for all clients?
After testing some IP addresses I can't find duplicates. In addition, a part of the traffic seems to be for non-existing nodes or maybe somewhere else (no reply to pings and/or no resolution for ARP requests).

As for the rest of your reply, I plan to let them know, but first I wanted to understand what is happening. It's the first time I have seen such a behaviour.

You can also try verbose mode on tcpdump to check if you see the actual data in those packets. If you see it, you actually can sniff the traffic in one direction... which is not good.
Unfortunately, yes, I can see it. There are not so many packets with valuable data, but there are some. Most of them are packets with a zero-length payload and uncommon flags.
 