Question

Is private networking secure against ARP/IP spoof attacks?

Posted October 26, 2017 1.6k views
Security, Networking

I’m wondering whether I can expect private networking to protect against ARP spoofing attacks (whether it’s validating that no one is claiming an IP that isn’t theirs on the eth1 network).

On the plus side, on AMS3 I don’t see any arp requests for other hosts being broadcasted when I’m listening to the private network - I only see direct requests. This tells me that there’s at least some sort of filtering in place.

On the minus side, there are posts like https://www.peerlyst.com/posts/arp-spoofing-docker-containers-philippe-bogaerts - I’m not about to replicate that without requesting permission first, but it looks like the filtering isn’t perfect.

There are a lot of posts out there recommending setting up iptables for the DO private network, which is sound advice in itself, but will not suffice if ARP spoofing is possible, as you can’t trust an IP address on the local subnet if people can mess with ARP. DO itself seems to recommend iptables, so you would think they assume ARP to be secure, but then there’s the peerlyst.com guy’s article.

So my question is:

  • Does DO actively try to prevent ARP spoofing on the private network? (Can I trust IP/ARP mapping)
  • Does DO promise to prevent ARP spoofing where possible, or is it more a ‘reasonable effort’ thing ?

I think the bottom line is: either we can trust the ARP filtering, and then iptables are good enough. Or we can’t, and the Internet should just delete all articles about private networking & firewalls, and just tell us to move completely to VPNs or other forms of encrypted + authenticated traffic, even on the private networks.

PS: I’ve read https://www.digitalocean.com/community/questions/how-secure-is-private-networking but that question appears to be about whether the private network is like a VPC/private VPN. That’s not my concern; I’m okay with the private network being shared and unfiltered at the IP level.
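The question above asks whether IP-to-MAC mappings on the private network can be trusted. Whatever the provider does, a host can at least verify this for itself by passively watching ARP traffic on its own interface, the way arpwatch does: remember the first MAC that answers for each IP, and alert when a later packet claims that IP from a different MAC, or when a reply shows up that no one asked for. The following is an added example (not code from the original post or from DigitalOcean): a small Ethernet/ARP frame parser and monitor run over a few constructed frames. The MAC and IP addresses, the `ArpWatch` class and the `build_arp` helper are all assumptions made for the example; on a real host you would feed `observe()` frames read from a raw socket or a pcap on eth1.

```python
import struct
from typing import Dict, List, Optional, Set

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[Dict[str, object]]:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.
    Returns None for non-ARP, truncated or unexpected-format frames."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": oper,
        "sha": _mac(frame[22:28]), "spa": _ip(frame[28:32]),
        "tha": _mac(frame[32:38]), "tpa": _ip(frame[38:42]),
    }


class ArpWatch:
    """Passive ARP monitor (hypothetical, arpwatch-style): records the first MAC
    seen for each IP and alerts when a later packet claims a different one, or
    when a reply arrives for which no request was observed."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}   # ip -> first MAC observed claiming it
        self.pending: Set[str] = set()    # IPs with an outstanding request
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> List[str]:
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return []
        new: List[str] = []
        ip, mac, op = pkt["spa"], pkt["sha"], pkt["op"]
        # Every ARP packet, request or reply, asserts "spa is at sha".
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            new.append(f"conflict: {ip} was {known}, now claimed by {mac}")
        if op == ARP_REQUEST:
            self.pending.add(pkt["tpa"])
        elif op == ARP_REPLY:
            if ip in self.pending:
                self.pending.discard(ip)
            else:
                new.append(f"unsolicited reply: {ip} is at {mac}")
        self.alerts.extend(new)
        return new


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a test frame as sample input for the parser (constructed data only;
    nothing is ever sent on a network)."""
    def mac_b(m: str) -> bytes:
        return bytes(int(x, 16) for x in m.split(":"))

    def ip_b(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))

    dst = mac_b(tha) if op == ARP_REPLY else b"\xff" * 6  # requests are broadcast
    eth = dst + mac_b(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_b(sha) + ip_b(spa) + mac_b(tha) + ip_b(tpa))
    return eth + arp


def run_sample() -> List[str]:
    """Constructed traffic: a normal request/reply exchange, then a third host
    claiming an IP that already resolved elsewhere, then a reply nobody asked for."""
    a, b, c, d = ("02:00:00:00:00:01", "02:00:00:00:00:02",
                  "02:00:00:00:00:03", "02:00:00:00:00:04")
    watch = ArpWatch()
    frames = [
        build_arp(ARP_REQUEST, a, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),
        build_arp(ARP_REPLY, b, "10.0.0.2", a, "10.0.0.1"),   # legitimate answer
        build_arp(ARP_REPLY, c, "10.0.0.2", a, "10.0.0.1"),   # conflicting and unsolicited
        build_arp(ARP_REPLY, d, "10.0.0.3", a, "10.0.0.1"),   # unsolicited only
        b"\x00" * 20,                                          # junk frame, ignored
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Two caveats a practitioner should keep in mind: a conflict alert also fires on legitimate events (a NIC replacement, a failover that moves an IP to another machine), so the monitor is evidence to investigate rather than proof of an attack; and passive monitoring tells you spoofing happened, it does not stop it, which is why the question's own framing (trust ARP and rely on iptables, or treat the segment as untrusted and authenticate traffic) is the right way to think about it.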


2 answers

Well, just got http://pages.news.digitalocean.com/n/NI000ELV0016F2D0zXN0d36 in my mail. Guess this should resolve my concerns next February.

Hi there,

I just came across this question. With the new DigitalOcean VPC networks, your resources are completely isolated from both other customers and other VPCs on your own account. See here for more details:

https://www.digitalocean.com/docs/networking/vpc/

It’s also worth pointing out that DigitalOcean private networks have provided account-level isolation since July 18, 2018. The big changes with the release of VPCs are:

  • You can create multiple VPCs that are isolated from each other
  • You can define the IP range for your VPCs yourself
