Switch – Seeing traffic destined for other people’s servers in wireshark


I rent a dedicated server from a hosting provider. I ran wireshark on my server so that I could see incoming HTTP traffic that was destined to my server.

Once I ran wireshark and filtered for HTTP I noticed a load of traffic, but most of it was not for stuff that was hosted on my server and had a destination IP address that was not mine, there were various source IP addresses. My immediate reaction was to think that somebody was tunnelling their HTTP traffic through my server somehow.

However when I looked closer I noticed that all of this traffic was going to hosts on the same subnet and all of these IP addresses belonged to the same hosting provider that I was using.

So it appears that wireshark was intercepting traffic destined for other customers whose servers are attached to the same part of the network as mine.

Now I always assumed that on a switch based network that this should not happen as the switch will only send data to the required host and not to every box attached.

I assume in this case that other customers would also be able to see data going to my server. As well as potential privacy concerns, this would surely make ARP poisoning easy and allow others to steal IP addresses (and therefore domains and websites)?

It would seem odd that a network provider would configure the network in such a way.
Is there a more rational explanation here?

Best Answer

Clearly what you have described is a very bad practice for a shared environment and I would take it up with your hosting provider.

The most reasonable explanation would be a load balancer, possibly a high-availability firewall in load-sharing mode within the same network segment using a multicast MAC address with a unicast IP address for routing. By using a multicast MAC, more than one firewall can see the traffic, and they would implement their own load-balancing algorithm so that online cluster members each only respond to a part of the traffic. The unicast IP address is attached to a virtual IP for the purpose of routing. Because the IP resolves to a multicast MAC, any traffic sent to it gets multicast on the local segment and picked up by one of the cluster nodes.

I have seen this configuration before, however without knowing the network it is only a guess, but the most likely given it is a hosting provider.

One example is NLB http://technet.microsoft.com/en-us/library/bb742455.aspx; however, I know Check Point firewalls in some configurations, as well as a handful of other products, do the same.

Reiterating though, it is an insecure configuration for a shared hosting model.
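The two explanations on this page leave different fingerprints in the capture: a cluster VIP such as NLB in multicast mode delivers frames whose destination MAC has the group (I/G) bit set while the destination IP is an ordinary unicast address, whereas a switch that is flooding, a mirrored port, or a hub-like segment delivers frames whose destination MAC is another host's unicast address. The script below is an added example, not code from the question or the answer; it parses raw Ethernet II/IPv4 frames and sorts them into those buckets so the asker can tell which case they are looking at. The MAC and IP addresses, the sample frames, and the 203.0.113.0/24 subnet are all constructed for illustration; the 03:bf:w:x:y:z form of the cluster MAC follows NLB's documented multicast-mode convention of encoding the cluster IP in the MAC.

```python
"""Classify captured Ethernet/IPv4 frames by why a host might have seen them.

Added example (not from the original question or answer). Buckets:
  ours               - destination MAC is our own NIC
  broadcast          - ff:ff:ff:ff:ff:ff
  ip-multicast       - group MAC carrying a multicast IP (normal, e.g. mDNS)
  cluster-multicast  - group MAC carrying a UNICAST IP: the NLB / cluster-VIP
                       pattern the answer describes
  flooded-unicast    - another host's unicast MAC: switch flooding, port
                       mirroring or a hub-like segment; the genuinely worrying case
"""
import ipaddress
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Construct an Ethernet II frame with a minimal IPv4 header (proto 6, no options).
    Used only to fabricate sample input; a real run would read frames from a pcap."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
    )
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_header + payload


def parse_frame(frame):
    """Return dst/src MAC and, for IPv4 frames, the dst/src IP (fixed header offsets)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {
        "dst_mac": mac_str(frame[0:6]),
        "src_mac": mac_str(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "src_ip": None,
        "dst_ip": None,
    }
    if info["ethertype"] == ETHERTYPE_IPV4 and len(frame) >= 34:
        info["src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))   # IPv4 header bytes 12..15
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))   # IPv4 header bytes 16..19
    return info


def classify(frame, our_mac):
    p = parse_frame(frame)
    dst_mac = p["dst_mac"]
    if dst_mac == our_mac.lower():
        return "ours"
    if dst_mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    # I/G bit: least significant bit of the first octet; 1 means a group (multicast) address
    if int(dst_mac[:2], 16) & 0x01:
        if p["dst_ip"] and ipaddress.IPv4Address(p["dst_ip"]).is_multicast:
            return "ip-multicast"
        return "cluster-multicast"   # group MAC but unicast IP: NLB / cluster VIP pattern
    return "flooded-unicast"          # unicast MAC that is not ours


def summarize(frames, our_mac, our_subnet):
    """Count each bucket and collect unicast destinations on our subnet that are not us."""
    net = ipaddress.ip_network(our_subnet, strict=False)
    counts, foreign_in_subnet = Counter(), set()
    for frame in frames:
        kind = classify(frame, our_mac)
        counts[kind] += 1
        dst_ip = parse_frame(frame)["dst_ip"]
        if kind == "flooded-unicast" and dst_ip and ipaddress.IPv4Address(dst_ip) in net:
            foreign_in_subnet.add(dst_ip)
    return counts, foreign_in_subnet


# Constructed sample data (hypothetical addresses in documentation ranges).
OUR_MAC = "00:11:22:33:44:55"
OUR_SUBNET = "203.0.113.10/24"
SAMPLE_FRAMES = [
    build_frame(OUR_MAC, "00:de:ad:be:ef:01", "198.51.100.7", "203.0.113.10"),
    # NLB multicast mode: cluster IP 203.0.113.20 encoded as 03-bf-cb-00-71-14
    build_frame("03:bf:cb:00:71:14", "00:de:ad:be:ef:02", "198.51.100.8", "203.0.113.20"),
    build_frame("00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:03", "198.51.100.9", "203.0.113.30"),
    build_frame("ff:ff:ff:ff:ff:ff", "00:de:ad:be:ef:04", "203.0.113.1", "203.0.113.255"),
    build_frame("01:00:5e:00:00:fb", "00:de:ad:be:ef:05", "203.0.113.1", "224.0.0.251"),
]

if __name__ == "__main__":
    counts, foreign = summarize(SAMPLE_FRAMES, OUR_MAC, OUR_SUBNET)
    for kind, n in sorted(counts.items()):
        print(f"{kind:18s} {n}")
    print("unicast frames for other hosts on our subnet:", sorted(foreign))
```

If most of the foreign traffic lands in the cluster-multicast bucket, the answer's load-balancer explanation fits and the provider should still be asked why a cluster VIP shares a segment with customer servers. If it lands in flooded-unicast, other customers' unicast traffic really is reaching your port, which is the privacy and ARP-poisoning exposure the question raises. In Wireshark the same split can be eyeballed with the eth.dst.ig field (the group bit) combined with a check on whether ip.dst is a multicast address.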