Hi,

Today, I discovered that a certain large ISP specializing in cloud hosting (
digitalocean.com), has misconfigured their network in a way that allows for
anyone to monitor customer network traffic. Per the guidelines of
responsible disclosure, I have informed the ISP in question both when I
first noticed the issue, and also before going public with the information.
As I am sure some of this info has already trickled out (or is perhaps
already common knowledge - if so, I apologize), I feel it is paramount to
get this information out there, so that customers and others who feel this
is not something they want, can act accordingly (or at least take
counter-measures to protect their information).

What happened:

I ordered a cloud vps (a very affordable one at that, I must say) at
digitalocean.com, using the NYC node. During the process of checking MySQL
replication between master and slave, I noticed there was a lot of
background noise in tcpdump. I kept looking and when I eliminated the ports
I was using, what was left was somewhat worrying. It seems DigitalOcean
has, using KVM and libvirt per their own recognition, put the
libvirt-interface in an overly large bridge, and then kept applying more
and more networks (multiple /24, it seems). While this might be a
convenient way of assigning new networks to an ever-growing customer stock,
it also sort of turns the entire thing into an amateur radio station (using
the word amateur here to denote the activity, not the skill level of
Digitalocean staff!).

I want to make one thing clear. This is one of the better cloud shops I
have used (and I have used a lot). They seem to have excellent support,
provide what they claim to provide, and my billing there so far amounts to
less than a dollar (even though I've fiddled with lots of stuff). HOWEVER,
this does not mean that I want to be able to read what goes on with various
mail, ircd, web and Microsoft sql servers, in networks far outside of my
logical reach, as a customer with one IPv4.

I am not an angry ex-customer. I will keep using their services, if this is
fixed. Which is exactly why I am sending this email. I hope that it might
add extra motivation, before someone gets their environment hacked. The way
it is now, anyone even remotely interested, could fire up a VPS in less
than a minute, and have full sniffing capabilities with hundreds (if not
thousands) of servers. All while customers are using said servers to
develop what I can only assume is important enough to host in a cloud.

I will not paste logs as that would add nothing to my disclosure, more than
a possibility to exploit innocent users. I wish to encourage the community
to take a few steps back and not engage in target practice, while
Digitalocean undoubtedly remedies this situation (I have been in contact
with them repeatedly before coming here).

I hope that this helps, for whatever it's worth. I will happily answer any
followups, as long as they do not include requests for additional probes.
This is where my involvement ends. I leave this information in the hands of
the community, and Digitalocean (who I hope reads this list).


Best Regards,
-- 
Johan Boger