ARP proxy going rogue, part 2: tracing the kernel
Introduction
This is a story of ARP proxy going rogue. Writing down that story took more than I expected, so it’s split into two different posts.
In the first part I explained what proxy ARP is and how it’s used in GRNET Ganeti clusters to provide public IPv4 to guest VMs. I referred to the incident of a certain host hijacking all IPv4 addresses within a VLAN.
In this second part I track down this particular behavior by reading the Linux source code, setting up a Debian Buster testbed environment with network namespaces, and playing around with Python Scapy, the eBPF Compiler Collection toolkit and Linux kernel static tracepoints.