

DigitalOcean DNS/ARP Exposure - JosephRedfern

I'm not sure if this is an issue or not, but I noticed that running tcpdump on a DigitalOcean droplet shows you ARP and DNS requests. This lets you get a list of machines hosted by DigitalOcean... I might be way off here, but could this make DO vulnerable to ARP spoofing?

Made a quick video to demonstrate what I mean: http://www.youtube.com/watch?v=gmNaJCkGFOw
======
jeff_carr
Just FYI, I think what you are seeing is normal and ARP spoofing is still
being blocked. (Open a ticket anyway, we're happy to give people free hosting
credits for reporting bugs and security holes.)

-- Jeff Carr, Chief Architect, Digital Ocean Inc.

~~~
JosephRedfern
Cool, will do. I mentioned it on IRC, but I'll open a ticket too.

By the way - it's nice to see such a pro-active response from DO. Great work!

------
slyv
It might be wise to contact DigitalOcean support (or on their forums) before
posting this on a public forum that they probably will not read. Even if you
are completely wrong, there is no problem in letting their support know.

~~~
JosephRedfern
I mentioned it on the DO IRC channel; apparently it's being looked into.

