I rent a dedicated server from a hosting provider. I ran wireshark on my server so that I could see incoming HTTP traffic that was destined to my server.
Once I ran wireshark and filtered for HTTP I noticed a load of traffic, but most of it was not for stuff that was hosted on my server and had a destination IP address that was not mine, there were various source IP addresses. My immediate reaction was to think that somebody was tunnelling their HTTP traffic through my server somehow.
However when I looked closer I noticed that all of this traffic was going to hosts on the same subnet and all of these IP addresses belonged to the same hosting provider that I was using.
So it appears that wireshark was intercepting traffic destined for other customers whose servers are attached to the same part of the network as mine.
Now I always assumed that on a switch-based network this should not happen, as the switch will only send data to the required host and not to every box attached.
I assume in this case that other customers would also be able to see data going to my server. As well as potential privacy concerns, this would surely make ARP poisoning easy and allow others to steal IP addresses (and therefore domains and websites)?
It would seem odd that a network provider would configure the network in such a way. Is there a more rational explanation here?
Clearly what you have described is a very bad practice for a shared environment and I would take it up with your hosting provider.
The most reasonable explanation would be a load balancer, possibly a high availability firewall in load sharing mode within the same network segment using a multicast MAC address with a unicast IP address for routing. By using a multicast MAC more than one firewall can see the traffic and they would implement their own load balancing algorithm so online cluster members each only respond to a part of the traffic. The unicast IP address is attached to a virtual IP for the purpose of routing. Because the IP resolves to a multicast MAC, any traffic sent to it gets multicast on the local segment and picked up by one of the cluster nodes.
I have seen this configuration before, however without knowing the network it is only a guess, but the most likely given it is a hosting provider.
One example is NLB http://technet.microsoft.com/en-us/library/bb742455.aspx however I know Check Point firewalls in some configurations as well as a handful of other products that do the same.
Reiterating though, it is an insecure configuration for a shared hosting model.
Switches work like this:
By default, they operate as a hub; all traffic goes out all interfaces. But once traffic comes inbound with a given source MAC, traffic destined for that MAC will only go out that interface. If a given MAC is seen on multiple interfaces, it will go out on both; possibly eventually resetting and only going out the one where traffic was most recently seen.
That's the default behavior. It's the only behavior for cheaper hardware, but managed switches can be configured to your heart's content. So anything is possible. Note that at no point did I mention IP addresses; switches traditionally work on layer 2, not 3. Expensive managed switches can blur the line with routers, but traditionally they only worry about MAC addresses. However, poor configuration can override the typical switching behavior and do away with any sort of host isolation.
There's one other thing worth mentioning though: A bridge. How is that relevant? It matters if your hardware is virtualized, as is becoming increasingly common even with "dedicated" (definitely in air quotes) hosting providers. Specifically, VMs are connected to the network either by co-opting the network adapter or by attaching to a virtual network within the box, typically set up as a bridge. In both cases, all the VMs are on the same switch segment, which means packet-capture-palooza.
Finally, they could be using a hub. Yeah, probably not. But just sayin.
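One way to tell which of the explanations in the two answers above applies to a capture, as an added example that is not part of either answer: parse each captured Ethernet/IPv4 frame and look at the destination MAC. A multicast destination MAC carrying a unicast IP is the load-balancer/cluster pattern from the first answer, while a foreign unicast MAC points at flooding or a shared bridge/hub segment from the second. The server's own MAC/IP and the sample frames (including an NLB-style 03-BF multicast MAC) are constructed assumptions.

```python
import struct
from collections import Counter

MY_MAC = bytes.fromhex("001122334455")   # assumed: this server's NIC address
MY_IP = "203.0.113.10"                    # assumed: this server's IP (TEST-NET-3)

def build_frame(dst_mac_hex, src_mac_hex, src_ip, dst_ip):
    """Construct a minimal Ethernet II + IPv4 header (no payload) for the sample."""
    eth = bytes.fromhex(dst_mac_hex) + bytes.fromhex(src_mac_hex) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip

def classify(frame):
    """Label one captured frame by why it reached this host's interface."""
    dst_mac, ethertype = frame[:6], frame[12:14]
    if ethertype != b"\x08\x00":
        return "non-ipv4"
    dst_ip = ".".join(str(b) for b in frame[30:34])   # IPv4 dst at offset 14+16
    if dst_mac == b"\xff" * 6:
        return "broadcast"
    if dst_mac[0] & 0x01:
        # Group bit set: a multicast MAC carrying a unicast IP is the
        # load-balancer/cluster pattern; every port on the segment sees it.
        return "multicast-mac-unicast-ip"
    if dst_mac == MY_MAC and dst_ip == MY_IP:
        return "for-me"
    # Unicast MAC that is not ours: unknown-unicast flooding, or a shared
    # bridge/hub segment. This is the case worth raising with the provider.
    return "foreign-unicast"

def summarize(frames):
    """Count frames per category; a non-zero foreign-unicast count is the red flag."""
    return Counter(classify(f) for f in frames)

# Constructed sample capture (not real traffic). 03bfcb007165 follows the
# NLB multicast-mode convention 03-BF-<cluster IP> for cluster IP 203.0.113.101.
SAMPLE = [
    build_frame("001122334455", "0a0b0c0d0e0f", "198.51.100.7", "203.0.113.10"),
    build_frame("03bfcb007165", "0a0b0c0d0e0f", "198.51.100.8", "203.0.113.101"),
    build_frame("03bfcb007165", "0a0b0c0d0e10", "198.51.100.9", "203.0.113.101"),
    build_frame("66778899aabb", "0a0b0c0d0e11", "198.51.100.10", "203.0.113.20"),
    build_frame("ffffffffffff", "0a0b0c0d0e12", "198.51.100.11", "203.0.113.255"),
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE).items()):
        print(f"{label:26s} {n}")
```

On a real capture, replace SAMPLE with raw frames read from a pcap and, if "foreign-unicast" dominates, that is the evidence to take to the provider.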