Troubleshooting Denial of Service attack in virtual infrastructure cluster
Article ID: 330048
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
This article provides guidance on the physical switch configuration in unique scenarios discussed in Symptoms section.
Symptoms:
- With a Physical Switch, the Spanning Tree Protocol is enabled to avoid any loops in the network. Typically, network loops are created when customers connect two or more ports of the same switch to an adjacent switch. This loop scenario creates havoc in the network because the same packet is bounced around the loop and ultimately brings the network down. Spanning Tree Protocol detects such loops and blocks certain switch ports to remove the loops. VMware Virtual Switch does not support Spanning Tree Protocol because it differs from the Physical switch in terms of transparent bridging function and topology learning. Virtual Switch has the knowledge where each MAC address is connected to and does not depend on the learning through packet headers and also does not create loops. As a networking best practice, customers should do this configuration on their physical switches:
- Use PortFast on an ESXi host-facing physical switch ports. With this setting, network convergence on these switch ports takes place quickly after the failure because the port will enter the STP forwarding state immediately, bypassing the listening and learning states.
- Use the PortFast Bridge Protocol Data Unit (BPDU) guard feature to enforce the STP boundary. This configuration protects against any invalid device connection on the ESXi host-facing access switch ports. As previously mentioned, VDS does not support STP, so it does not send any BPDU frames to the switch port. However, if any BPDU is seen on these ESXi host-facing access switch ports, the BPDU guard feature puts that particular switch port in error-disabled state. The switch port is completely shut down and prevents affecting the Spanning Tree Topology.
- This setting of PortFast and BPDU Guard causes issues in customer's virtual infrastructure when a virtual machine starts sending BPDU frames and in turn disables the physical switch port on which the virtual machine traffic is sent across. When the VMware vSphere infrastructure detects the physical switch port failure, it moves the virtual machine traffic to another vmnic connected to another physical switch port. Now the BPDU packets are seen on this new physical switch port and the switch blocks that port too. This ultimately causes a Denial of Service attack situation across the virtual infrastructure cluster.
- In a data center that hosts virtualized servers on the vSphere platform, the default configuration of PortFast and BPDU guard is the recommended configuration. Virtual servers with applications running on them are less prone to generate BPDU frames. However, there are two other scenarios where BPDU frames can be generated in the virtual infrastructure.
- Valid use case: Customers deploying VPN that is connected through a Windows Bridge device or Bridge function running on a virtual machine.
- Security vulnerability: Virtual machine is generating BPDUs.
Cause
The DoS attack occurs in the deployments where a client VPN software is running on a virtual machine and BPDU guard is enabled on physical switches.
This issue may also occur if a virtual machine is compromised and begins sending BPDU packets.
Resolution
This section provides information on unique use cases and the recommended configurations.
Use Case 1: Default (No VPN and no Bridging function on a virtual machine)
On the Virtual Switch:
- Under Security Properties of the port group, change Forged Transmit to Reject. This configuration stops the BPDU frames going out to the physical switch ports.
On the Physical Switch:
- Keep the PortFast and BPDU guard configuration.
Use Case 2: To resolve the issue of VPN deployment on a virtual machine, you must do these configuration changes:
On the Virtual Switch
- Under Security Properties of the port group, change Forged Transmit to Accept. This configuration allows the BPDU frames to go out on the physical switch ports.
On the Physical Switch
- Keep the PortFast configuration.
- Configure BPDU filter on individual physical switch port. With this configuration, when a BPDU is received on the physical port, those packets are filtered out. Do not configure BPDU filter globally. If configured globally, the PortFast mode is disabled and all physical switch ports perform full STP functions.
Use Case 3: Bridge
Bridge running on a virtual machine with two vnics connected to the same layer 2 network. This is the suggested configuration with such deployments.
On the Virtual Switch
- Under Security Properties of the port group, change Forged Transmit to Accept. This configuration allows the BPDU frames to go out on the physical switch ports.
On the Physical Switch
- Do not choose PortFast configuration. Run STP on the ports where the virtual bridge device is connected to the external switch ports.
- Do not choose BPDU guard or BPDU filter.
Use Case 4: In Security Vulnerability cases, this configuration protects from any DoS attack
On the Virtual Switch
- Under security properties of the port group, change Forged Transmit to Reject. This configuration stops the BPDU frames that go out on the physical switch ports with different source MAC address.
On the Physical Switch
- Keep the PortFast configuration.
- Configure BPDU filter on an individual physical switch port. With this configuration, when a BPDU is received on the physical port, those packets are filtered out. Do not configure BPDU filter globally. If configured globally, the PortFast mode is disabled and all physical switch ports perform full STP functions.
Some customers may experience more than one of the issues described in the use cases while running in their virtual infrastructure. These customers can support various use cases by creating different port group configurations for each use case. Customers can define the security specific configuration such as Forged Transmit as Reject or Accept per port group. Depending on the physical switch port configuration requirements, customers can assign the same or different physical NICs to these port groups.
For example, if customers have default use cases 1 and 2 in their environment, they can create two different port groups and configure the Forged Transmit Reject on one port group and Forged Transmit Accept on another. Due to the separate configuration required on the physical switch port side, customers have to associate different physical NICs with the different port groups in this deployment.
Additional Information
For information on BDPU filters, see vSphere 5.1 – VDS New Features – BPDU Filter
For more information on STP, see Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches
Note: The preceding link was correct as of Sep 11, 2015. If you find the link is broken, provide a feedback and a VMware employee will update the link.
Note: The preceding link was correct as of Sep 11, 2015. If you find the link is broken, provide a feedback and a VMware employee will update the link.
Impact/Risks:
Caution: Be aware of the following risks stemming from the described configuration changes:
- Forged Transmit Accept setting to help the deployment of VPN use case opens a security hole where the compromised virtual machine can perform spoofing attacks.
- BPDU Filter configuration on an individual switch port interface causes filtering of BPDU frames and thus, stops loop detection across the network. The cases where there are loops created in the virtual infrastructure when a virtual machine with two vnics are connected to the same layer, two networks are detected through the BPDU filter setting.
Feedback
Yes
No
Powered by
