After upgrading to NSX-v 6.4.0, you see the error: "Possible DHCP DOS attack seen on the host. Please refer to NSX Manager and VM Kernel logs for details."
search cancel

After upgrading to NSX-v 6.4.0, you see the error: "Possible DHCP DOS attack seen on the host. Please refer to NSX Manager and VM Kernel logs for details."

book

Article ID: 321084

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
after upgrading to NSX-v 6.4.0, you see these symptoms:
  • You see the error:

    "Possible DHCP DOS attack seen on the host. Please refer to NSX Manager and VM Kernel logs for details."
     
  • In the /var/log/vsm.log file of the NSX Manager, you see entries similar to:

    2018-04-09 08:29:27.877 CDT  INFO SimpleAsyncTaskExecutor-1 HostEventsResponseHandler:206 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] Host event occurred {eventname: DHCP_STARV, eventType: swsec, eventdescription: Possible DHCP Dos Attack!,eventdata null, eventTtl null, at host: host-141153, at dvPortId 1568, sourceMac 00:50:56:ae:1d:1c1568, occurence 11, at time null}
     
  • In the /var/log/vmkernel.log file of the affected ESXi host, you see entries similar to:

    2018-02-27T04:39:04.957Z cpu21:1579031)WARNING: dvfilter-switch-security.throt: SwSecDhcpSnoopTx:600: nic-1579030-eth0-dvfilter-generic-vmware-swsec.1: Possible DHCP DosAttack on port 50331691(123) 1 times from Mac : 00:50:56:94:0f:69
    2018-02-27T04:42:00.312Z cpu21:1579031)WARNING: dvfilter-switch-security.throt: SwSecDhcpSnoopTx:600: nic-1579030-eth0-dvfilter-generic-vmware-swsec.1: Possible DHCP DosAttack on port 50331691(123) 1 times from Mac : 00:50:56:94:0f:69
    2018-02-27T04:42:03.314Z cpu13:687425)WARNING: nsx-dvfilter-switch-security: SwSecDhcpParse:255: nic-1579030-eth0-dvfilter-generic-vmware-swsec.1: No lease time option in DHCPACK
    2018-02-27T04:42:03.314Z cpu13:687425)WARNING: nsx-dvfilter-switch-security: SwSecDhcpParse:255: nic-1579030-eth0-dvfilter-generic-vmware-swsec.1: No lease time option in DHCPACK


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware NSX for vSphere 6.4.x

Cause

This issue occurs because a new DHCP DoS related security feature was introduced in NSX-v 6.4.0, that may report false positives.

Resolution

This is a known issue affecting VMware NSX for vSphere 6.4.x.

Currently, there is no resolution.

Workaround:
To work around this issue, disable these warning messages. You can disable these warning messages either through an API call or through the NSX Manager Central Command Line Interface.

Notes:
  • This command only disables the DoS attack alerts. No other functionality will be disabled.
  • You will no longer see the alerts on the dashboard and vsm.log file, although the vmkernel.log file will still log the alerts.
Through the API call
  1. To get the current status of the host notifications:
           
    GET https://<NSXMGR_IP>/api/2.0/hostevents
     
  2. To disable host notifications:

    POST https://<NSXMGR_IP>/api/2.0/hostevents

    Body:
    <hostEventsDto>
    <enabled>false</enabled>
    </hostEventsDto>
Through the NSX Manager Central Command Line Interface
  1. To get the current status:

    CLI: get host event notification status
     
  2. To enable/disable host notifications:

    CLI: set host event notification enable/disable


Additional Information

It is possible to track down a Guest VM DVPortID, from the CLI of an ESXi host that is being reported as impacted, using this command:

net-swsec --host-notifications -o getVMs

Example 1:

[root@vm:~] net-swsec --host-notifications -o getVMs
Affected DVPortIDs :
74

Track down the Guest VM connected to DVPortID 74, and determine if the DHCP DoS alert is valid.

Example 2:

[root@vm:~] net-swsec --host-notifications -o getVMs

Affected DVPortIDs :
No VMs under attack.


There are currently no Guest VMs on this ESXi host being reported as under a DHCP DoS attack.


Impact/Risks:
These are warning messages only, and have no operational impact on the your environment.

Collect a list of ESXi hosts and MAC addresses that are being reported, and confirm that they are valid Guest VM MACs or valid MACs allocated to an NSX Edge Services Gateway NIC.