VMware Networking Community
Finikiez
Champion

NSX 6.4 \ Possible DHCP DOS attack seen on the host

Hi everybody,

I have NSX 6.4 with several VXLANs and a software router between them (not an ESX Edge) without a route to the external network.

Since I've migrated everything from NSX 6.3 to NSX 6.4, I've been getting warnings with the following text:

"Possible DHCP DOS attack seen on the host. Please refer to NSX Manager and VM Kernel logs for details."

In NSX Manager's System Events I see messages like:

Event DHCP_STARV occurred 2400 times on host <hostname>

The vmkernel log refers to the MAC address of the software router:

2018-04-06T15:19:03.404Z cpu4:1167695)WARNING: dvfilter-switch-security.throt: SwSecDhcpSnoopTx:600: nic-1167694-eth2-dvfilter-generic-vmware-swsec.1: Possible DHCP DosAttack on port 50331681(13724) 1 times from Mac :

I couldn't find anything related to this new feature of NSX.

Is this something I should worry about? Or are these false alarms?
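
As an added triage example (not code from the thread), the following Python parses vmkernel warnings of the form quoted above and sums the "N times" counters per DV port and MAC, so the DHCP_STARV total can be traced back to one port; the MAC in the sample lines is a constructed placeholder.

```python
import re
from collections import Counter

# Pattern for the vmkernel DHCP-snooping warning quoted in the post. The MAC
# group is optional because the quoted line ends with "from Mac :" (redacted).
VMK_DHCP_RE = re.compile(
    r"^(?P<ts>\S+) cpu\d+:\d+\)WARNING: dvfilter-switch-security\.throt: "
    r"(?P<hook>SwSecDhcpSnoop\w+):\d+: (?P<filter>\S+): "
    r"Possible DHCP DosAttack on port (?P<port>\d+)\((?P<dvport>\d+)\) "
    r"(?P<count>\d+) times from Mac :\s*"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})?"
)

def parse_line(line):
    """Return a dict for one DHCP DosAttack warning, or None for any other line."""
    m = VMK_DHCP_RE.match(line.strip())
    if m is None:
        return None
    mac = m.group("mac")
    return {"ts": m.group("ts"), "hook": m.group("hook"), "filter": m.group("filter"),
            "port": int(m.group("port")), "dvport": int(m.group("dvport")),
            "count": int(m.group("count")), "mac": mac.lower() if mac else None}

def summarize(lines):
    """Sum the 'N times' counters per (dvport, mac), mirroring the DHCP_STARV total."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            totals[(rec["dvport"], rec["mac"])] += rec["count"]
    return totals

# Constructed sample: the redacted line from the post plus two made-up follow-ups
# with a placeholder MAC (00:50:56:aa:bb:cc) and one unrelated vmkernel line.
SAMPLE_LOG = [
    "2018-04-06T15:19:03.404Z cpu4:1167695)WARNING: dvfilter-switch-security.throt: "
    "SwSecDhcpSnoopTx:600: nic-1167694-eth2-dvfilter-generic-vmware-swsec.1: "
    "Possible DHCP DosAttack on port 50331681(13724) 1 times from Mac :",
    "2018-04-06T15:19:33.410Z cpu4:1167695)WARNING: dvfilter-switch-security.throt: "
    "SwSecDhcpSnoopTx:600: nic-1167694-eth2-dvfilter-generic-vmware-swsec.1: "
    "Possible DHCP DosAttack on port 50331681(13724) 3 times from Mac : 00:50:56:aa:bb:cc",
    "2018-04-06T15:20:03.412Z cpu4:1167695)WARNING: dvfilter-switch-security.throt: "
    "SwSecDhcpSnoopTx:600: nic-1167694-eth2-dvfilter-generic-vmware-swsec.1: "
    "Possible DHCP DosAttack on port 50331681(13724) 1 times from Mac : 00:50:56:AA:BB:CC",
    "2018-04-06T15:20:05.000Z cpu2:65536)NetPort: 1580: disabled port 0x3000011",
]

if __name__ == "__main__":
    for (dvport, mac), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"dvport {dvport} mac {mac or '<redacted>'}: {n} DHCP DosAttack warnings")
```

The dvport number can then be matched to a VM, for instance with PowerCLI's Get-VDPort -Key or the host's summarize-dvfilter output.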


Accepted Solutions
Finikiez
Champion

Since I posted this topic, a KB has been published: VMware Knowledge Base

This is a known issue affecting VMware NSX for vSphere 6.4.x.

Currently, there is no resolution.


9 Replies
Sreec
VMware Employee

Those alarms look to be genuine ones, since the NSX dashboard provides visibility into the overall health of NSX components, and I believe you are receiving the alerts from the NSX dashboards? Mostly the hardware address of the DHCP client is spoofed. Using the NSX Dashboard

I understand you don't have any external route; what is the purpose of the software router? Are you leveraging DHCP services?

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
Finikiez
Champion

Sure, there is a new section in the Dashboard called 'Host Notifications', and there is a 'DHCP Starvation' string.

This also produces alarms in the web client.

The purpose of the router is to build a lab simulating Cisco devices. I didn't deploy this virtual router. However, I suppose that it has a DHCP server role as well.

So my goal is to understand what NSX is trying to tell me.

Who is under attack from NSX perspective?

Sreec
VMware Employee

From the screenshots, the VM which is connected to DVS port 50331681(13724) is certainly under attack, and you confirmed that it is the software router. Can you explore any firewall in that router and ensure appropriate rules are in place and block the rest of the traffic?

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
Finikiez
Champion

Actually, it is the software router which attacks the VM on port 50331681(13724).

Its MAC is mentioned in the error in vmkernel.log.

However, how can I figure out which VM is connected to port 50331681(13724)?

Thanks.

Finikiez
Champion

OK, I see that 13724 is the DV port ID. And this is the port where the software router with the MAC address mentioned in the error is connected.

Now I'm totally confused and don't understand who is under attack.

wreedMH
Hot Shot

Still happens in 6.4.4 :(

wreedMH
Jump to solution

When will this be fixed?

Finikiez
Jump to solution

No idea, I disabled this warning as mentioned in the KB.
