VMware Networking Community
benjamin000
Enthusiast

Enabling SYN Flood Protection NSX

I have another post, but this is a little different. We are having issues with outbound DDoS, more specifically SYN floods, from our customer VMs. Will enabling SYN Flood Protection in NSX prevent outbound traffic from carrying out these attacks, and if not, is there something we can do to prevent customers from doing this? We have already limited the port to 100Mbps but we are still getting alerted from our datacenter when these attacks reach only 50 Mbps. We warn customers not to do this, but as we have hundreds of customers, one does it and we are warned by OVH that we could have our servers terminated... OVH sucks, mind you, or more specifically their support staff, but the hardware is great.

Any help to prevent these attacks outbound would be helpful.

Regards Ben McGuire
Sreec
VMware Employee

I'm not really sure about the OVH-NSX integration, or to be more specific, which NSX features are exposed and which are not.

Going via NSX options, DFW and Edge firewall are the two options I can think of.

For DFW, what the doc says is: in order to protect your network from ACK or SYN floods, you can set Service to TCP-all_ports or UDP-all_ports and set Action to Block for the default rule.

However, for NSX Edge we need to update SYN flood via an API call. Both of these options are updated in the NSX documentation, so it is worth exploring whether that would help in this scenario.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered

benjamin000
Enthusiast

Hello

It is not so much the OVH-NSX integration as it is just that OVH is giving me grief about outbound DoS traffic.

Yes, I have been exploring the SYN Flood protection with NSX that needs to be turned on via the API, as it is off by default, but I am not sure if that works both inbound and outbound.

Guess there is only one way to try, though.

I just thought someone would know of a third-party NSX security platform that could work, but NSX being as powerful as it is, I just hoped there was something there already. I'll let you know once I try the SYN flood protection within NSX.

Regards Ben McGuire

benjamin000
Enthusiast

Hello Again

I am just trying to enable this now but have a couple of questions.

As we are running VIO, which edge do I need to enable it on, as VIO creates about 10 backup edges as well as other machines? As I do not want the information public, I have sent you a screenshot of the edges I am talking about.

I have the NSX API guide which I am going by so I am using this command

PUT https:// NSX-Manager-IP-Address /api/4.0/edges/ edgeId /firewall/config/enableSynFloodProtection=True

Is this correct?

Lastly, just so we are clear, OVH has nothing to do with this, as we have our own NSX install on multiple dedicated servers and are NOT using the NSX service that OVH offers. I just wanted to make that clear so there is no confusion.

Regards Ben McGuire

benjamin000
Enthusiast

Also, I am not sure what you mean by: "ACK or SYN floods, you can set Service to TCP-all_ports or UDP-all_ports and set Action to Block for the default rule".

If this rule is implemented then all traffic will be blocked. Currently, as these are VMs that others manage, we allow all ports opened, so I am a little confused about implementing a rule that would block SYN flood traffic.

Regards Ben McGuire

Sreec
VMware Employee

Firewall rules work from top to bottom. So whatever ports/protocols are required, you need to define them accordingly and make use of the API for this change.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered

benjamin000
Enthusiast

Hello

Can you please elaborate on the issue above, as I would really like to enable the SYN flood protection? From what I read, all that is required is for it to be enabled via the NSX API, but I am a little concerned about attempting this as I could really mess things up if it is not done correctly.

Regards Ben McGuire

Sreec
VMware Employee

Hello Ben,

The API call is simple:

1. Create an authentication header (with NSX credentials).

2. Create a custom header with Content-Type as Application/xml. The output would look like the below in the REST API page.

[Image: pastedImage_1.png]

3. Fetch the current edge firewall config using a GET call:

https://nsxip/api/4.0/edges/edge-id/firewall/config (You can get the edge-id from the NSX GUI or by doing a GET operation on https://nsxip/api/4.0/edges/)

4. In the GET operation output you will see the below entry:

<enableSynFloodProtection>false</enableSynFloodProtection>

5. Copy the entire config from the previous GET operation, edit the line <enableSynFloodProtection>false</enableSynFloodProtection> to <enableSynFloodProtection>true</enableSynFloodProtection>, and paste it into the body.

6. Do a PUT call to the same URL: https://nsxip/api/4.0/edges/edge-id/firewall/config

7. Once again, do a GET call to the same URL to confirm the change.

Note: If you are really concerned about the steps, you can test it on a dummy edge with the same steps.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
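
The GET, edit, PUT, GET sequence from the steps above, as an added example that is not part of the original post and is not VMware's own code. It assumes HTTP Basic authentication for the credentials header; the host, edge ID and sample XML are constructed placeholders.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

FLAG = "enableSynFloodProtection"  # element name quoted in step 4

# Constructed sample of a GET response; every element except FLAG is illustrative.
SAMPLE = """<firewall><enabled>true</enabled>
<globalConfig><enableSynFloodProtection>false</enableSynFloodProtection></globalConfig>
<firewallRules><firewallRule><name>allow-web</name><action>accept</action></firewallRule>
</firewallRules></firewall>"""

def syn_flood_enabled(config_xml):
    """True only if the config carries the flag and it is set to 'true'."""
    node = ET.fromstring(config_xml).find(f".//{FLAG}")
    return node is not None and (node.text or "").strip().lower() == "true"

def set_syn_flood_protection(config_xml, enabled=True):
    """Step 5: return the whole config with only the flag changed."""
    root = ET.fromstring(config_xml)
    flags = list(root.iter(FLAG))
    if len(flags) != 1:  # refuse to PUT a body we do not understand
        raise ValueError(f"expected one <{FLAG}>, found {len(flags)}")
    flags[0].text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")

def nsx_call(method, url, user, password, body=None, context=None):
    """Steps 1-2: send the credentials and Content-Type headers (Basic auth assumed)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, method=method,
                                 data=body.encode() if body else None)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/xml")
    with urllib.request.urlopen(req, context=context) as resp:
        return resp.read().decode()

def enable_on_edge(nsx_host, edge_id, user, password, context=None):
    """Steps 3-7: GET, edit, PUT the full config back, then GET again to confirm."""
    url = f"https://{nsx_host}/api/4.0/edges/{edge_id}/firewall/config"
    current = nsx_call("GET", url, user, password, context=context)
    if not syn_flood_enabled(current):
        nsx_call("PUT", url, user, password,
                 body=set_syn_flood_protection(current), context=context)
    return syn_flood_enabled(nsx_call("GET", url, user, password, context=context))

if __name__ == "__main__":
    print(syn_flood_enabled(set_syn_flood_protection(SAMPLE)))  # offline dry run
```

Because the PUT replaces the whole firewall config, the edit function changes only the one flag and leaves the existing rules in the body untouched. Pass an `ssl.SSLContext` that trusts the NSX Manager certificate as `context` when it is signed by a private CA.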

benjamin000
Enthusiast

Perfect. SYN Flood Protection is now enabled. Thank you for elaborating, it made things so much easier!

Regards Ben McGuire