VMware Networking Community
evil242
Enthusiast

deep dive looking for evidence of MAC Flood attack

I'm running NSX 6.2 on vSphere 6 U2. I'm using the CLI on the controllers, manager, routers, anything and everything, looking for any indication that NSX notices a MAC flood attack is happening.

A regular physical switch may notice that a MAC Flood is happening by reviewing the output from "show mac address-table dynamic", but I haven't found a similar command in the NSX CLI environment, except for perhaps

nsx-controller # show control-cluster logical-switches vni-stats 5001
update.member         4
update.vtep           41
update.mac            3
update.mac.invalidate 0
update.arp            147
update.arp.duplicate  0
query.mac             11
query.mac.miss        0
query.arp             2
query.arp.miss        2

or

nsx-controller # show control-cluster logical-routers vdr-stats 0x1388
host.reports.received      5
host.reports.dropped       0
edge.routes.received       18
edge.routes.dropped        0
bridge.reports.received    0
bridge.reports.dropped     0
bridge.macs.received       0
bridge.macs.dropped        0
route.queries.received     0
interface.queries.received 0
mac.queries.received       0
clear.routes.received      1
clear.macs.received        0
errdecode.messages.dropped 0
memfull.messages.dropped   0
errserver.messages.dropped 0
notifications.error        0

Any ideas?

Damion Terrell (He/Him)
Core IT Service Specialist
UNM – IT Platforms – VIS
“You learn the job of the person above you, and you teach your job to the person below you.”
1 Reply
evil242
Enthusiast

OK, I found something on the NSX Manager, but not a statement of the number of MAC table entries.

nsxlabmgr.vsphere.local> show logical-router host <host-ID> dlr <edge-ID> interface <intf-ID> statistics
VDR default+edge-7 LIF 138800000002 Statistics :
        RX Unicast Packets on the interface:     0
        RX Unicast Bytes on the interface:       0
        TX Unicast Packets on the interface:     0
        RX Broadcast Packets on the interface:   0
        RX Broadcast Bytes on the interface:     0
        TX Broadcast Packets on the interface:   0
        TX Broadcast Bytes on the interface:     0
        RX Multicast Packets on the interface:   0
        RX Multicast Bytes on the interface:     0
        RX Packets System Error on interface:    0
        TX Ref Errors on the interface:          0
        Packets Deferred Free on the interface:  0
        RX Packets Dropped on interface:         0
LIF Net Statistics (approx.):
        IP & ARP packets RX:                     26
        IP & ARP packets TX:                     345820     <-  These numbers increase during MAC flood attack.
        IP packets Forwarded to Lif:             345803
        IP packets Consumed:                     0
        IP packets Fragmented:                   0
        IP packets Ignored:                      0
        ARP Request RX:                          0
        ARP Request TX:                          11
        ARP Response RX:                         25
        ARP Response TX:                         0
        ARP Request for Proxy RX:                0
        ARP Request for Proxy My IP RX:          0
        GARP RX:                                 1
        GARP TX:                                 1
        ARP Probes TX:                           15
        ICMP Echo Req RX:                        0
        ICMP Echo Rsp TX:                        0
        ICMP Time Exceeded TX:                   0
        TTL Zero Drops:                          0
        Bad Checksum Drops:                      0
        Arp HoldPkts Drops:                      0
        Packet Allocation Failure:               0
        Route not found to Dest:                 0
        Neighbor not found:                      10

But then I found

show logical-switch host host-10 vni 5001 statistics
..
mac.lookup.flood: 4

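The counters quoted in this thread are cumulative, so a MAC flood shows up as a growth rate between two samples rather than as one absolute value. The following is an added example, not part of the original posts and not VMware code: it parses two captures of the CLI output above and flags watched counters that grow too fast. The choice of watched counters, the 50-per-second limit, the 60-second interval and the second sample's values are assumptions made for illustration.

```python
import re

# Counter names come from the CLI output quoted in the thread. Which ones to
# watch and the rate limit are assumptions of this example, not NSX guidance.
WATCHED = ("mac.lookup.flood", "update.mac", "query.mac.miss")
COUNTER = re.compile(r"^\s*([A-Za-z][\w.]*)\s*:?\s+(\d+)\s*$")

def parse_counters(text):
    """Extract 'name value' / 'name: value' lines; prompts and '..' are skipped."""
    found = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def flood_alerts(before, after, seconds, max_per_sec=50.0):
    """Return {counter: per-second growth} for watched counters above the limit."""
    alerts = {}
    for name in WATCHED:
        if name not in before or name not in after:
            continue
        delta = after[name] - before[name]
        if delta < 0:  # counter was reset between samples
            delta = after[name]
        rate = delta / seconds
        if rate > max_per_sec:
            alerts[name] = rate
    return alerts

# First sample: values as posted in the thread.
SAMPLE_T0 = """\
nsx-controller # show control-cluster logical-switches vni-stats 5001
update.mac            3
query.mac.miss        0
show logical-switch host host-10 vni 5001 statistics
..
mac.lookup.flood: 4
"""
# Second sample, 60 seconds later: constructed values for illustration.
SAMPLE_T1 = SAMPLE_T0.replace("update.mac            3", "update.mac            5") \
                     .replace("mac.lookup.flood: 4", "mac.lookup.flood: 90004")

if __name__ == "__main__":
    hits = flood_alerts(parse_counters(SAMPLE_T0), parse_counters(SAMPLE_T1), 60)
    for name, rate in hits.items():
        print(f"ALERT {name}: +{rate:.0f}/s on VNI 5001")
```

A usable limit comes from baselining the same counters on the same VNI during normal traffic.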