13 December, 2012

Protecting against Denial Of Service attacks with new VDS feature

One of the VMware Virtual Distributed Switch enhancements is the BPDU-Filter. BPDU stands for Bridge Protocol Data Unit; these packets are exchanged between physical switches as part of the Spanning Tree Protocol (STP). STP is used on physical switches to prevent network loops.
A physical switch determines, based on the BPDU exchange, whether a specific port should be in a forwarding or a blocking state.
VMware's virtual switches do not support STP and therefore do not exchange BPDU packets; the VDS simply drops such packets.
A best practice for VMware host-facing ports is to enable PortFast and BPDU guard. With that best practice in place, the following scenario can cause an entire uplink to fail: if a VM is compromised in some way and starts to generate BPDU packets, those packets travel to the physical switch, which blocks the port as a result of its BPDU guard setting.
The result is an uplink down. The vSphere host then tries to move the VM to another uplink, which brings that uplink down as well, and in the worst case this could cause a cluster-wide failure.
The BPDU-Filter feature makes the VDS (and the VSS as well) drop the BPDU packets coming from the VM.
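As an added illustration (not code from the original post or from VMware), the Python below models the classification a guest-facing BPDU filter performs: it recognises IEEE 802.1D spanning-tree BPDUs, including 802.1Q-tagged ones, by destination MAC, LLC header and protocol ID, and drops only those while forwarding everything else. The sample frames and the guest MAC address are constructed for the example.

```python
"""Model of a guest-facing BPDU filter (constructed example).

Frame layout used: dst MAC (6) | src MAC (6) | optional 802.1Q tag (4) | length/type (2) | payload.
An IEEE spanning-tree BPDU is an LLC frame to 01:80:C2:00:00:00 with a length field <= 1500,
LLC header DSAP=0x42 SSAP=0x42 Control=0x03, and a BPDU whose Protocol ID is 0x0000.
"""
from dataclasses import dataclass
from typing import List, Tuple

STP_MULTICAST = bytes.fromhex("0180c2000000")
LLC_STP = bytes.fromhex("424203")
BPDU_TYPES = {0x00: "Configuration", 0x80: "TCN", 0x02: "RST/MST"}


@dataclass
class Verdict:
    action: str  # "forward" or "drop"
    reason: str


def is_stp_bpdu(frame: bytes) -> Tuple[bool, str]:
    """Return (True, bpdu_type) for an IEEE spanning-tree BPDU, else (False, why not)."""
    if len(frame) < 14:
        return False, "runt"
    off = 12
    if frame[off:off + 2] == b"\x81\x00":  # skip an 802.1Q tag a guest may add
        off += 4
    length_or_type = int.from_bytes(frame[off:off + 2], "big")
    off += 2
    if frame[:6] != STP_MULTICAST:
        return False, "not STP multicast"
    if length_or_type > 1500:
        return False, "Ethernet II, no LLC header"
    if frame[off:off + 3] != LLC_STP:
        return False, "LLC not 42/42/03"
    bpdu = frame[off + 3:]
    if len(bpdu) < 4 or bpdu[:2] != b"\x00\x00":
        return False, "not a spanning-tree protocol id"
    return True, BPDU_TYPES.get(bpdu[3], f"type 0x{bpdu[3]:02x}")


def guest_bpdu_filter(frame: bytes) -> Verdict:
    """Drop BPDUs sourced by a guest, forward every other frame unchanged."""
    hit, info = is_stp_bpdu(frame)
    return Verdict("drop", f"BPDU ({info})") if hit else Verdict("forward", info)


def apply_filter(frames: List[bytes]) -> Tuple[List[bytes], List[str]]:
    """Return the frames that reach the uplink and the reasons for those that were dropped."""
    forwarded, dropped = [], []
    for f in frames:
        v = guest_bpdu_filter(f)
        (forwarded.append(f) if v.action == "forward" else dropped.append(v.reason))
    return forwarded, dropped


GUEST_MAC = bytes.fromhex("005056000001")  # constructed guest MAC
CONFIG_BPDU = STP_MULTICAST + GUEST_MAC + (38).to_bytes(2, "big") + LLC_STP + bytes.fromhex("00000000") + bytes(31)
TAGGED_TCN = STP_MULTICAST + GUEST_MAC + bytes.fromhex("8100000a") + (7).to_bytes(2, "big") + LLC_STP + bytes.fromhex("00000080")
ARP_BROADCAST = bytes.fromhex("ffffffffffff") + GUEST_MAC + bytes.fromhex("0806") + bytes(28)
```

Only the two BPDUs are dropped; the ARP broadcast from the same guest is forwarded, which is the behaviour that keeps BPDU guard on the physical port from ever firing.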

