After upgrading to NSX-v 6.4.0, you see the error: "Possible DHCP DOS attack seen on the host. Please refer to NSX Manager and VM Kernel logs for details."


Article ID: 321084

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
After upgrading to NSX-v 6.4.0, you see these symptoms:
  • You see the error:

    "Possible DHCP DOS attack seen on the host. Please refer to NSX Manager and VM Kernel logs for details."
     
  • In the /var/log/vsm.log file of the NSX Manager, you see entries similar to:

    2018-04-09 08:29:27.877 CDT  INFO SimpleAsyncTaskExecutor-1 HostEventsResponseHandler:206 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] Host event occurred {eventname: DHCP_STARV, eventType: swsec, eventdescription: Possible DHCP Dos Attack!,eventdata null, eventTtl null, at host: host-141153, at dvPortId 1568, sourceMac 00:50:56:ae:1d:1c1568, occurence 11, at time null}
     
  • In the /var/log/vmkernel.log file of the affected ESXi host, you see entries similar to:

    2018-02-27T04:39:04.957Z cpu21:1579031)WARNING: dvfilter-switch-security.throt: SwSecDhcpSnoopTx:600: nic-1579030-eth0-dvfilter-generic-vmware-swsec.1: Possible DHCP DosAttack on port 50331691(123) 1 times from Mac : 00:50:56:94:0f:69
    2018-02-27T04:42:00.312Z cpu21:1579031)WARNING: dvfilter-switch-security.throt: SwSecDhcpSnoopTx:600: nic-1579030-eth0-dvfilter-generic-vmware-swsec.1: Possible DHCP DosAttack on port 50331691(123) 1 times from Mac : 00:50:56:94:0f:69
    2018-02-27T04:42:03.314Z cpu13:687425)WARNING: nsx-dvfilter-switch-security: SwSecDhcpParse:255: nic-1579030-eth0-dvfilter-generic-vmware-swsec.1: No lease time option in DHCPACK
    2018-02-27T04:42:03.314Z cpu13:687425)WARNING: nsx-dvfilter-switch-security: SwSecDhcpParse:255: nic-1579030-eth0-dvfilter-generic-vmware-swsec.1: No lease time option in DHCPACK


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware NSX for vSphere 6.4.x

Cause

This issue occurs because NSX-v 6.4.0 introduced a new switch-security feature that detects DHCP starvation (DHCP DoS) attempts from guest vNICs, and that detection can report false positives: legitimate DHCP traffic is flagged and raised as a host event (DHCP_STARV) to NSX Manager.

Resolution

This is a known issue affecting VMware NSX for vSphere 6.4.x.

Currently, there is no resolution.

Workaround:
To work around this issue, disable the host event notifications that raise these warnings. You can do this either through an API call or through the NSX Manager Central Command Line Interface.

Notes:
  • This only disables the DHCP DoS attack alerts (host event notifications). No other functionality, including DHCP snooping itself, is disabled.
  • The alerts no longer appear on the NSX Manager dashboard or in the vsm.log file; the vmkernel.log file on the ESXi host still logs them.
Through the API call
  1. To get the current status of the host notifications:
           
    GET https://<NSXMGR_IP>/api/2.0/hostevents
     
  2. To disable host notifications:

    POST https://<NSXMGR_IP>/api/2.0/hostevents

    Body:
    <hostEventsDto>
    <enabled>false</enabled>
    </hostEventsDto>
Through the NSX Manager Central Command Line Interface
  1. To get the current status:

    CLI: get host event notification status
     
  2. To enable/disable host notifications:

    CLI: set host event notification enable/disable


Additional Information

From the CLI of an ESXi host that is reported as impacted, you can list the DVPortIDs of the guest VMs currently flagged by the detection with this command:

net-swsec --host-notifications -o getVMs

Example 1:

[root@vm:~] net-swsec --host-notifications -o getVMs
Affected DVPortIDs :
74

Track down the Guest VM connected to DVPortID 74, and determine if the DHCP DoS alert is valid.

Example 2:

[root@vm:~] net-swsec --host-notifications -o getVMs

Affected DVPortIDs :
No VMs under attack.


There are currently no Guest VMs on this ESXi host being reported as under a DHCP DoS attack.


Impact/Risks:
These are warning messages only and have no operational impact on your environment.

Collect a list of the ESXi hosts and source MAC addresses that are being reported, and confirm that each MAC belongs to a valid Guest VM vNIC or to a NIC of an NSX Edge Services Gateway.