VMware vSphere

  • 1.  ddos attack

    Posted Jan 17, 2015 02:03 AM

    hi all,

    my vmware server has 8 hosts and every host has one vswitch which is limited to 100M.

    right now, one of the hosts got DDOS, but the network is still at up to 800M usage.

    is there any way to set it so that, even if one gets DDOS, it won't affect the whole vmware



  • 2.  RE: ddos attack

    Posted Jan 19, 2015 10:47 AM

    A DDoS attack is an attack on your whole networking infrastructure and even if your VM is limited, the requests will be throttling your whole network bandwidth. To be able to separate this you need to cooperate with your internet supplier.

    As long as the attacked VM has an active IP address on your router interface you will receive all packets for it. The whole point of the DDoS attacks is to overflood you with requests, so attackers are not waiting for an acknowledgement either before they do a new request, so any action on the VM side is futile, and your only option here is to use your ISP or have a powerful firewall that can chew off the requests.

    This also depends a little on the type of DDoS attacks.

    Some useful links:

    http://www.networkworld.com/article/2170051/tech-primers/tech-primers-four-ways-to-defend-against-ddos-attacks.html

    http://www.tomsguide.com/us/ddos-attack-definition,news-18079.html



  • 3.  RE: ddos attack

    Posted Jan 19, 2015 11:53 AM

    I *think* your vswitch-speed does not help here. It will throttle down speed only on the last leg (between vswitch and VM) but not upstream (between your network and vswitch). So your 1gbit-nic is receiving incoming traffic close to its max, even if it cannot pass it further to the vSwitch.

    Concerning defense, the best is to contact your upstream-provider, and ask him to put some filtering rules into effect, like shaping incoming-traffic for that particular host/IP. But it does not make sense to filter by IPs, they are spoofed anyway.

    On your side, not much can be done. One thing that comes to my mind is to use multiple NICs effectively (if you have them), i.e. to connect the vSwitch with the VM being ddos-ed to one physical NIC, and all other vSwitches (VMs) to a different one.
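The uplink-isolation idea from the reply above, as an added PowerCLI example that is not code from the thread or from VMware: it puts the attacked VM on its own standard vSwitch backed by a spare physical NIC, so the inbound flood saturates only that uplink. The vCenter, host, VM and vmnic names are placeholders, and it assumes PowerCLI is installed and the chosen NIC is cabled to a switch port carrying the same VLAN.

```powershell
# Added example (not from the thread). Isolate one VM on a dedicated
# vSwitch/uplink so a flood aimed at it cannot fill the shared uplink.
param(
    [string]$VCenter   = "vcenter.example.local",   # placeholder
    [string]$HostName  = "esx01.example.local",     # placeholder
    [string]$VMName    = "web-under-attack",        # placeholder
    [string]$Uplink    = "vmnic3",                  # placeholder: a free NIC
    [string]$Switch    = "vSwitch-Isolated",
    [string]$PortGroup = "PG-Isolated"
)

Connect-VIServer -Server $VCenter | Out-Null
$esx = Get-VMHost -Name $HostName
$vm  = Get-VM -Name $VMName -Location $esx

# Safety check: never steal an uplink that another vSwitch already uses,
# or the "isolation" would take the rest of the host's VMs down with it.
$inUse = Get-VirtualSwitch -VMHost $esx | Where-Object { $_.Nic -contains $Uplink }
if ($inUse) {
    throw "$Uplink is already an uplink of $($inUse.Name); choose a free NIC"
}

# Create the dedicated vSwitch and port group if they do not exist yet.
$vss = Get-VirtualSwitch -VMHost $esx -Name $Switch -ErrorAction SilentlyContinue
if (-not $vss) {
    $vss = New-VirtualSwitch -VMHost $esx -Name $Switch -Nic $Uplink
}
$pg = Get-VirtualPortGroup -VirtualSwitch $vss -Name $PortGroup -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vss -Name $PortGroup
}

# Move every vNIC of the attacked VM onto the isolated port group.
Get-NetworkAdapter -VM $vm | Set-NetworkAdapter -Portgroup $pg -Confirm:$false

# Verify: the attacked VM should be the only one on the new switch/uplink.
Get-VirtualSwitch -VMHost $esx | Select-Object Name, Nic
Get-VM -Location $esx | Get-NetworkAdapter | Select-Object Parent, NetworkName
```

This only contains the blast radius inside the host; the flood still arrives at the physical NIC, so upstream filtering by the ISP remains the actual mitigation.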