VMware NSX

  • 1.  Enabling SYN Flood Protection NSX

    Posted Jun 04, 2017 06:03 AM

    I have another post but this is a little different. We are having issues with outbound DDoS, more specifically SYN Flood, from our customer VMs. Will enabling SYN Flood Protection in NSX prevent outbound traffic from carrying out these attacks, and if not, is there something we can do to prevent customers from doing this? We have already limited the port to 100Mbps but we are still getting alerted from our datacenter when these attacks reach only 50 Mbps. We warn customers not to do this, but as we have hundreds of customers one does it and we are warned by OVH that we could have our servers terminated.....OVH sucks mind you, or more specifically their support staff, but the hardware is great.

    Any help to prevent these attacks outbound would be helpful.



  • 2.  RE: Enabling SYN Flood Protection NSX

    Broadcom Employee
    Posted Jun 04, 2017 06:19 PM

    I'm not really sure about OVH-NSX integration, to be more specific, what NSX features are exposed and what are not.

    Going via NSX options, DFW and Edge firewall are the two options that I can think of.

    For DFW what the doc says is: In order to protect your network from ACK or SYN floods, you can set Service to TCP-all_ports or UDP-all_ports and set Action to Block for the default rule.

    However, for NSX Edge we need to update SYN flood protection via API call. Both of these options are documented in the NSX document, so worth exploring if that would help for this scenario.



  • 3.  RE: Enabling SYN Flood Protection NSX

    Posted Jun 04, 2017 08:06 PM

    Hello

    It is not so much the OVH-NSX integration as it is just that OVH is giving me grief about outbound DoS traffic.

    Yes, I have been exploring the SYN Flood protection with NSX that needs to be turned on via the API, as it is off by default, but I am not sure if that works both inbound and outbound.

    Guess there is only one way to try though :smileyhappy:

    I just thought someone would know of a third party NSX security platform that could work, but NSX being as powerful as it is, I just hoped there was something there already. I'll let you know once I try the SYN flood protection within NSX.



  • 4.  RE: Enabling SYN Flood Protection NSX

    Posted Jun 05, 2017 10:09 PM

    Hello Again

    I am just trying to enable this now but have a couple of questions.

    As we are running VIO, which edge do I need to enable it on, as VIO creates about 10 backup edges as well as other machines? As I do not want the information public I have sent you a screenshot of the edges I am talking about.

    I have the NSX API guide which I am going by, so I am using this command:

    PUT https://NSX-Manager-IP-Address/api/4.0/edges/edgeId/firewall/config/enableSynFloodProtection=True

    Is this correct?

    Lastly, just so we are clear, OVH has nothing to do with this, as we have our own NSX install on multiple dedicated servers and are NOT using the NSX service that OVH offers. I just wanted to make that clear so there is no confusion.



  • 5.  RE: Enabling SYN Flood Protection NSX

    Posted Jun 05, 2017 10:12 PM

    Also I am not sure what you mean by: "ACK or SYN floods, you can set Service to TCP-all_ports or UDP-all_ports and set Action to Block for the default rule".

    If this rule is implemented then all traffic will be blocked. Currently, as these are VMs that others manage, we allow all ports open, so I am a little confused about implementing a rule that would block SYN flood traffic.



  • 6.  RE: Enabling SYN Flood Protection NSX

    Broadcom Employee
    Posted Jun 06, 2017 07:18 AM

    Firewall rules work from top to bottom. So whatever ports/protocols are required, you need to define them accordingly and make use of the API for this change.



  • 7.  RE: Enabling SYN Flood Protection NSX

    Posted Sep 04, 2017 11:00 AM

    Hello

    Can you please elaborate on the issue above, as I would really like to enable the SYN flood protection, but from what I read all that is required is for it to be enabled via the NSX API. I am a little concerned about attempting this, as I could really mess things up if not done correctly.



  • 8.  RE: Enabling SYN Flood Protection NSX
    Best Answer

    Broadcom Employee
    Posted Sep 04, 2017 01:04 PM

    Hello Ben :smileyhappy:

    API call is simple:

    1. Create an authentication header (with NSX credentials)

    2. Create a custom header with Content-Type as Application/xml. Output would be like below in the REST API page

    3. Fetch the current edge firewall config using a GET call:

    https://nsxip/api/4.0/edges/edge-id/firewall/config (You can get the edge-id from the NSX GUI or by doing a GET operation on https://nsxip/api/4.0/edges/)

    4. In the Get operation output you will see below entry

    <enableSynFloodProtection>false</enableSynFloodProtection>

    5. Copy the entire config from the previous GET operation, edit the line <enableSynFloodProtection>false</enableSynFloodProtection> to <enableSynFloodProtection>true</enableSynFloodProtection>, and paste it in the body

    6. Do a PUT call to the same URL https://nsxip/api/4.0/edges/edge-id/firewall/config

    7. Once again do a GET call to the same URL to confirm the change

    Note: If you are really concerned about the steps, you can test it on a dummy edge with the same steps.
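    The GET / edit / PUT / GET sequence above, as an added Python example that is not part of the original thread or of VMware's own tooling. It uses only the standard library, keeps the rest of the fetched config untouched (so nothing else in the firewall config is accidentally reset), refuses to PUT if the element is missing, and re-reads the config to confirm. The hostname, edge-id and credentials are placeholders, and the sample XML is a constructed, trimmed stand-in for the real GET output, not a capture from an NSX Manager.

    ```python
    import base64
    import urllib.request
    import xml.etree.ElementTree as ET

    # Constructed, trimmed stand-in for the edge firewall config returned by
    # GET /api/4.0/edges/<edge-id>/firewall/config (not a real capture).
    SAMPLE_CONFIG = b"""<firewall>
      <enabled>true</enabled>
      <globalConfig>
        <tcpPickOngoingConnections>false</tcpPickOngoingConnections>
        <enableSynFloodProtection>false</enableSynFloodProtection>
      </globalConfig>
    </firewall>"""


    def syn_flood_protection_enabled(config_xml: bytes) -> bool:
        """Step 4/7: read the flag out of a firewall config document."""
        node = ET.fromstring(config_xml).find(".//enableSynFloodProtection")
        return node is not None and (node.text or "").strip().lower() == "true"


    def set_syn_flood_protection(config_xml: bytes, enabled: bool) -> bytes:
        """Step 5: flip only <enableSynFloodProtection>, leaving every other
        setting exactly as fetched. Raise rather than PUT a config that lacks
        the element, so a surprising API response is never written back."""
        root = ET.fromstring(config_xml)
        node = root.find(".//enableSynFloodProtection")
        if node is None:
            raise ValueError("enableSynFloodProtection not found in firewall config")
        node.text = "true" if enabled else "false"
        return ET.tostring(root)


    def _nsx_request(method: str, url: str, user: str, password: str, body=None) -> bytes:
        """Steps 1-2: basic-auth header plus Content-Type application/xml.
        Default TLS verification is kept; trust the NSX Manager CA instead of
        disabling checks if the manager uses a self-signed certificate."""
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(url, data=body, method=method, headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/xml",
        })
        with urllib.request.urlopen(req) as resp:
            return resp.read()


    def enable_syn_flood_protection(nsx_manager: str, edge_id: str, user: str, password: str) -> bool:
        """Steps 3-7 end to end; returns True only if the re-read config shows the flag on."""
        url = f"https://{nsx_manager}/api/4.0/edges/{edge_id}/firewall/config"
        current = _nsx_request("GET", url, user, password)          # step 3
        updated = set_syn_flood_protection(current, True)           # step 5
        _nsx_request("PUT", url, user, password, body=updated)      # step 6
        return syn_flood_protection_enabled(_nsx_request("GET", url, user, password))  # step 7
    ```

    Run it against a dummy edge first, as the reply suggests, e.g. `enable_syn_flood_protection("nsx-manager.example", "edge-ID-PLACEHOLDER", "admin", "PASSWORD")`.
    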



  • 9.  RE: Enabling SYN Flood Protection NSX

    Posted Sep 05, 2017 02:06 AM

    Perfect. SYN Flood Protection is now enabled. Thank you for elaborating, it made things so much easier!!!!