VM BPDU spoofing attack works quite nicely in HA clusters
When I wrote the Virtual switches need BPDU guard blog post, I speculated that you could shut down a whole HA cluster with a single BPDU-generating VM ... and got a nice confirmation during the Troopers 13 conference – ERNW specialists successfully demonstrated the attack while testing the security aspects of a public cloud implementation for a major service provider.
For more information, read their blog post (they also have a nice presentation explaining how a VM can read ESXi hard drive with properly constructed VMDK file).
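As an added illustration (not code from the original post or from ERNW), the Python below performs the check a BPDU guard on a virtual switch would do on the VM-facing side: it recognises IEEE 802.1D BPDUs by their multicast destination MAC, 802.3 length field, LLC SAP 0x42 and STP protocol identifier, and reports which guest MAC addresses are emitting them. The frames, the VMware-style guest MAC and the zero-padded BPDU bodies are constructed sample data, and only untagged 802.1D BPDUs are handled.

```python
import struct

STP_MCAST = bytes.fromhex("0180c2000000")   # IEEE 802.1D BPDU destination MAC
LLC_STP_SAP = 0x42                          # DSAP/SSAP used by spanning tree
BPDU_TYPES = {0x00: "config", 0x80: "tcn", 0x02: "rst"}

def parse_bpdu(frame: bytes):
    """Describe the 802.1D BPDU in an untagged Ethernet frame, else None.
    Checks: STP multicast destination, 802.3 length (not an EtherType),
    LLC DSAP/SSAP 0x42, STP protocol identifier 0x0000."""
    if len(frame) < 21 or frame[:6] != STP_MCAST:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or frame[14] != LLC_STP_SAP or frame[15] != LLC_STP_SAP:
        return None
    body = frame[17:14 + length]            # BPDU follows the 3-byte LLC header
    if len(body) < 4:
        return None
    proto_id, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto_id != 0:
        return None
    return {"src": frame[6:12].hex(":"), "version": version,
            "type": BPDU_TYPES.get(bpdu_type, f"unknown(0x{bpdu_type:02x})")}

def bpdu_sources(frames):
    """Count BPDUs per source MAC. Any entry here is a guest whose frames a
    BPDU guard on the physical uplink would answer by shutting the whole port,
    which is exactly what takes the host (and its HA cluster) down."""
    seen = {}
    for f in frames:
        info = parse_bpdu(f)
        if info:
            seen[info["src"]] = seen.get(info["src"], 0) + 1
    return seen

# Constructed sample frames (not a real capture).
VM_MAC = bytes.fromhex("005056aabbcc")          # VMware-style guest MAC (made up)
CONFIG_BPDU = bytes([0, 0, 0, 0]) + bytes(31)   # proto 0, version 0, type config
STP_FRAME = STP_MCAST + VM_MAC + struct.pack("!H", 3 + len(CONFIG_BPDU)) \
    + bytes([0x42, 0x42, 0x03]) + CONFIG_BPDU
TCN_FRAME = STP_MCAST + VM_MAC + struct.pack("!H", 7) \
    + bytes([0x42, 0x42, 0x03]) + bytes([0, 0, 0, 0x80])
ARP_FRAME = bytes.fromhex("ffffffffffff") + bytes.fromhex("005056112233") \
    + b"\x08\x06" + bytes(28)                   # broadcast ARP, not a BPDU

if __name__ == "__main__":
    print(bpdu_sources([STP_FRAME, TCN_FRAME, ARP_FRAME]))
    # → {'00:50:56:aa:bb:cc': 2}
```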
This happened to me...!!
We run a Nexus network with FEX and on Cisco FEX you can not disable BPDU guard and BPDU filter is not an option.
So one of the server guys started up a Citrix Netscaler and enabled spanning-tree and this took down one host at a time.
So cluster = dead!
Thank god you now have the option to enable BPDU guard on vSphere 5.0
Nexus 1000V is no better (apart from the fact the BPDU filter is enabled by default ;).
In both cases, you're preemptively killing canaries:
I just want a "REAL" software switch.
Do you have any idea why they made the FEX the way they did? No spanning-tree support :(
It is best practice to enable "Bridge BPDU" mode NetScaler when operating the NetScaler in Layer 2 mode in order to avoid accidental forwarding loops.
Also, with Layer 2 mode enabled on NetScaler, it is entirely possible to configure topologies that will result in forwarding loops that STP cannot resolve.
In both modes of operation, L2 and L3, a NetScaler generally drops packets that are in:
- Multicast frames
- Unknown protocol frames destined for a NetScaler's MAC address (non-IP and non-ARP)
- Spanning Tree protocol (unless BridgeBPDUs is ON)
thanks for the reference. Just a short note on the VMDK file stuff. There's a much more comprehensive write-up here: https://www.ernw.de/download/ERNW_Newsletter_41_ExploitingVirtualFileFormats_signed.pdf.