VMware ESXi – Use SSH to Determine Source of DoS Attack


My VMware ESXi 4 server appears to be under a Denial of Service attack. I am getting massive packet loss to the server (60+%) and am barely able to load any services on the VMs running on the host.

I have Cacti installed but cannot load it due to the attack. I can SSH in to the VMware host. Are there any commands I can run to either determine where the attack is coming from, or block all IP addresses except mine so that I can load Cacti again to troubleshoot?

I tried esxcli network firewall get but received: Unknown Object firewall in namespace network

All the VMs with network access are directly connected to the internet, that is, there is a virtual switch between the internet-facing VMs and the router.

EDIT: MDMarra had a great idea: disable the vswitch that the VMs are on. But I can't get the vSphere console to respond long enough to do this. Can this be done through SSH?

Best Answer

I would say first and foremost would be to call your datacenter and see if they can block the offending IP with their equipment. Hopefully their hardware has the bandwidth to handle something like that, which will then at least allow yours to start functioning like normal.
