上QQ阅读APP看书,第一时间看更新
Harden a virtual machine against DoS attacks
One or more VMs may consume too many resources on a single host, causing a possible DoS scenario. To minimize this possibility, a proper configuration of the VM resource management is needed; also, remember that each VM has implicit limits, due to resources configured in the VM settings.
Other possible DoS situations are as follows:
- Virtual disk shrinking: Shrinking a virtual disk reclaims the disk's unused space. This operation can be performed by a non-administrative user in the guest operating system, and multiple operations can cause a DoS on the virtual disk. To disable the ability to shrink virtual disks, you must use two VM advanced settings, isolation.tools.diskWiper.disable and isolation.tools.diskShrink.disable, as described in KB 1002019 (https://kb.vmware.com/s/article/1002019)—Growing, thinning, and shrinking virtual disks for VMware ESX and ESXi.
This operation is not supported in ESXi, but it is supported in Workstation/Player/Fusion.
- Informational messages from VM to VMX files: A DoS can happen if you do not control the size of a VMs VMX file, and the amount of information in it exceeds the data store capacity. By default, the file limit is 1 MB, and you can change it with the tools.setInfo.sizeLimit VM advanced option. For more information, see the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-9610FE65-3A78-4982-8C28-5B34FEB264B6.html).
- Unnecessary hardware devices: Any connected device represents a potential attack channel. As described previously, it's a good practice to remove or disable all unneeded or unused devices. Note that, by default, users and processes with local privileges on a guest OS can connect or disconnect some hot-plug hardware devices (such as the virtual NIC).