'MAC Spoofing' in Windows Server 2008 R2 Hyper-V

In a physical NIC the MAC (Media Access Control) address is built in, although it can usually be overridden. In a virtual machine environment there is no physical counterpart, so we have to make up our own addresses. In Windows Server 2008, VMs are susceptible to "MAC spoofing", where a malicious machine pretends to be another machine on the network.

The virtual switch in Hyper-V is a learning layer-2 switch: it forwards frames based on MAC addresses, associating each source MAC it sees with the port the frame arrived on. If a malicious VM starts sending frames whose source MAC address belongs to another machine, the switch re-learns that address against the attacker's port, and traffic for the legitimate owner is delivered to the attacker instead. This gives both a denial of service (DoS) against the victim and the potential for the malicious virtual machine to see packets which weren't destined for it. In the original (Windows Server 2008) release of Hyper-V the recommended mitigation is therefore to place only virtual machines of a similar security integrity level on the same virtual switch, and not to share a switch between virtual machines of different security integrity levels.

Windows Server 2008 R2 introduced several changes that make the switch smarter. Each virtual switch port has a new property, exposed in our WMI model as AllowMacSpoofing, which is off by default; with it off, a VM cannot send frames with a source MAC address other than the one assigned to its port. We also expose this property in the settings page for a virtual machine. Note that to see this setting you must be using the UI from Windows Server 2008 R2, or RSAT on a Windows 7 client.
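To make the re-learning behaviour and the effect of the per-port setting concrete, here is an added example: a small Python model written for this page, not Hyper-V code and not from the original post. It models a learning layer-2 switch with a per-port allow_mac_spoofing flag standing in for AllowMacSpoofing, and runs the attack once with the flag on and once with it off. The VM names and the 00:15:5d MAC addresses are constructed sample values.

```python
"""Toy learning layer-2 switch showing how a spoofed source MAC hijacks a
victim's traffic, and how a per-port AllowMacSpoofing check stops it.
This is an illustrative model, not the Hyper-V switch implementation."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str
    dst: str
    payload: str


@dataclass
class Port:
    name: str
    assigned_mac: str                 # MAC the hypervisor handed to this vNIC
    allow_mac_spoofing: bool = False  # stands in for AllowMacSpoofing (default off)
    received: list = field(default_factory=list)


class LearningSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.fdb = {}       # forwarding table: source MAC -> port name
        self.dropped = []   # (port name, frame) pairs rejected at ingress

    def send(self, ingress, frame):
        """Deliver a frame entering on `ingress`; return where it went."""
        port = self.ports[ingress]
        src, dst = frame.src.lower(), frame.dst.lower()
        # Port-level enforcement: with spoofing disallowed, a frame whose
        # source MAC is not the port's assigned MAC never reaches the
        # learning logic, so the forwarding table cannot be poisoned.
        if not port.allow_mac_spoofing and src != port.assigned_mac.lower():
            self.dropped.append((ingress, frame))
            return "dropped"
        # Learning step: the switch (re)binds the source MAC to this port.
        # This is exactly what a spoofing VM abuses.
        self.fdb[src] = ingress
        egress = self.fdb.get(dst)
        if egress is not None and egress != ingress:
            self.ports[egress].received.append(frame)
            return egress
        # Unknown destination: flood to every other port.
        for name, p in self.ports.items():
            if name != ingress:
                p.received.append(frame)
        return "flood"


def run_scenario(attacker_may_spoof):
    """Victim and gateway talk normally, then the attacker spoofs the
    victim's MAC. Returns what happened to the gateway's next reply."""
    victim_mac = "00:15:5d:00:00:01"     # constructed sample addresses
    gw_mac = "00:15:5d:00:00:fe"
    attacker_mac = "00:15:5d:00:00:02"
    sw = LearningSwitch([
        Port("vm-victim", victim_mac),
        Port("vm-gateway", gw_mac),
        Port("vm-attacker", attacker_mac, allow_mac_spoofing=attacker_may_spoof),
    ])
    # Normal traffic: the switch learns which port each MAC lives on.
    sw.send("vm-victim", Frame(victim_mac, gw_mac, "hello"))
    sw.send("vm-gateway", Frame(gw_mac, victim_mac, "hello back"))
    # Attack: the attacker emits a frame claiming the victim's source MAC.
    spoof_result = sw.send("vm-attacker", Frame(victim_mac, gw_mac, "spoofed"))
    # The gateway's next frame to the victim follows the (possibly poisoned) table.
    reply = Frame(gw_mac, victim_mac, "secret for victim")
    delivered_to = sw.send("vm-gateway", reply)
    return {
        "spoof_result": spoof_result,
        "reply_delivered_to": delivered_to,
        "attacker_saw_secret": reply in sw.ports["vm-attacker"].received,
    }


if __name__ == "__main__":
    for allowed in (True, False):
        print(f"allow_mac_spoofing={allowed}: {run_scenario(allowed)}")
```

With the flag on, the spoofed frame re-binds the victim's MAC to the attacker's port and the gateway's reply lands on the attacker (the victim stops receiving, and the attacker reads the payload). With the flag off, the frame is dropped at ingress, the table is untouched, and the reply still reaches the victim, which is the behaviour the R2 default is meant to give you.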

John Howard