Some protocols rely on broadcast to perform their functions; examples include the Address Resolution Protocol (ARP) and the Dynamic Host Configuration Protocol (DHCP). Broadcast traffic is delivered to every host in a broadcast domain, so a broadcast packet usually consumes far more resources than a unicast packet. Previous research has pointed out that broadcast traffic raises both scalability and security issues. For example, in a network of about 2500 hosts, measurements have shown that a host receives 1150 ARP requests per second (581 kbps) at peak. The amount of broadcast traffic grows roughly linearly with the number of hosts, so once the host count becomes large, ARP traffic becomes prohibitively high.
Broadcast traffic can also be eavesdropped by any entity on the network. A protocol that relies on broadcast is vulnerable to attack if its design does not consider security carefully. ARP, for example, is a trusting protocol that was not designed to cope with malicious hosts: the absence of any authentication mechanism makes it vulnerable to ARP poisoning (spoofing). An attacker can craft fake ARP replies to corrupt hosts' ARP caches and then mount man-in-the-middle, host impersonation, or denial-of-service (DoS) attacks.
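The lack of authentication described above means the only defence a host has at this layer is to notice when a reply contradicts what it already knows. The following passive monitor, added here as an illustration and not part of the original text, parses Ethernet/ARP frames and flags a reply whose sender MAC conflicts with the MAC first seen for that IP, a reply that answers no outstanding request (gratuitous ARP, where sender and target IP match, is exempted), or a reply whose Ethernet source MAC differs from the ARP sender MAC. The MACs, IPs and the poisoned reply in `demo()` are constructed sample traffic, not captured data.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return bytes(int(octet) for octet in text.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sha, spa, tha, tpa, eth_dst=BROADCAST_MAC, eth_src=None):
    """Ethernet/ARP frame (IPv4 over Ethernet); eth_src defaults to the claimed sender MAC."""
    body = ARP_BODY.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return ETH_HDR.pack(eth_dst, eth_src or sha, ETHERTYPE_ARP) + body


def parse_arp(frame):
    """Return (eth_src, op, sha, spa, tha, tpa), or None if not an IPv4/Ethernet ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    _, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return eth_src, op, sha, spa, tha, tpa


class ArpMonitor:
    """Passive detector: learns IP->MAC from replies and flags replies that contradict it."""

    def __init__(self):
        self.bindings = {}    # sender IP -> first MAC seen answering for that IP
        self.pending = set()  # (requester IP, target IP) of requests not yet answered

    def observe(self, frame):
        """Return a list of alert strings (empty if the frame looks clean), or None for non-ARP."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        eth_src, op, sha, spa, tha, tpa = parsed
        if op == ARP_REQUEST:
            self.pending.add((spa, tpa))
            return []
        if op != ARP_REPLY:
            return []
        alerts = []
        if eth_src != sha:
            alerts.append(f"ethernet source {fmt_mac(eth_src)} differs from ARP sender {fmt_mac(sha)}")
        if (tpa, spa) in self.pending:
            self.pending.discard((tpa, spa))
        elif spa != tpa:  # gratuitous ARP (spa == tpa) is legitimately unsolicited
            alerts.append(f"unsolicited reply for {fmt_ip(spa)} sent to {fmt_ip(tpa)}")
        first_seen = self.bindings.setdefault(spa, sha)  # keep the first binding, do not overwrite
        if first_seen != sha:
            alerts.append(f"{fmt_ip(spa)} was {fmt_mac(first_seen)}, now claimed by {fmt_mac(sha)}")
        return alerts


def demo():
    """Constructed traffic: a legitimate request/reply for the gateway, then a poisoned reply."""
    host, gateway, attacker = mac("aa:aa:aa:aa:aa:aa"), mac("11:11:11:11:11:11"), mac("ee:ee:ee:ee:ee:ee")
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REQUEST, host, ip4("10.0.0.10"), b"\x00" * 6, ip4("10.0.0.1")))
    clean = mon.observe(build_arp(ARP_REPLY, gateway, ip4("10.0.0.1"), host, ip4("10.0.0.10"), eth_dst=host))
    spoofed = mon.observe(build_arp(ARP_REPLY, attacker, ip4("10.0.0.1"), host, ip4("10.0.0.10"), eth_dst=host))
    return clean, spoofed


if __name__ == "__main__":
    for label, alerts in zip(("legitimate reply", "spoofed reply"), demo()):
        print(label, "->", alerts or "no alerts")
```

Keeping the first-seen binding rather than the latest mirrors what a DHCP-snooping or ARP-inspection switch does with its trusted table; a real deployment would seed `bindings` from DHCP leases or a static inventory instead of from the first reply it happens to see, since an attacker who answers first would otherwise be recorded as legitimate.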
These issues also exist in virtual networks, such as virtual layer 2 networks built on VXLAN or NVGRE. These protocols encapsulate layer 2 frames inside IP packets (VXLAN in UDP, NVGRE in GRE), so tunneled traffic can cross layer 3 boundaries and a single virtual network can span multiple subnets. A broadcast packet in such a virtual network must be delivered to every endpoint in those subnets, either through a layer 3 multicast protocol (e.g., PIM) or as separate unicasts to each endpoint.
When layer 3 multicast is used, the routers must maintain state for one multicast group per virtual network. When the number of multicast groups is large (VXLAN's 24-bit VNI allows up to 2^24 virtual networks), the routers' workload can be very high. One mitigation is to share a multicast group among several virtual networks, but then endpoints receive packets for virtual networks they do not belong to and must filter them out, wasting bandwidth and processing. Moreover, many customers are reluctant to enable multicast in their physical network at all.
If the unicast approach is used, a source must send one copy of the broadcast packet to every tunnel endpoint (host) that the virtual network spans, or to every VM in the virtual network. For a large virtual layer 2 network this consumes considerable resources: computation at the source and bandwidth in the physical network.
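To make the cost of the unicast (head-end replication) approach concrete, the following added example, which is not part of the original text, encapsulates a constructed 60-byte ARP broadcast frame in VXLAN (outer IPv4 + UDP on port 4789 + the 8-byte VXLAN header with its 24-bit VNI) once per remote tunnel endpoint, and decapsulates it again with the checks a receiving VTEP performs (outer checksum, VXLAN port, VNI-valid flag). The VTEP addresses, the VNI and the inner frame are assumptions chosen for illustration; the outer Ethernet header is counted in the overhead but not built.

```python
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08
VNI_MAX = (1 << 24) - 1                          # VNI is a 24-bit field
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
UDP_HDR = struct.Struct("!HHHH")
VXLAN_HDR = struct.Struct("!II")                 # flags(8) | reserved(24) || VNI(24) | reserved(8)
OUTER_ETH_LEN = 14
ENCAP_OVERHEAD = OUTER_ETH_LEN + IPV4_HDR.size + UDP_HDR.size + VXLAN_HDR.size  # 50 bytes per copy

# Constructed sample: a minimum-size Ethernet frame carrying an ARP broadcast from aa:aa:aa:aa:aa:aa.
ARP_BROADCAST_FRAME = b"\xff" * 6 + bytes.fromhex("aaaaaaaaaaaa") + b"\x08\x06" + b"\x00" * 46


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def vxlan_encap(inner_frame, vni, src_vtep, dst_vtep):
    """Wrap one layer 2 frame in IPv4/UDP/VXLAN addressed to a single remote VTEP."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    vxlan = VXLAN_HDR.pack(VXLAN_FLAG_VNI_VALID << 24, vni << 8)
    # Source port is derived from the inner MAC addresses so ECMP in the underlay can spread flows.
    src_port = 49152 + zlib.crc32(inner_frame[:12]) % 16384
    udp_len = UDP_HDR.size + len(vxlan) + len(inner_frame)
    udp = UDP_HDR.pack(src_port, VXLAN_UDP_PORT, udp_len, 0)   # UDP checksum 0 is permitted for IPv4
    src = ipaddress.IPv4Address(src_vtep).packed
    dst = ipaddress.IPv4Address(dst_vtep).packed
    ip_hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + udp_len, 0, 0x4000, 64, 17, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp + vxlan + inner_frame


def vxlan_decap(packet):
    """Strip the outer headers; return (src_vtep, vni, inner_frame) or raise ValueError."""
    ver_ihl, _, _, _, _, _, proto, _, src, _ = IPV4_HDR.unpack_from(packet)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    _, dst_port, udp_len, _ = UDP_HDR.unpack_from(packet, ihl)
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    word0, word1 = VXLAN_HDR.unpack_from(packet, ihl + UDP_HDR.size)
    if not (word0 >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag clear; a VTEP must drop this packet")
    vni = (word1 >> 8) & VNI_MAX
    start = ihl + UDP_HDR.size + VXLAN_HDR.size
    return str(ipaddress.IPv4Address(src)), vni, packet[start:ihl + udp_len]


def head_end_replicate(inner_frame, vni, local_vtep, remote_vteps):
    """Unicast approach: the source emits one encapsulated copy per remote VTEP in the virtual network."""
    return [vxlan_encap(inner_frame, vni, local_vtep, peer) for peer in remote_vteps]


def wire_bytes_for_broadcast(frame_len, n_remote_vteps):
    """Bytes the source puts on the wire for one broadcast frame, outer Ethernet included."""
    return n_remote_vteps * (frame_len + ENCAP_OVERHEAD)


if __name__ == "__main__":
    peers = ["10.1.2.1", "10.1.3.1", "10.1.4.1"]
    copies = head_end_replicate(ARP_BROADCAST_FRAME, 5001, "10.1.1.1", peers)
    print(len(copies), "copies,", wire_bytes_for_broadcast(len(ARP_BROADCAST_FRAME), len(peers)), "bytes on the wire")
    print(vxlan_decap(copies[0])[:2])
```

The linear factor is the point: every remote VTEP in the virtual network costs the source another 110 bytes (60 + 50) of CPU and uplink per ARP request, so an attacker who floods ARP requests into a virtual network spanning many hosts multiplies the damage by the number of endpoints it spans.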
Furthermore, both the multicast and the unicast approach consume not only network resources within a subnet but also resources on the routers between subnets. Compared with the same attack on a physical layer 2 network, a DoS attack that floods ARP packets into a virtual layer 2 network can therefore have a much larger impact.