Malicious virtual machine alert generator

US2016255103A1 · US · A1

Patent metadata

Publication number: US-2016255103-A1
Application number: US-201414768960-A
Country: US
Kind code: A1
Filing date: Oct 30, 2014
Priority date: Oct 30, 2014
Publication date: Sep 1, 2016
Grant date:

Abstract

Official abstract text for this publication.

Technologies are generally described for methods and systems effective to generate an alert in a data center. In some examples, a device may detect an execution of a virtual machine in the data center. The device may also analyze traffic data at a port that may be in the data center. The traffic data may be associated with a communication from the virtual machine to a destination address through the port. The device may also compare the destination address with a data center address of the data center. The device may also generate the alert based on the comparison.

Claims

What is claimed is:

1. A method to generate an alert, the method comprising, by a device: detecting an execution of a virtual machine in a data center; analyzing traffic data at a port in the data center, wherein the traffic data is associated with a communication from the virtual machine to a destination address through the port; comparing the destination address with a data center address of the data center; and generating the alert based on the comparison.

2. The method of claim 1, further comprising: signing, by the device, the alert; and sending the alert to the destination address.

3. The method of claim 1, further comprising: receiving an instruction from the destination address to restrict the execution of the virtual machine; and restricting the execution of the virtual machine.

4. The method of claim 1, wherein generating the alert includes: identifying binding data associated with the virtual machine, wherein the binding data is effective to indicate a binding between the virtual machine and the port, and the binding data includes an identification of the virtual machine; and generating the alert to include the identification.

5. The method of claim 1, wherein when the comparison indicates a mismatch between the destination address and the data center address, the method further comprises, prior to generating the alert: determining a count associated with the mismatch; and comparing the count with a threshold, wherein generation of the alert is further based on the comparison of the count with the threshold.

6. The method of claim 5, prior to determining the count, the method further comprising: generating a signal in response to the mismatch; and sending the signal to a counter to increment the count.

7. The method of claim 1, wherein generating the alert is performed in response to a mismatch between the destination address and the data center address.

8. The method of claim 1, wherein the alert is an ICMP (Internet Control Message Protocol) message.

9. The method of claim 1, wherein the port is a first port, the traffic data is first traffic data, the communication is a first communication, the destination address is a first destination address, the method further comprising: prior to generating the alert, analyzing second traffic data at a second port in the data center, wherein the second traffic data is associated with a second communication from the virtual machine to a second destination address through the second port; comparing the second destination address with the data center address of the data center; determining a first count associated with a first mismatch between the first destination address and the data center address; determining a second count associated with a second mismatch between the second destination address and the data center address; determining a total count based on a combination of the first count and the second count; comparing the total count with a threshold, wherein generation of the alert is further based on the comparison of the total count with the threshold.

10. A system effective to generate an alert in a data center, the system comprising: a memory configured to store a data center address of the data center; a port; a processor configured to be in communication with the memory and the port, the processor being configured to execute a virtual machine in the data center; a device configured to be in communication with the memory, the port, and the processor, the device being configured to: detect the execution of a virtual machine; analyze traffic data at the port, wherein the traffic data is associated with a communication from the virtual machine to a destination address through the port; compare the destination address with the data center address; and generate the alert based on the comparison.

11. The system of claim 10, wherein the device is further configured to: sign the alert; and send the alert to the destination address.

12. The system of claim 10, wherein the device is further configured to: receive an instruction from the destination address to restrict the execution of the virtual machine; and restrict the execution of the virtual machine.

13. The system of claim 10, wherein the memory is further configured to store binding data associated with the virtual machine, wherein the binding data is effective to indicate a binding between the virtual machine and the port, and the binding data includes an identification of the virtual machine, the device being further configured to: identify the binding data; and generate the alert to include the identification.

14. The system of claim 10, further comprising a counter configured to be in communication with the device, wherein the memory is further configured to store a threshold, and the device is further configured to: generate a signal in response to a mismatch indicated by the comparison between the destination address and the data center address; send the signal to the counter to increment a count associated with the mismatch; and compare the count with the threshold, wherein generation of the alert is further based on the comparison of the count with the threshold.

15. The system of claim 10, wherein the alert is an ICMP (Internet Control Message Protocol) message.

16. A device effective to generate an alert in a data center, the device comprising: a memory configured to store a threshold; a counter configured to store a count; a processor configured to be in communication with the memory and the counter, the processor being configured to: receive a data center address of the data center; detect an execution of a virtual machine in the data center; analyze traffic data at a port of the data center, wherein the traffic data is associated with a communication from the virtual machine to a destination address through the port; compare the destination address with the data center address; control the counter to increment the count based on the comparison of the destination address with the data center address; compare the count with the threshold; and generate the alert based on the comparison of the count with the threshold.

17. The device of claim 16, wherein the processor is further configured to: sign the alert; and send the alert to the destination address.

18. The device of claim 16, wherein the processor is further configured to: receive an instruction from the destination address to restrict the execution of the virtual machine; and restrict the execution of the virtual machine.

19. The device of claim 16, wherein the processor is further configured to: receive binding data associated with the virtual machine, wherein the binding data is effective to indicate a binding between the virtual machine and the port, and the binding data includes an identification of the virtual machine; and generate the alert to include the identification.

20. The device of claim 16, wherein the alert is an ICMP (Internet Control Message Protocol) message.
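The detection logic the claims describe, as an added example that is not the patent's own code: the data center address is assumed to be a CIDR prefix, binding data a port-to-VM map, traffic records (port, destination) pairs, and the per-VM mismatch count is totalled across every port the VM is bound to (claim 9) before it is compared with the threshold; the alert is a signed dict (HMAC is an assumption, as is the "count reaches threshold" rule) rather than the ICMP message of claim 8.

```python
"""Alert generator modelled on the claims above. Added example; all values constructed."""
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample state for the device (hypothetical addresses, ports, VM ids, key).
DATA_CENTER_ADDRESS = ipaddress.ip_network("10.0.0.0/8")
BINDING_DATA = {"port-1": "vm-42", "port-2": "vm-42", "port-3": "vm-7"}  # port -> VM id
THRESHOLD = 3
SIGNING_KEY = b"device-key-placeholder"

# Constructed traffic data: (port the traffic was seen at, destination address).
TRAFFIC = [
    ("port-1", "10.1.2.3"),       # inside the data center address: no mismatch
    ("port-1", "198.51.100.9"),   # mismatch for vm-42 via port-1
    ("port-2", "203.0.113.5"),    # mismatch for vm-42 via port-2
    ("port-1", "198.51.100.9"),   # mismatch for vm-42 via port-1
    ("port-3", "192.0.2.1"),      # single mismatch for vm-7
]

def is_mismatch(destination, dc_address=DATA_CENTER_ADDRESS):
    """Compare the destination address with the data center address (claim 1)."""
    return ipaddress.ip_address(destination) not in dc_address

def count_mismatches(traffic, binding=BINDING_DATA):
    """Total mismatch count per VM, combined across all of its bound ports (claims 5, 9)."""
    counts = Counter()
    for port, destination in traffic:
        vm_id = binding.get(port)  # binding data identifies the VM behind the port (claim 4)
        if vm_id is not None and is_mismatch(destination):
            counts[vm_id] += 1     # the "signal to the counter" of claim 6
    return counts

def _message(alert):
    return f"{alert['vm_id']}:{alert['mismatch_count']}".encode()

def sign_alert(alert, key=SIGNING_KEY):
    """Sign the alert so the recipient can check its origin (claim 2); HMAC-SHA256 is an assumption."""
    return hmac.new(key, _message(alert), hashlib.sha256).hexdigest()

def verify_alert(alert, key=SIGNING_KEY):
    """Recipient-side check of the signature produced by sign_alert."""
    return hmac.compare_digest(sign_alert(alert, key), alert["signature"])

def generate_alerts(traffic, threshold=THRESHOLD):
    """Emit one signed alert, carrying the VM identification, per VM at or over the threshold."""
    alerts = []
    for vm_id, count in count_mismatches(traffic).items():
        if count >= threshold:
            alert = {"vm_id": vm_id, "mismatch_count": count}
            alert["signature"] = sign_alert(alert)
            alerts.append(alert)
    return alerts
```

With the constructed traffic, vm-42 reaches the threshold only because its two ports are counted together; vm-7 stays below it and produces no alert.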

Assignees

Empire Technology Dev Llc

Inventors

Classifications

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016255103A1 cover?
Technologies are generally described for methods and systems effective to generate an alert in a data center. In some examples, a device may detect an execution of a virtual machine in the data center. The device may also analyze traffic data at a port that may be in the data center. The traffic data may be associated with a communication from the virtual machine to a destination address throug…
Who is the assignee on this patent?
Empire Technology Dev Llc
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 1, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).