
The attacks


oles@ovh.net
05-19-2011, 03:26 PM
http://status.ovh.net/?do=details&id=1449

Following an ongoing attack on an IP, we
fine-tuned the rules and decreased the burst
authorized during an attack from 10000 to 8000.
The attack has gone from 70Mbps to 10Mbps. It goes on
but no longer has any impact on the server.

#sh inter f0/15 | i 30 sec
30 second input rate 2822000 bits/sec, 303 packets/sec
30 second output rate 62419000 bits/sec, 121785 packets/sec
[...]
#sh inter f0/15 | i 30 sec
30 second input rate 5422000 bits/sec, 585 packets/sec
30 second output rate 10334000 bits/sec, 20076 packets/sec

Let us know if a tracing problem exists.

oles@ovh.net
05-18-2011, 09:36 AM
Hello,

Protections against attacks are giving us very
good results. We have had to intervene only once
in several days, while we usually
must manage multiple attacks per day.

An example of an attack that started yesterday at 22H
and which continues: 4Gbps UDP to an IP at OVH.
http://demo.ovh.net/fr/ba3c2a2c8e7d35f18e9c6dcf88ab240d/

Our protections filter this attack and the only
evidence that there is an ongoing attack is this graph.
Which is not bad.

We have had other attacks on
shared hosting at this time. The infrastructure did not
hold out and there were 2 crashes in about two days.
We temporarily withdrew the AX from
production (the traffic passing by the lowest stage
done with the ACE). Then we improved
these settings to avoid crashes.

In short, attacks are part of the daily life of a
hoster and part of the business. It's not
a war we are going to win. We just
repel the attacks without the customers being
impacted. That's the challenge ...

Thank you for your feedback if you see
fewer attacks, fewer problems, fewer "weird" things
that no longer happen, or if it's the same
and nothing has changed, or if it is the worst and totally catastrophic,
an outrage and they want the skin of OVH? Thank you in
advance for the feedback!

Regards,
Octave.

oles@ovh.net
05-13-2011, 07:56 AM
Hello,

Following the introduction of the protections against attacks
on the UDP layer, after 24h we haven't had to intervene
to protect the infrastructure. We received a tenth of the
usual attacks that did not have any effect on our
customers.

We can estimate that the settings are correct
and sufficient. Done fast, done well.

Yes! Let's hope it lasts.

The summary:

- We've set up protection at the entrance of
our network: we limit UDP traffic to 50Mbps per
source IP, i.e. a specific IP on the Internet
cannot send more than 50Mbps of UDP to the OVH
network.

- We have put in place protection on the data center
routers: we limit UDP traffic to 50Mbps per
destination IP, i.e. a specific IP at OVH
cannot get more than 50Mbps of UDP traffic from the Internet.

The summary of protections already in place (for the past 1-2 years):
- We have a restriction by IP source to 32Kbps
towards OVH on ICMP layer and TCP/SYN (with some exceptions).

The VPS and mC have the following protections:
- 100Mbps per IP over TCP
- 5Mbps per IP over UDP
- 32Kbps per IP over ICMP

There are no other limitations and we don't foresee
any more new ones.

We had a good welcome for putting in place these
protections. One client was not happy and we've received
plenty of feedback with a "uufff". I think these
protections create a good added value to our offers
because they strengthen the security services that
we offer to our customers. Whether it's a game server,
a website or a DSL connection, to receive a competitor's
DoS attack is very unpleasant. At OVH, you're
now protected against the mood of your competitors.

Regards
Octave
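
The two limits summarized in the post above, modeled as token-bucket policers. This is an added example, not part of the original posts and not OVH's configuration. The burst unit, packet size and addresses are assumptions constructed for the simulation. It shows why the per-destination limit is still needed once the per-source limit is in place: many sources that each stay under 50Mbps pass the first stage untouched.

```python
from collections import defaultdict

LIMIT_BPS = 50_000_000   # 50 Mbps UDP per IP, as stated in the post
BURST_BYTES = 8000       # assumption: the thread quotes 8000 without a unit
PKT = 1250               # constructed UDP packet size in bytes (10,000 bits)

class Policer:
    """Token-bucket policer with one bucket per value of `key` ('src' or 'dst')."""
    def __init__(self, key, rate_bps=LIMIT_BPS, burst=BURST_BYTES):
        self.key, self.rate, self.burst = key, rate_bps / 8, burst
        self.tokens = defaultdict(lambda: burst)   # every bucket starts full
        self.last = {}

    def allow(self, now, pkt):
        k = pkt[self.key]
        elapsed = now - self.last.get(k, now)
        self.last[k] = now
        self.tokens[k] = min(self.burst, self.tokens[k] + elapsed * self.rate)
        if self.tokens[k] < pkt["size"]:
            return False                            # over the limit: drop
        self.tokens[k] -= pkt["size"]
        return True

def simulate(n_sources, mbps_each, seconds=1.0, dst_stage=True):
    """Mbps of UDP that reaches one victim IP from n_sources senders."""
    edge = Policer("src")   # network entrance: limit per source IP
    dc = Policer("dst")     # datacenter router: limit per destination IP
    pps = int(mbps_each * 1_000_000 / (PKT * 8))
    delivered = 0
    for i in range(int(pps * seconds)):
        now = i / pps
        for s in range(n_sources):
            # Constructed traffic using documentation address ranges.
            pkt = {"src": f"198.51.100.{s}", "dst": "203.0.113.10", "size": PKT}
            if edge.allow(now, pkt) and (not dst_stage or dc.allow(now, pkt)):
                delivered += PKT
    return delivered * 8 / seconds / 1_000_000

if __name__ == "__main__":
    print("1 source x 400 Mbps, source limit only:", simulate(1, 400, dst_stage=False))
    print("20 sources x 40 Mbps, source limit only:", simulate(20, 40, dst_stage=False))
    print("20 sources x 40 Mbps, both limits:", simulate(20, 40))
```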

oles@ovh.net
05-12-2011, 02:12 PM
http://status.ovh.ie/?do=details&id=1449

We have activated the protections in the datacentres:

vrack: done
HG 2010/2011: already done
pCC: done

oles@ovh.net
05-12-2011, 11:02 AM
Hello,

At the gateway to the backbone, we have just changed the
configuration. We are removing the filter on the whole
IP layer and we will only keep the UDP.

Thus, any IP on the Internet is now limited to 50Mbps UDP
across the entire OVH network.

If you have problems, do let us know.
This is important to us and we will endeavor to refine this in any way possible.
It's always the same email as usual if it's a matter of life or death: oles@ovh.net

Early this afternoon, we'll continue to refine
this process to reach the final 3 new rules:

- limitation on UDP of source IP to OVH
currently limited to 50Mbps and we will try
to go down to 20Mbps by around 14:00

- limitation on UDP of destination IP to OVH
currently implemented on the HG network
to 50Mbps. We do not yet know whether it's useful and
whether to configure it on all routers

- limitation on UDP of OVH source IP to the Internet
is not yet in place. The goal is to prevent an
OVH server sending an attack towards the Internet.

Regards
Octave

oles@ovh.net
05-12-2011, 12:06 AM
Good evening,

Considering the number of attacks that we
are receiving every day, we decided to
get out our battle axe. We cannot allow this anymore.
Today alone, there are more than 30 attacks
and they've impacted on of our clients networks for our resulting in
temporary degradation of the service.

So:

A source IP (the Internet) cannot send
more than 50Mbps across the OVH network on the
IP layer. Ultimately, we will apply it only to the
UDP layer.

We've also added a limitation to the
HG network to the destination IP on UDP
from all the IPs to 50Mbps.

If you have problems please send an email
to oles@ovh.net or noc@ovh.net

More:
http://status.ovh.net/?do=details&id=1449

Regards
Octave