Protection from Spoofing attack


oles@ovh.net
02-27-2011, 07:56 AM
We have improved protection from attacks on
our network, in particular the spoofing attacks made with
our IPs which come from the Internet. This type of attack
is now blocked.

This will fix the problem of anti-hack that about 300 customers
have received since Friday night. All these servers are now
in normal operating condition.

Apologies for the problem.

Regards,

Octave

More:
http://status.ovh.net/?do=details&id...45e7e7ddf41980

-----------------------------------------------------------------

An IT client (a hacker) has ordered 15 servers. They used
some servers to launch attacks and scans. They were
placed in "anti hack" several times (rescue) to protect our
network and the other networks on the Internet.

Until then there is nothing new. This is usual.

One server, 94.23.4.70, has been used to attack other
hackers on the net. We received attacks on 94.23.4.70.
As is custom, we have put in place the protections used by the
teams 24/24 to block these attacks.

Still no new updates.

As the blocks were very efficient, the hackers attacking 94.23.4.70,
who were not satisfied with the result of their attacks, launched a
spoofing attack from the Internet with OVH's IPs. It's a (nice) way to
get through the safety features and the automatic traffic limitations
in case of attack. Because if an IP packet is sent from the Internet
(from wherever) with the "spoofed" source 94.23.4.70 port 80, it will
arrive on an OVH dedicated server's IP.
This server (which requested nothing) responded to 94.23.4.70
on port 80: "I did not request anything, cancel the connection." In
launching this massive spoof, the hackers caused an attack to be
launched from the network to an OVH IP; 94.23.4.70:80 was the victim.
This 500 Mbps attack was launched on Friday 25th around 8:00pm.

OVH analyses all traffic and detects internal network attacks, at which point we
intervene to block the attacks. We detected that
fewer than 300 servers at OVH launched an attack on 94.23.4.70
and we put them into rescue mode to protect the network.

This is one of those exceptional cases of a false positive
and so, tonight we will return all these servers to their normal state.

To avoid this flaw, we have additional protection
on incoming traffic to our network from the Internet.
We can no longer send packets from source IPs.
This has been blocked and the problem is now fixed.

Apologies for the problems that this created.

In parallel, some information: all dedicated servers on
our network which are connected to our switches will have the same type of protection,
i.e. they cannot initiate traffic from the IP
that is allocated on the server (the switch port). On
each port of each switch there will be an access-list with the IP
which can send traffic. We cannot use them to
spoof and let this kind of attack occur again on the OVH network or the Internet.
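
The reflection described in this post, and the two filters announced as the fix, modelled as an added example that is not part of the original post or OVH's own configuration. The 94.23.0.0/16 prefix, the switch port names, the server IPs and the sample packets are assumptions constructed for illustration; only 94.23.4.70:80 comes from the post.

```python
import ipaddress

# Assumption: the operator's own address space (constructed for this example).
OWN_PREFIXES = [ipaddress.ip_network("94.23.0.0/16")]
# Assumption: switch port -> the single IP allocated to the server behind it.
PORT_ACL = {"sw1/1": "94.23.10.5", "sw1/2": "94.23.10.6"}

def is_own(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_PREFIXES)

def border_allows(src):
    """Internet-facing ingress: reject packets claiming one of our own sources."""
    return not is_own(src)

def port_allows(port, src):
    """Per-switch-port access list: only the allocated IP may source traffic."""
    return PORT_ACL.get(port) == src

def replies_by_claimed_source(packets, border_filter):
    """Count replies internal servers send back to each claimed source.

    packets: (src, sport, dst, dport) tuples arriving from the Internet.
    A server answers whatever source the packet claims (with a reset when
    it never opened the connection), so a spoofed internal source ends up
    receiving traffic from every server the spoofed packets reached.
    """
    hits = {}
    for src, sport, dst, dport in packets:
        if border_filter and not border_allows(src):
            continue  # dropped at the edge, no server ever sees it
        if is_own(dst):
            hits[(src, sport)] = hits.get((src, sport), 0) + 1
    return hits

# Constructed sample: three packets spoofing 94.23.4.70:80, one genuine client.
SAMPLE = [
    ("94.23.4.70", 80, "94.23.10.5", 4321),
    ("94.23.4.70", 80, "94.23.10.6", 4322),
    ("94.23.4.70", 80, "94.23.10.5", 4323),
    ("198.51.100.7", 51000, "94.23.10.5", 443),
]

if __name__ == "__main__":
    print("no filter:", replies_by_claimed_source(SAMPLE, border_filter=False))
    print("filtered :", replies_by_claimed_source(SAMPLE, border_filter=True))
    print("port ACL :", port_allows("sw1/1", "94.23.10.5"),
          port_allows("sw1/1", "94.23.4.70"))
```

Without the border filter the internal servers appear to be sending traffic to 94.23.4.70:80, which is what the attack detection saw; with it, the spoofed packets never reach a server.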