ovh / infrastructure-roadmap


ovh internal ddos attacks #173

Open guno1928 opened 4 months ago

guno1928 commented 4 months ago

When will OVH internal DDoS attacks be fixed? It's way too easy to buy OVH servers from resellers for $5 and use them to attack other OVH servers, bypassing the pre-firewall and any mitigation and clogging the port, leading to an unstable network.

Ikfes commented 4 months ago

@jslocinski Can you move this under: Anti-DDoS Infrastructure

Currently it's showing under: No Main Product

Ikfes commented 4 months ago

@jslocinski Suggestion about how to implement:

Boolean toggle button (On/Off, default Off): restrict connections from other OVHcloud services. Optional: a connection whitelist, either by IP/subnet/CIDR or by choosing your own services, similar to how the dedicated servers' FTP Backup whitelisting works. The former if you wish to allow any OVHcloud range to be whitelisted (e.g. a friend's server), the latter if you want to copy the FTP Backup whitelisting functionality and encourage/force users to purchase services in order to select them for whitelisting.

Technically this button could either fully restrict traffic internally, or work as an alert for an automatic outgoing-DDoS traffic detection system. If it's toggled on, the abuse system would know that my IP does not expect such traffic, and could report the internal source to the abuse system.

OpenSource03 commented 3 months ago

Any suggestions on how to fix it meanwhile?

guno1928 commented 3 months ago

> Any suggestions on how to fix it meanwhile?

You can of course block it at the application layer, but that's about it. The raw traffic intended to clog your port does not get mitigated by OVH. And I have started to notice that certain hosts also have a reputation for being good for DDoSing OVH servers, which also cost $5.

OpenSource03 commented 3 months ago

Another thing to mention here is that not only can someone buy servers from OVH or their resellers to bypass the protection, but there is also an IP spoofing attack which puts OVH IPs in the packet headers, spoofing the real IP so that OVH believes it's part of their network; it passes all TCP traffic without any filtering.

guno1928 commented 3 months ago

> Another thing to mention here is that not only can someone buy servers from OVH or their resellers to bypass the protection, but there is also an IP spoofing attack which puts OVH IPs in the packet headers, spoofing the real IP so that OVH believes it's part of their network; it passes all TCP traffic without any filtering.

IP spoofing with an OVH IP does not actually work the same as using an actual OVHcloud server. For example, if I block ICMP on the pre-firewall they can still send ICMP packets to my server. When using an OVHcloud server to DoS another, it completely ignores the pre-firewall and any firewall OVH has in place. If you were to try to spoof and do this, it would not work.

OpenSource03 commented 3 months ago

> Another thing to mention here is that not only can someone buy servers from OVH or their resellers to bypass the protection, but there is also an IP spoofing attack which puts OVH IPs in the packet headers, spoofing the real IP so that OVH believes it's part of their network; it passes all TCP traffic without any filtering.

> IP spoofing with an OVH IP does not actually work the same as using an actual OVHcloud server. For example, if I block ICMP on the pre-firewall they can still send ICMP packets to my server. When using an OVHcloud server to DoS another, it completely ignores the pre-firewall and any firewall OVH has in place. If you were to try to spoof and do this, it would not work.

I have a guy who tested it: 100% of the attack passes completely with random OVH IPs from around the world, even exotic OVH IPs like Africa that you would not normally see. He can also pass traffic to ports behind the firewall like it doesn't even exist (apparently only TCP).

jslocinski commented 2 months ago

There is an internal attack mitigation system which aims at eliminating abuse at the source for east-west traffic. It is independent from Anti-DDoS Infrastructure, which is located at the edge/core of the network and aims to protect as close to the origin as possible for north-south traffic. Eliminating abuse internally is at a different complexity level (and different logic) than blocking inbound traffic. I will report that and see what actions can be taken here.

The second topic mentioned, OVH-spoofed IPs: I propose creating a separate issue from this one and we will tackle it inside the Anti-DDoS Infrastructure perimeter.

OpenSource03 commented 2 months ago

> There is an internal attack mitigation system which aims at eliminating abuse at the source for east-west traffic. It is independent from Anti-DDoS Infrastructure, which is located at the edge/core of the network and aims to protect as close to the origin as possible for north-south traffic. Eliminating abuse internally is at a different complexity level (and different logic) than blocking inbound traffic. I will report that and see what actions can be taken here.

> The second topic mentioned, OVH-spoofed IPs: I propose creating a separate issue from this one and we will tackle it inside the Anti-DDoS Infrastructure perimeter.

Created #182

By the way, when I told that to OVH support representatives, they kept telling me that I misconfigured the firewall (because I didn't allow ICMP and didn't enable TCP established as the first rule, as per the guide), and when I configured it exactly like they wanted, they told me that I hadn't turned it on (even though while under attack it turns on forcibly), even though they could clearly see from the PCAP that the attack passed the firewall on closed ports, where all IPs were random OVH IPs :))))

Please find a way to fix it. I would like to use your services, but it is not possible with these issues...
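The two claims in this thread that a practitioner would want to check from a capture are (a) what the "restrict connections from other OVHcloud services" toggle proposed above would actually do to each inbound segment, and (b) what share of an attack carries source addresses inside the provider's own space and lands on ports the firewall should have closed. The script below is an added example and is not code from OVH or from anyone in this thread. It builds a small constructed pcap inline (the packet list, the target address 203.0.113.10 and the closed port 27015 are all made up), parses it with a minimal Ethernet/IPv4/TCP decoder, and applies the toggle policy with both the "drop" and "alert" modes Ikfes describes. The prefixes 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges standing in for the provider's announced prefixes; the single whitelisted peer 198.51.100.7 is a hypothetical owned service. Note that a host-side check like this cannot tell a spoofed provider address from a real neighbour, which is exactly the gap the PCAP discussion above describes; it can only classify what arrives.

```python
"""Classify inbound TCP from a pcap against a 'restrict internal traffic' policy.

Added example, not OVH's or the issue author's code. Prefixes, whitelist and the
embedded capture are constructed placeholders (RFC 5737 documentation ranges).
"""
import ipaddress
import struct
from collections import Counter

# Constructed stand-ins for the provider's announced prefixes (NOT real OVH space).
PROVIDER_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
# Hypothetical whitelist: the one peer service this host expects traffic from.
WHITELIST = [ipaddress.ip_network("198.51.100.7/32")]
# Ports the host-side firewall is supposed to expose; everything else is "closed".
OPEN_TCP_PORTS = {22, 443}


def in_any(addr, nets):
    """True if the dotted-quad address falls inside any of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def verdict(src, dst_port, restrict_internal=True, mode="drop"):
    """What the proposed toggle does with one inbound segment.

    restrict_internal: the On/Off toggle.  mode: 'drop' blocks provider-internal
    sources outright, 'alert' lets them through but flags them for the abuse system.
    """
    if dst_port not in OPEN_TCP_PORTS:
        return "drop"                      # closed port: nothing to allow in any mode
    if in_any(src, WHITELIST):
        return "allow"                     # explicitly whitelisted owned/friend service
    if restrict_internal and in_any(src, PROVIDER_PREFIXES):
        return "drop" if mode == "drop" else "alert"
    return "allow"


# --- minimal pcap writer/reader: linktype 1 (Ethernet), IPv4, TCP, no options ---
def build_pcap(packets):
    """packets: iterable of (src, dst, sport, dport, tcp_flags). Returns pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    for src, dst, sport, dport, flags in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp                  # dummy MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP frame in the capture."""
    magic, = struct.unpack_from("<I", data, 0)
    assert magic == 0xA1B2C3D4, "only little-endian microsecond pcap is handled here"
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                              # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                              # not TCP
        ihl = (ip[0] & 0x0F) * 4
        src = str(ipaddress.ip_address(ip[12:16]))
        dst = str(ipaddress.ip_address(ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, sport, dport, tcp[13]


def analyse(data, restrict_internal=True, mode="drop"):
    """Summarise a capture: how much came from provider space, hit closed ports, and
    what the policy verdict would have been for each segment."""
    counts = Counter()
    for src, _dst, _sport, dport, _flags in parse_pcap(data):
        counts["total"] += 1
        if in_any(src, PROVIDER_PREFIXES):
            counts["from_provider"] += 1
        if dport not in OPEN_TCP_PORTS:
            counts["closed_port"] += 1
        counts[verdict(src, dport, restrict_internal, mode)] += 1
    return dict(counts)


# Constructed capture: a PSH/ACK flood from provider-space addresses at a closed port and
# at an open port, one whitelisted peer, and one ordinary internet client.
PSH_ACK = 0x18
SAMPLE = build_pcap(
    [("192.0.2.%d" % i, "203.0.113.10", 40000 + i, 27015, PSH_ACK) for i in range(1, 41)]
    + [("198.51.100.%d" % i, "203.0.113.10", 50000 + i, 443, PSH_ACK) for i in range(20, 60)]
    + [("198.51.100.7", "203.0.113.10", 51000, 443, 0x02),
       ("203.0.113.200", "203.0.113.10", 52000, 443, 0x02)]
)

if __name__ == "__main__":
    for mode in ("drop", "alert"):
        print(mode, analyse(SAMPLE, mode=mode))
    print("toggle off", analyse(SAMPLE, restrict_internal=False))
```

With the toggle on in "drop" mode the 80 flood segments are all dropped (40 because the port is closed anyway, 40 because the source is inside provider space) and only the whitelisted peer and the outside client get through; in "alert" mode the 40 segments at the open port are admitted but flagged, which is the behaviour that would hand the abuse system a source to act on. To run it against a real capture, replace SAMPLE with the bytes of a file written by tcpdump in the classic pcap format and the placeholder prefixes with the ranges you actually want to treat as internal.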

guno1928 commented 2 months ago

> There is an internal attack mitigation system which aims at eliminating abuse at the source for east-west traffic. It is independent from Anti-DDoS Infrastructure, which is located at the edge/core of the network and aims to protect as close to the origin as possible for north-south traffic. Eliminating abuse internally is at a different complexity level (and different logic) than blocking inbound traffic. I will report that and see what actions can be taken here.

> The second topic mentioned, OVH-spoofed IPs: I propose creating a separate issue from this one and we will tackle it inside the Anti-DDoS Infrastructure perimeter.

> Created #182

> By the way, when I told that to OVH support representatives, they kept telling me that I misconfigured the firewall (because I didn't allow ICMP and didn't enable TCP established as the first rule, as per the guide), and when I configured it exactly like they wanted, they told me that I hadn't turned it on (even though while under attack it turns on forcibly), even though they could clearly see from the PCAP that the attack passed the firewall on closed ports, where all IPs were random OVH IPs :))))

> Please find a way to fix it. I would like to use your services, but it is not possible with these issues...

Yes, I have this problem as well; they just pin the blame on the client. I'm currently having issues where 9 gigs of TCP PSH/ACK is coming into my dedi, and when I showed them a PCAP they said I misconfigured my firewall.

guno1928 commented 2 months ago

> There is an internal attack mitigation system which aims at eliminating abuse at the source for east-west traffic. It is independent from Anti-DDoS Infrastructure, which is located at the edge/core of the network and aims to protect as close to the origin as possible for north-south traffic. Eliminating abuse internally is at a different complexity level (and different logic) than blocking inbound traffic. I will report that and see what actions can be taken here.

> The second topic mentioned, OVH-spoofed IPs: I propose creating a separate issue from this one and we will tackle it inside the Anti-DDoS Infrastructure perimeter.

OVH game servers actually stop internal attacks really well; of course they still leak in, but not as much as on the normal dedis.