ovh / infrastructure-roadmap

Agile roadmap for OVHcloud for Baremetal, Network and Storage IaaS services. Discover the features our product teams are working on, comment and influence our backlog.
https://github.com/orgs/ovh/projects/16

OVH DDoS protection cuts Cloudflare traffic. #177

Open Gawnz1 opened 8 months ago

Gawnz1 commented 8 months ago

Hello, not sure if this is the right title or place, but I'm posting here since it's DDoS related.

Explanation: I am a Cloudflare and OVH user. While under attack, or under high traffic coming from Cloudflare IPs, OVH DDoS protection kicks in and rejects the traffic, and then the proxied site is offline. I know this is the default and logical behaviour of the DDoS system at OVH, but is there a way to tweak something, or for you to set up higher limits for CF specifically?

frhtslyn commented 3 months ago

Hi, while browsing the internet I saw your post. For example, after blocking IPv4/6, a feature like a button could be added to allow only the Cloudflare IP blocks to be included in the OVH firewall's allow list. This would result in much cleaner traffic. At least the remaining traffic could be filtered through Cloudflare.

Thanks.

Gawnz1 commented 3 months ago

I think that the problem is when OVH sets higher limits for the Cloudflare IPv4/IPv6 ranges or whitelists them. Then the DDoSers start to hit with IPs from the Cloudflare IPv4/IPv6 range. This may be the biggest problem. A validation or something else is needed in that case, I am not sure.

@jslocinski, very sorry for the mention/tag. Should we use IPv6 instead of IPv4 so as not to trigger the anti-DDoS and end up with rate-limited Cloudflare IPs (proxied site offline)? Is there anything at all that can be done? If we whitelist, for example, (IPv4) in the network edge firewall, will they be blocked like in the case above once a rate-limit or anti-DDoS mitigation is activated?

For me, it seems that only IPv6 is a possible solution for now.
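The validation the two comments above are circling, shown as an added example (not code from this thread or from OVHcloud): a per-client rate limiter on the origin that trusts Cloudflare's CF-Connecting-IP header only when the TCP peer is actually a Cloudflare address. One edge IP carrying many visitors is then not throttled as a single client, while a direct hit on the origin with a forged header still counts against the attacker's own address. The CIDR list is an illustrative snapshot that a real deployment would refresh from https://www.cloudflare.com/ips/, and the log lines are constructed.

```python
"""Added example (not from the thread or OVHcloud): rate-limit by real client
instead of by Cloudflare edge IP, and only trust CF-Connecting-IP when the
connection genuinely arrived from a Cloudflare range."""
import ipaddress
from collections import Counter

# Illustrative snapshot of a few of Cloudflare's published egress ranges.
# Assumption: a real deployment refreshes this from https://www.cloudflare.com/ips/
# rather than hard-coding it.
CLOUDFLARE_CIDRS = [
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "104.16.0.0/13", "172.64.0.0/13", "2400:cb00::/32", "2606:4700::/32",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(c) for c in CLOUDFLARE_CIDRS]


def is_cloudflare(src_ip: str) -> bool:
    """True if the connection's source address lies in a Cloudflare range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def client_key(src_ip: str, headers: dict) -> str:
    """Identity a per-client rate limiter should count.

    CF-Connecting-IP is only meaningful when Cloudflare itself set it, which we
    can only believe when the TCP peer is a Cloudflare address. From any other
    peer the header is attacker-controlled and is ignored.
    """
    cf_ip = headers.get("CF-Connecting-IP")
    if cf_ip and is_cloudflare(src_ip):
        try:
            return str(ipaddress.ip_address(cf_ip))
        except ValueError:
            pass  # malformed header: fall through to the peer address
    return src_ip


def parse_line(line: str):
    """Parse the constructed log format: '<peer_ip> <cf_connecting_ip|-> <path>'."""
    peer, cf_ip, path = line.split()
    headers = {} if cf_ip == "-" else {"CF-Connecting-IP": cf_ip}
    return peer, headers, path


def over_limit(lines, threshold: int, per_client: bool) -> set:
    """Return the keys that exceed `threshold` requests in the sample.

    per_client=False reproduces the naive per-source-IP limiter from the thread:
    every visitor behind one Cloudflare edge IP is counted against that IP.
    """
    counts = Counter()
    for line in lines:
        peer, headers, _ = parse_line(line)
        counts[client_key(peer, headers) if per_client else peer] += 1
    return {key for key, n in counts.items() if n > threshold}


# Constructed sample, not real traffic: 30 distinct visitors proxied through one
# Cloudflare edge address, plus an attacker hitting the origin directly while
# forging CF-Connecting-IP to look like 30 different clients.
SAMPLE_LOG = [f"173.245.48.10 198.51.100.{i} /index.html" for i in range(1, 31)]
SAMPLE_LOG += [f"203.0.113.5 198.51.100.{i} /index.html" for i in range(1, 31)]


def demo(threshold: int = 10):
    """Compare the naive per-source limiter with the per-client one."""
    naive = over_limit(SAMPLE_LOG, threshold, per_client=False)
    keyed = over_limit(SAMPLE_LOG, threshold, per_client=True)
    return naive, keyed


if __name__ == "__main__":
    naive, keyed = demo()
    print("per-source-IP limiter blocks:", sorted(naive))  # includes the Cloudflare edge IP
    print("per-client limiter blocks:  ", sorted(keyed))  # only the direct attacker
```

This is application-layer logic on the origin. A network-level scrubber sees only packet headers, not HTTP headers, and a flood carrying spoofed Cloudflare source addresses looks identical to real edge traffic at that layer; that is the ownership-verification gap jslocinski's reply below describes. On the origin itself, Cloudflare's authenticated origin pulls (client-certificate TLS) is the stronger check, since a forged source address cannot complete that handshake.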

jslocinski commented 3 months ago

For now, there is no way to verify over time the ownership of such external IPs, which would allow us to treat them differently. We have tweaking in mind, but it is not available atm.

PS. A workaround that some customers are using is to spread the traffic across more IPs in OVHcloud.

axl303 commented 1 month ago

@jslocinski,

For now, there is no way to verify over time the ownership of such external IPs, which would allow us to treat them differently. We have tweaking in mind, but it is not available atm.

Is this "tweaking", or some other change (which would help us use the OVH services along with Cloudflare without being cut off by the Anti-DDoS/VAC/etc.), expected by the end of 2025?