
Re: The attacks


oles@ovh.net
19-05-11, 16:26
http://status.ovh.net/?do=details&id=1449


Following an ongoing attack on an IP, we are
fine-tuning the rules and we decreased the burst
authorized during an attack from 10000 to 8000.
The attack has gone from 70Mbps to 10Mbps. It goes on
but no longer has any impact on the server.

#sh inter f0/15 | i 30 sec
30 second input rate 2822000 bits/sec, 303 packets/sec
30 second output rate 62419000 bits/sec, 121785 packets/sec
[...]
#sh inter f0/15 | i 30 sec
30 second input rate 5422000 bits/sec, 585 packets/sec
30 second output rate 10334000 bits/sec, 20076 packets/sec

Let us know if any tracing problems exist.

oles@ovh.net
18-05-11, 10:36
Hello,

Protections against attacks give very good results. We had to intervene once in several days, while we usually must manage multiple attacks per day.

Example of an attack that started yesterday and has continued for 22 hours. 4Gbps UDP to an IP at OVH. http://demo.ovh.net/fr/ba3c2a2c8e7d3...6dcf88ab240d//

The protections filter this attack and the only evidence that there is an ongoing attack is this graph. Which is not bad.

We have had other attacks, on shared hosting this time. The infrastructure did not hold and there were 2 crashes in two days. We temporarily removed AX production (the traffic passing by the stage done with the lowest ACE). Then we improved these settings to avoid crashes.

In short, attacks are the daily life of a host and are part of the trade. It is not a war we win. It's just about repelling the attack without the customers being impacted. That's the challenge ...

Thank you for the feedback if you see fewer attacks, fewer problems, fewer "weird" things that can no longer, or if it's the same and nothing has changed, or is it the worst and total outrage and we want the skin of OVH? Thank you in advance for the feedback!

Regards
Octave

oles@ovh.net
13-05-11, 08:56
Hello,

Following the introduction of the protections against attacks
on the UDP layer, after 24h we haven't had to intervene
to protect the infrastructure. We received a 10th of the
usual attacks that did not have any effect on our
customers.

We can estimate that the settings are correct
and sufficient. Done fast, done well.

Yes! Let's hope it lasts.

The summary:

- we've set up protection at the entrance of
our network: we limit UDP traffic to 50Mbps per
source IP, i.e. a specific IP on the Internet
cannot send more than 50Mbps of UDP to the OVH
network.

- we have put in place protection on the data center
routers: we limit UDP traffic to 50Mbps per
destination IP, i.e. a specific IP at OVH
cannot get more than 50Mbps of UDP traffic from the Internet.

The summary of protections already in place (for the past 1-2 years):
- we have a restriction per source IP of 32Kbps
towards OVH on the ICMP layer and TCP/SYN (with some exceptions).

The VPS and mC have the following protections:
- 100Mbps per IP over TCP
- 5Mbps per IP over UDP
- 32Kbps per IP over ICMP

There are no other limitations and we don't foresee
any more new ones.

We had a good welcome for putting these
protections in place. 1 client was not happy and we've received
plenty of feedback with a "uufff". I think these
protections create a good added value to our offers
because they strengthen the security services that
we offer to our customers. Whether it's a game server,
a website or a DSL connection, to receive a competitor's
DoS attack is very unpleasant. At OVH, you're
now protected against the mood of your competitors.

Regards
Octave
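
The two 50Mbps UDP limits summarized in the post above, modelled as an added example; it is not part of the original post and not OVH's router configuration. It assumes a token-bucket policer, and the burst depth, packet size, addresses and all function names are constructed for illustration. It shows why both layers are needed: the per-source limit alone does not contain a flood spread over many sources.

```python
# Added illustration (not OVH's router configuration): integer token buckets.
# 1 Mbps == 1 bit per microsecond, so time is kept in microseconds.
from collections import defaultdict

UDP_LIMIT_MBPS = 50    # from the post: 50Mbps per source IP and per destination IP
BURST_BITS = 120_000   # assumption: bucket depth, not stated in the post
PKT_BITS = 8_000       # constructed traffic uses 1000-byte packets

class Policer:
    """Token-bucket policer with one bucket per key (a source or destination IP)."""
    def __init__(self, rate_mbps, burst_bits):
        self.rate, self.burst, self.state = rate_mbps, burst_bits, {}

    def allow(self, key, bits, now_us):
        tokens, last = self.state.get(key, (self.burst, now_us))
        tokens = min(self.burst, tokens + (now_us - last) * self.rate)
        ok = tokens >= bits
        self.state[key] = (tokens - bits if ok else tokens, now_us)
        return ok

def flow(proto, src, dst, mbps, duration_us=1_000_000):
    """Constructed constant-rate flow of PKT_BITS-sized packets."""
    gap = PKT_BITS // mbps
    return [(t, proto, src, dst) for t in range(0, duration_us, gap)]

def delivered_mbps(packets, per_destination=True, duration_us=1_000_000):
    """Apply the per-source edge limit, then optionally the per-destination limit."""
    edge = Policer(UDP_LIMIT_MBPS, BURST_BITS)  # keyed on source IP
    dc = Policer(UDP_LIMIT_MBPS, BURST_BITS)    # keyed on destination IP
    bits = defaultdict(int)
    for t, proto, src, dst in sorted(packets):
        if proto == "udp":                      # only UDP is policed in this model
            if not edge.allow(src, PKT_BITS, t):
                continue
            if per_destination and not dc.allow(dst, PKT_BITS, t):
                continue
        bits[dst] += PKT_BITS
    return {dst: b / duration_us for dst, b in bits.items()}

# Constructed sample traffic using documentation address ranges.
SAMPLE = (
    flow("udp", "198.51.100.7", "203.0.113.10", 200)                 # one loud source
    + [p for i in range(10)
       for p in flow("udp", f"192.0.2.{i + 1}", "203.0.113.20", 20)]  # ten quiet sources
    + flow("tcp", "198.51.100.9", "203.0.113.30", 200)               # TCP, not policed
)

if __name__ == "__main__":
    print(delivered_mbps(SAMPLE))
```

Calling `delivered_mbps(SAMPLE, per_destination=False)` shows the ten 20Mbps sources reaching their target at the full 200Mbps, since none of them exceeds the per-source limit.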

oles@ovh.net
12-05-11, 15:12
http://status.ovh.net/?do=details&id=1449

We're going to activate the protections on the
routers in the datacentre:

vrack: done
HG 2010/2011: already done
pCC: done

oles@ovh.net
12-05-11, 12:02
Hello,

At the gateway to the backbone, we have just changed the
configuration. We remove the filter on the whole
IP layer and we only keep the UDP.

Thus, any IP on the Internet is limited to 50Mbps UDP
towards the entire OVH network.

If you have problems, do let us know.
It's not because we have to manage an emergency that
we cannot refine it right away. It's always the same
email as usual if it's a matter of life or death: oles@ovh.net

Early afternoon, we'll continue to refine
them to reach the final 3 new rules:

-limitation on UDP on source IP to OVH
currently limited to 50Mbps and we will try
to go down to 20Mbps around 14:00

-limitation on UDP on destination IP to OVH
currently implemented on the HG network
to 50Mbps. We do not yet know whether it's useful and
whether to configure it on all routers

-limitation on UDP on OVH source IP to the Internet
is not yet in place. The goal is to prevent an
OVH server sending an attack towards the Internet.

Regards
Octave

oles@ovh.net
12-05-11, 01:06
Good evening,

Considering the amount of attacks that we
are receiving every day, we decided to
unearth the battle axe. We cannot allow it anymore.
Today alone, there are more than 30 attacks
and they've impacted 5 networks for our clients with
temporary degradation of the service.

Then:

A source IP (on the Internet) cannot send
towards the OVH network more than 50Mbps over the entire
IP layer. Ultimately we are thinking of applying it only to the
UDP layer.

We've also added a limitation on the
HG network on the destination IP on UDP
from all the IPs to 50Mbps.

If you have problems, please send an email
to oles@ovh.net, noc@ovh.net

More:
http://status.ovh.net/?do=details&id=1449

Regards
Octave