
Protection from Spoofing attack


oles@ovh.net
27-02-11, 09:56
We have improved protection from attacks on our network, in particular the spoofing attacks made with our IPs which come from the Internet. This type of attack is now blocked.

This will fix the problem of anti-hack that about 300 customers have received since Friday night. All these servers are now in normal operating condition.

Apologies for the problem.

Regards,

Octave


More:
http://travaux.ovh.net/?do=details&id=5183

-----------------------------------------------------------------
An IT client (a hacker) has ordered 15 servers. They used some servers to launch attacks and scans. They were placed in "anti hack" several times (rescue) to protect our network and the other networks on the Internet.

Until then there is nothing new. This is usual.

One server, 94.23.4.70, has been used to attack other hackers on the net. We received attacks on 94.23.4.70. We have customarily put in place protections used by the Teams 24/24 to block these attacks.

Still no new updates.

As the blocks were very efficient and the hackers whom 94.23.4.70 attacked were not satisfied with the result of their attacks, they launched a spoofing attack from the Internet with OVH IPs. It's a (nice) way to get through the safety features and limitations of automatic traffic in case of attack. Because if it's initiated by an IP packet on the Internet (wherever) "spoofing" source 94.23.4.70 port 80, it will arrive on an OVH dedicated server's IP. This server (which requested nothing) responded to 94.23.4.70 on port 80: "I did not request anything, cancel the connection." In launching this massive spoof, the hackers caused an attack to be launched from the network to an OVH IP; 94.23.4.70:80 was the victim. This 500Mbps attack was launched on Friday 25 around 20:00.

OVH analyses all traffic and detects internal network attacks, at which point we intervened to block attacks. We have detected that less than 300 servers at OVH launched an attack to 94.23.4.70 and we went into rescue mode to protect the network.

This is one of those exceptional cases of a false positive and so, tonight we have returned all these servers to their normal state.

To avoid this flaw, we have additional protection on incoming traffic to our network from the Internet. We can no longer send packets from source IPs. This has been blocked and the problem is now fixed.

Apologies for the problems this created.

In parallel, some information: all dedicated servers on our network which are connected to our switches will have the same type of protection, i.e. they can not initiate traffic from the IPs which are allocated on the server (the switch port). On each port of each switch there will be an access-list with the IPs which can send traffic. We can not use them to spoof and let this kind of attack occur again on the OVH network or the Internet.
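
The two filters described in the post, modelled as an added example that is not part of the original post and is not OVH's configuration. The prefix, switch port names and traffic are constructed (RFC 5737 documentation addresses); 198.51.100.70 stands in for 94.23.4.70.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing from RFC 5737 documentation ranges, not OVH's real prefixes.
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
VICTIM = "198.51.100.70"  # stands in for 94.23.4.70 in the post
# Hypothetical per-port access lists: switch port -> source IPs allowed to send.
PORT_ACL = {"sw1/1": {"198.51.100.10"}, "sw1/2": {VICTIM}}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def in_provider_space(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROVIDER_NETS)

def border_ingress_permits(pkt: Packet) -> bool:
    """Internet-facing filter: a packet from outside must not claim one of our own IPs as source."""
    return not in_provider_space(pkt.src)

def port_permits(port: str, pkt: Packet) -> bool:
    """Switch-port filter: only source IPs on the port's access list may send."""
    return pkt.src in PORT_ACL.get(port, set())

def replies_hitting(victim: str, inbound: list, border_filter: bool) -> list:
    """Replies that internal servers send to `victim` after receiving `inbound` from the Internet."""
    replies = []
    for pkt in inbound:
        if border_filter and not border_ingress_permits(pkt):
            continue  # spoofed source dropped at the edge, no server ever sees it
        if in_provider_space(pkt.dst):
            # The server answers the claimed source: "I did not request anything".
            reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reply.dst == victim:
                replies.append(reply)
    return replies

# Constructed traffic seen on an Internet-facing link: three spoofed packets, one real client.
INBOUND = [Packet(VICTIM, 80, f"198.51.100.{h}", 40000 + h) for h in (10, 11, 12)]
INBOUND.append(Packet("203.0.113.5", 51515, "198.51.100.10", 443))

if __name__ == "__main__":
    print("no edge filter:", len(replies_hitting(VICTIM, INBOUND, False)), "replies reach the victim")
    print("edge filter on:", len(replies_hitting(VICTIM, INBOUND, True)), "replies reach the victim")
    print("sw1/1 sending as victim allowed?", port_permits("sw1/1", Packet(VICTIM, 80, "203.0.113.5", 1)))
```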