Over the last month we have noticed a very strong increase in the number of attacks on our network.
We are now at about 30 attacks per day, 3 to 5 of which have many consequences for the quality of service for our clients.
It is therefore necessary for OVH to fix these attack problems.
We have put protections in place against attacks on the UDP layer.
Incoming UDP traffic is limited to 50Mbps per source IP.
Date: 2011-08-07 21:23:49 UTC We are generalising the limit of 20Mbps per IP on UDP to the routers managing OVH incoming traffic.
Date: 2011-06-03 01:40:49 UTC We have decreased the incoming traffic in UDP by IP from to 20Mbps.
We'll see whether it will prevent remaining attacks.
Date: 2011-05-19 22:22:33 UTC
The settings are very effective. 1.2Gbps from 120 IPs are purged by 10Mbps :)
We pulled the attack onto a separate router to analyse it. UDP packets of 1 byte.
00:05:41.025106 ip 18.104.22.168.60802 > 22.214.171.124.52829: udp, length 1
00:05:41.025113 ip 126.96.36.199.60802 > 188.8.131.52.52092: udp, length 1
00:05:41.025117 ip 184.108.40.206.60802 > 220.127.116.11.57685: udp, length 1
00:05:41.025125 ip 18.104.22.168.60802 > 22.214.171.124.19995: udp, length 1
00:05:41.025132 ip 126.96.36.199.60802 > 188.8.131.52.62144: udp, length 1
00:05:41.029163 ip 184.108.40.206.60802 > 220.127.116.11.26174: udp, length 1
00:05:41.033086 ip 18.104.22.168.60802 > 22.214.171.124.51982: udp, length 1
00:05:41.033101 ip 126.96.36.199.60802 > 188.8.131.52.19547: udp, length 1
00:05:41.040862 ip 184.108.40.206.60802 > 220.127.116.11.43119: udp, length 1
00:05:41.040883 ip 18.104.22.168.60802 > 22.214.171.124.60090: udp, length 1
We played around and refined the rules. We will therefore block whoever performed the attack by blocking the destination IP.
Date: 2011-05-19 15:12:45 UTC Following an ongoing attack on an IP, we
have tuned the settings and decreased the authorized
burst during an attack from 10000 to 8000.
The attack went from 70Mbps to 10Mbps. It continues
but no longer has any impact on the server.
#sh inter f0/15 | i 30 sec
30 second input rate 2822000 bits/sec, 303 packets/sec
30 second output rate 62419000 bits/sec, 121785 packets/sec
#sh inter f0/15 | i 30 sec
30 second input rate 5422000 bits/sec, 585 packets/sec
30 second output rate 10334000 bits/sec, 20076 packets/sec
Do not hesitate to report any problems.
Date: 2011-05-13 08:10:07 UTC Hello,
Following the update of the protections against attacks
on the UDP layer, for 24h we have not had to intervene
to protect the infrastructure. We received tens of
the usual attacks, which did not have an impact on our
We can therefore consider that the settings in place are correct
and sufficient. Fast, well done :)
Yes! Let's hope it lasts:)
- we set up protection at the input of
our network: we limit UDP traffic to 50Mbps per
source IP, i.e. a specific IP on the Internet
cannot send more than 50Mbps to the OVH network by
- we have put protection in place on the routers
of the datacenters: we limit UDP traffic to 50Mbps per
destination IP, i.e. a specific IP at OVH
cannot receive more than 50Mbps from the Internet by
As a reminder, these protections have already been in place (for 1-2 years):
- we have a limit of 32Kbps per source IP towards
OVH on the ICMP layer and on TCP/SYN (with some exceptions).
VPS and mC have the following protections:
- 100Mbps per IP on TCP
- 5Mbps per IP on UDP
- 32Kbps per IP on ICMP
There are no other limitations, and none are foreseen.
The update of these protections was well received.
1 client was not happy and we
have had lots of feedback with an "Ouff". I think
these protections add real value to our
offers because they strengthen the security of the services that
our customers provide. Whether it's a game server,
a website or a DSL connection, receiving a DoS from
a competitor is very unpleasant. With OVH you
are now protected against the moods of your competitors.
Date: 2011-05-13 07:48:31 UTC We will activate the protections on the routers
of RBX2, RBX3 and RBX4
Date: 2011-05-12 14:02:44 UTC We will activate the protections on the routers in
HG 2010/2011: already done
Date: 2011-05-12 13:58:51 UTC Hello,
At the entrance to the backbone, we have just changed the
settings. We removed the filter on the whole
IP layer and kept only the one on UDP.
Thus, an IP on the Internet is limited to 50Mbps in UDP
towards the entire OVH network.
If you have problems, please report them.
Just because we have to manage an emergency does not mean
we cannot refine things afterwards. It's always the same
email in case of mortal danger: email@example.com
In the early afternoon, we'll continue to refine the
settings to arrive at these 3 new rules:
- UDP limit per source IP towards OVH:
currently it is limited to 50Mbps and we will try
to go down to 20Mbps around 14:00
- UDP limit per destination IP towards OVH:
currently implemented on the HG network
at 50Mbps. We do not yet know if it's useful and
whether it's necessary to refine it, to put it on all routers.
- UDP limit per source IP from OVH to the Internet:
not yet established. The aim is to prevent an
OVH server from sending an attack towards the Internet.
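The per-source and per-destination UDP limits described above can be modelled as per-IP token buckets. This is an added example, not OVH's router configuration or code from this log; only the 50Mbps limits come from the text, while the burst size, the flows and the addresses are constructed.

```python
# Added example (not OVH's router configuration): per-IP token-bucket policing of UDP.
# Limits use the 50Mbps figures from the text; burst size and all flows are constructed.

class Policer:
    """One token bucket per key (an IP address); tokens are counted in bits."""
    def __init__(self, rate_bps, burst_bits):
        self.rate, self.burst = rate_bps, burst_bits
        self.buckets = {}  # key -> [tokens, time of last update in ms]

    def allow(self, key, now_ms, bits):
        b = self.buckets.setdefault(key, [self.burst, now_ms])
        # Refill for the elapsed time, never above the burst size.
        b[0] = min(self.burst, b[0] + self.rate * (now_ms - b[1]) // 1000)
        b[1] = now_ms
        if b[0] < bits:
            return False  # over the limit: drop
        b[0] -= bits
        return True


def delivered_mbps(flows, src_bps, dst_bps, burst_bits=1_000_000, seconds=1):
    """Replay flows (src, dst, proto, rate_bps) in 1 ms steps; return Mbps per (dst, proto)."""
    edge = Policer(src_bps, burst_bits)                     # network input, keyed by source IP
    dc = Policer(dst_bps, burst_bits) if dst_bps else None  # datacenter router, keyed by destination IP
    out = {}
    for ms in range(seconds * 1000):
        for src, dst, proto, rate_bps in flows:
            bits = rate_bps // 1000  # what this flow sends in one millisecond
            if proto == "udp":       # only UDP is policed
                if not edge.allow(src, ms, bits):
                    continue
                if dc and not dc.allow(dst, ms, bits):
                    continue
            out[(dst, proto)] = out.get((dst, proto), 0) + bits
    return {k: v / seconds / 1e6 for k, v in out.items()}


VICTIM, OTHER = "203.0.113.10", "203.0.113.20"  # documentation addresses
FLOWS = (
    [(f"198.51.100.{i}", VICTIM, "udp", 10_000_000) for i in range(1, 121)]  # 120 x 10Mbps
    + [("192.0.2.99", OTHER, "udp", 200_000_000)]  # one source far above the limit
    + [("192.0.2.50", VICTIM, "tcp", 80_000_000)]  # TCP is not touched
)

if __name__ == "__main__":
    print("source limit only:  ", delivered_mbps(FLOWS, 50_000_000, None))
    print("source + dest limit:", delivered_mbps(FLOWS, 50_000_000, 50_000_000))
```

With the per-source limit alone, the 120 x 10Mbps flood reaches its target untouched because every source stays under 50Mbps; the per-destination limit is what caps it. That cap applies to all UDP sent to the IP, so legitimate UDP to the same address shares the 50Mbps.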
Date: 2011-05-12 13:35:56 UTC At the entrance to the backbone, we removed
the protection over the whole IP layer to
keep only the one on UDP.
Date: 2011-05-11 23:36:54 UTC Given the number of attacks we are dealing with every day, we have decided to dig up the hatchet :( It isn't possible.
Just today, we are up to 30 attacks, and 5 of our customers' networks have been impacted, with a temporary deterioration of the service.
A source IP (on the Internet) can no longer send more than 50Mbps towards the OVH network, across the whole IP layer. We are looking to apply it on the UDP layer.
We have also added a limit of 50Mbps on the HG network, per destination IP, on UDP from all IPs outside OVH.