
Oles Stop These Attacks


freshwire
16-04-2009, 12:48
I am always logging into my uni network with root access

Andy
16-04-2009, 10:06
Perhaps a mistyped IP address? Don't run SSH on a standard port and you won't have this problem.

c-user
16-04-2009, 07:49
Hi xrcode,

Slightly off-topic, but I saw you said you were responsible for your block of IP addresses. I was wondering if you knew about attempted SSH access to one of our servers from xrnetworksolutions.net?

from auth log:

Apr 15 13:57:34 webserver sshd[31127]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xrnetworksolutions.net user=root
Apr 15 13:57:37 webserver sshd[31132]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xrnetworksolutions.net user=root
Apr 15 13:57:40 webserver sshd[31138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xrnetworksolutions.net user=root
Apr 15 13:57:43 webserver sshd[31144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xrnetworksolutions.net user=root
...
etc
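The auth log excerpt above is the classic shape of an SSH password-guessing run: one remote host, one target account, failures a few seconds apart. The following is an added example (not code from c-user or from the thread) that parses pam_unix failure lines like those and flags any source that produces a burst of failures inside a sliding window. The sample log embeds the four lines quoted above plus one constructed benign failure from a made-up host; the year is assumed to be 2009 because syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the four pam_unix failures quoted in the post plus one
# unrelated failure from a fictional host (laptop.example.net), so the
# per-source threshold can be seen to fire for one source and not the other.
SAMPLE_AUTH_LOG = """\
Apr 15 13:57:34 webserver sshd[31127]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xrnetworksolutions.net user=root
Apr 15 13:57:37 webserver sshd[31132]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xrnetworksolutions.net user=root
Apr 15 13:57:40 webserver sshd[31138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xrnetworksolutions.net user=root
Apr 15 13:57:43 webserver sshd[31144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xrnetworksolutions.net user=root
Apr 15 14:02:10 webserver sshd[31201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=laptop.example.net user=alice
"""

# Matches the pam_unix(sshd:auth) failure line format shown in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure; .*?rhost=(?P<rhost>\S+) user=(?P<user>\S+)"
)


def parse_failures(text, year=2009):
    """Return [(timestamp, rhost, user)] for every pam_unix auth failure line.

    syslog timestamps have no year, so the caller supplies one (assumed 2009,
    the year of this thread)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["rhost"], m["user"]))
    return out


def brute_force_sources(failures, threshold=4, window=timedelta(seconds=60)):
    """Return {rhost: (count, users)} for sources that produced at least
    `threshold` failures inside some `window`-long sliding interval.

    `count` is the largest number of failures seen in any such interval and
    `users` the accounts targeted in it."""
    by_host = defaultdict(list)
    for ts, rhost, user in failures:
        by_host[rhost].append((ts, user))
    flagged = {}
    for rhost, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(rhost, (0, []))[0]:
                users = sorted({u for _, u in events[start:end + 1]})
                flagged[rhost] = (count, users)
    return flagged


if __name__ == "__main__":
    for host, (n, users) in brute_force_sources(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"{host}: {n} failures, accounts {users}")
```

The threshold and window are parameters because they depend on the box: four root failures in ten seconds is unambiguous, but a busy shared host with many legitimate typos needs a looser setting, and in practice the hit list feeds a temporary block (fail2ban-style) rather than a permanent one.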

rickyday
15-04-2009, 20:31
Quote Originally Posted by oles@ovh.net
PS. stop losing 100'000$, buy Cisco ASA 5510, 2800$
http://www.cisco.com/en/US/products/ps6120/index.html
I could get them a discount as well if they buy a couple

oles@ovh.net
15-04-2009, 19:36
> 28: 01:15:19.912382 91.121.105.56.46776 > 200.46.241.119.25417: udp 1
> 29: 01:15:19.912443 91.121.105.56.46776 > 200.46.241.119.31879: udp 1


fixed

next time: abuse@ovh.net

if not, I will remove you from this forum.

Octave

PS. stop losing 100'000$, buy Cisco ASA 5510, 2800$
http://www.cisco.com/en/US/products/ps6120/index.html


JMC
14-04-2009, 23:26
iptables -A INPUT -s 91.121.105.56 -j DROP

By the looks of it, that server is running web hosting with PHP sockets enabled, which, if hacked (RFI), could be used to DoS.

OVHSUCKS
14-04-2009, 22:15
Quote Originally Posted by Neil
Did you include logs of the attack? We will not investigate DDOS cases unless logs are included.

We do take Hacking, DDOS and other security issues seriously and we do monitor servers to try and stop these attacks, but if you include full logs of an attack and send it to abuse@ovh.net, we will investigate it.
Yes we included logs in our original email to abuse@ovh.net. Here is a bit of the log file. The attack continued for 3 days as we waited for OVH to get ahold of the owner of the dedicated server.

28: 01:15:19.912382 91.121.105.56.46776 > 200.46.241.119.25417: udp 1
29: 01:15:19.912443 91.121.105.56.46776 > 200.46.241.119.31879: udp 1
30: 01:15:19.912489 91.121.105.56.46776 > 200.46.241.119.18095: udp 1
31: 01:15:19.912519 91.121.105.56.46776 > 200.46.241.119.15992: udp 1
32: 01:15:19.912565 91.121.105.56.46776 > 200.46.241.119.53065: udp 1
33: 01:15:19.912596 91.121.105.56.46776 > 200.46.241.119.22704: udp 1
34: 01:15:19.912642 91.121.105.56.46776 > 200.46.241.119.35599: udp 1
35: 01:15:19.912672 91.121.105.56.46776 > 200.46.241.119.17050: udp 1
36: 01:15:19.912718 91.121.105.56.46776 > 200.46.241.119.32040: udp 1
37: 01:15:19.912748 91.121.105.56.46776 > 200.46.241.119.49580: udp 1
38: 01:15:19.912794 91.121.105.56.46776 > 200.46.241.119.14464: udp 1
39: 01:15:19.912825 91.121.105.56.46776 > 200.46.241.119.53592: udp 1
40: 01:15:19.912870 91.121.105.56.46776 > 200.46.241.119.54033: udp 1
41: 01:15:19.912901 91.121.105.56.46776 > 200.46.241.119.46381: udp 1
42: 01:15:19.912931 91.121.105.56.46776 > 200.46.241.119.36654: udp 1
43: 01:15:19.912977 91.121.105.56.46776 > 200.46.241.119.63755: udp 1
44: 01:15:19.913008 91.121.105.56.46776 > 200.46.241.119.43727: udp 1
45: 01:15:19.913053 91.121.105.56.46776 > 200.46.241.119.28351: udp 1
46: 01:15:19.913084 91.121.105.56.46776 > 200.46.241.119.15397: udp 1
47: 01:15:19.913115 91.121.105.56.46776 > 200.46.241.119.53425: udp 1
48: 01:15:19.913145 91.121.105.56.46776 > 200.46.241.119.17096: udp 1
49: 01:15:19.913191 91.121.105.56.46776 > 200.46.241.119.11274: udp 1
50: 01:15:19.913221 91.121.105.56.46776 > 200.46.241.119.13229: udp 1
51: 01:15:19.913252 91.121.105.56.46776 > 200.46.241.119.17332: udp 1
52: 01:15:19.913298 91.121.105.56.46776 > 200.46.241.119.18913: udp 1
53: 01:15:19.913801 91.121.105.56.46776 > 200.46.241.119.18736: udp 1
54: 01:15:19.913862 91.121.105.56.46776 > 200.46.241.119.22634: udp 1
55: 01:15:19.913893 91.121.105.56.46776 > 200.46.241.119.29855: udp 1
56: 01:15:19.913938 91.121.105.56.46776 > 200.46.241.119.15572: udp 1
57: 01:15:19.913969 91.121.105.56.46776 > 200.46.241.119.50168: udp 1
58: 01:15:19.914015 91.121.105.56.46776 > 200.46.241.119.5298: udp 1
59: 01:15:19.914045 91.121.105.56.46776 > 200.46.241.119.5142: udp 1
60: 01:15:19.914076 91.121.105.56.46776 > 200.46.241.119.2806: udp 1
61: 01:15:19.914122 91.121.105.56.46776 > 200.46.241.119.34576: udp 1
62: 01:15:19.914152 91.121.105.56.46776 > 200.46.241.119.5971: udp 1
63: 01:15:19.914183 91.121.105.56.46776 > 200.46.241.119.34647: udp 1
64: 01:15:19.914228 91.121.105.56.46776 > 200.46.241.119.47874: udp 1
65: 01:15:19.914259 91.121.105.56.46776 > 200.46.241.119.6113: udp 1
66: 01:15:19.914289 91.121.105.56.46776 > 200.46.241.119.1420: udp 1
67: 01:15:19.914335 91.121.105.56.46776 > 200.46.241.119.58493: udp 1
68: 01:15:19.914366 91.121.105.56.46776 > 200.46.241.119.24780: udp 1
69: 01:15:19.914396 91.121.105.56.46776 > 200.46.241.119.55240: udp 1
70: 01:15:19.914427 91.121.105.56.46776 > 200.46.241.119.5571: udp 1
71: 01:15:19.914472 91.121.105.56.46776 > 200.46.241.119.1154: udp 1
72: 01:15:19.914503 91.121.105.56.46776 > 200.46.241.119.32530: udp 1
73: 01:15:19.914534 91.121.105.56.46776 > 200.46.241.119.32074: udp 1
74: 01:15:19.914579 91.121.105.56.46776 > 200.46.241.119.59936: udp 1
75: 01:15:19.914610 91.121.105.56.46776 > 200.46.241.119.17402: udp 1
76: 01:15:19.914640 91.121.105.56.46776 > 200.46.241.119.545: udp 1
77: 01:15:19.914686 91.121.105.56.46776 > 200.46.241.119.29276: udp 1
78: 01:15:19.914823 91.121.105.56.46776 > 200.46.241.119.58788: udp 1
79: 01:15:19.914884 91.121.105.56.46776 > 200.46.241.119.63006: udp 1
80: 01:15:19.914930 91.121.105.56.46776 > 200.46.241.119.8979: udp 1
81: 01:15:19.914976 91.121.105.56.46776 > 200.46.241.119.15678: udp 1
82: 01:15:19.915022 91.121.105.56.46776 > 200.46.241.119.5035: udp 1
83: 01:15:19.915052 91.121.105.56.46776 > 200.46.241.119.1129: udp 1
84: 01:15:19.915098 91.121.105.56.46776 > 200.46.241.119.46477: udp 1
85: 01:15:19.915144 91.121.105.56.46776 > 200.46.241.119.43778: udp 1
86: 01:15:19.915174 91.121.105.56.46776 > 200.46.241.119.62021: udp 1
87: 01:15:19.915220 91.121.105.56.46776 > 200.46.241.119.45637: udp 1
88: 01:15:19.915266 91.121.105.56.46776 > 200.46.241.119.2036: udp 1
89: 01:15:19.915296 91.121.105.56.46776 > 200.46.241.119.57611: udp 1
90: 01:15:19.915342 91.121.105.56.46776 > 200.46.241.119.16778: udp 1
91: 01:15:19.915388 91.121.105.56.46776 > 200.46.241.119.48889: udp 1
92: 01:15:19.915418 91.121.105.56.46776 > 200.46.241.119.6570: udp 1
93: 01:15:19.915464 91.121.105.56.46776 > 200.46.241.119.24109: udp 1
94: 01:15:19.915510 91.121.105.56.46776 > 200.46.241.119.45900: udp 1
95: 01:15:19.915541 91.121.105.56.46776 > 200.46.241.119.3610: udp 1
96: 01:15:19.915586 91.121.105.56.46776 > 200.46.241.119.47816: udp 1
97: 01:15:19.915617 91.121.105.56.46776 > 200.46.241.119.53499: udp 1
98: 01:15:19.915663 91.121.105.56.46776 > 200.46.241.119.46955: udp 1
99: 01:15:19.915693 91.121.105.56.46776 > 200.46.241.119.19619: udp 1

Neil
14-04-2009, 21:02
Quote Originally Posted by OVHSUCKS
I don't speak French and this problem pertains to OVH the company. I searched Google and found this post about the same problem.

OVH does almost nothing to control DoS Attacks. I could sign up for OVH hosting and do the same thing with a few lines of code. This recent DoS attack from an OVH server cost us over $100,000 USD in lost revenue.

As the Original Poster said, something needs to be done from OVH's side.

Also, emailing abuse@ovh.net is pretty much useless. They do not do anything and respond days later.
Did you include logs of the attack? We will not investigate DDOS cases unless logs are included.

We do take Hacking, DDOS and other security issues seriously and we do monitor servers to try and stop these attacks, but if you include full logs of an attack and send it to abuse@ovh.net, we will investigate it.

Seedbox Paradis
14-04-2009, 16:37
Quote Originally Posted by OVHSUCKS
I don't speak French and this problem pertains to OVH the company. I searched Google and found this post about the same problem.

OVH does almost nothing to control DoS Attacks. I could sign up for OVH hosting and do the same thing with a few lines of code. This recent DoS attack from an OVH server cost us over $100,000 USD in lost revenue.

As the Original Poster said, something needs to be done from OVH's side.

Also, emailing abuse@ovh.net is pretty much useless. They do not do anything and respond days later.
Well don't blame me for saying this, but I think that estimate of yours as to how much money you lost is a bit too high :<

OVHSUCKS
14-04-2009, 13:35
I don't speak French and this problem pertains to OVH the company. I searched Google and found this post about the same problem.

OVH does almost nothing to control DoS Attacks. I could sign up for OVH hosting and do the same thing with a few lines of code. This recent DoS attack from an OVH server cost us over $100,000 USD in lost revenue.

As the Original Poster said, something needs to be done from OVH's side.

Also, emailing abuse@ovh.net is pretty much useless. They do not do anything and respond days later.

rickyday
14-04-2009, 13:22
Quote Originally Posted by OVHSUCKS
We are from Panama.
So why are you posting on a UK Forum then?

OVHSUCKS
14-04-2009, 13:14
I sent my emails to abuse@ovh.net

The response emails come from OVH Poland.

We are from Panama.

fozl
14-04-2009, 13:06
Quote Originally Posted by OVHSUCKS
We have the same problem with OVH. They are totally unhelpful and harbour criminal activity. I sent them logs of what was happening and they would not take the server down. They had to ask for his permission. They never took him down and took days to respond in between emails... etc
You'll need to take this up on http://forum.ovh.pl/ or even better send an email to pomoc@ovh.pl (their support address).

As this is ovh.co.uk, I'm sure you'll understand that we can't discuss issues pertaining to Polish law.

OVHSUCKS
14-04-2009, 13:01
We have the same problem with OVH. They are totally unhelpful and harbour criminal activity. I sent them logs of what was happening and they would not take the server down. They had to ask for his permission. They never took him down and took days to respond in between emails.

Here is what the "Abuse" department told me:

> >> >> >> Dear OVH Abuse Staff
> >> >> >>
> >> >> >> We are currently experiencing a DDoS attack coming from one of your IPs
> >> >> >>
> >> >> >> Attached is a log of such attack, it's coming from 91.121.105.56 and is attacking 200.46.xxx.xxx using UDP traffic
> >> >> >>
> >> >> >> Also attached is a graph of the traffic that we are getting
> >> >> >>
> >> >> >> Please proceed immediately with any measure to stop this attack


> >> >> yes,
> >> >>
> >> >> He is still hitting us. You need to take him offline until he contacts you and stops the attack.
> >> >>
> >> >> Kevin
> >> >>
> >> >>
> >> >> > Greetings,
> >> >> > Do you still experience the attack? We have contacted the administrator of this server and we are waiting for his answer.
> >> >> >
> >> >> > Best regards,
> >> >> > Daniel Włodarczyk, OVH.pl.


Greetings,
I'm sorry but it's impossible. We can't give any contact because of Polish law.

Best regards,
Daniel Włodarczyk, OVH.pl.


> Hello,
>
> Can you give me the contact details of the administrator?
>
> Kevin
>
>
> > Greetings,
> > I have received information from the administrator of the attacking server. He assures me that he has eliminated the problem.
> >
> > Best regards,
> > Daniel Włodarczyk, OVH.pl.

xrcode
13-02-2009, 01:38
Ok, this attack needs to stop, oles. You really need source address verification on your outbound SYN packets.

Your routers should not allow traffic that does not have an OVH IP to pass out. Your machines are able to spoof SYN floods, and there is nothing stopping them: nothing saying no, you can't send a SYN from a fake address, or even limiting the rate of outbound SYNs per second to something like 1000 SYN/sec. I'll be damned if something needs to make 1000 new connections a second legitimately.
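The two controls xrcode asks for here are source address verification at the provider's edge (the BCP38 idea: a packet may only leave with a source address from a prefix the network actually owns) and a per-host cap on outbound SYNs per second. The following is an added example, not code from xrcode or OVH, that models both checks over a constructed stream of outbound packets so the effect of each can be seen. The prefix list is an assumption: 91.121.0.0/16 is the OVH range named elsewhere in this thread, 192.0.2.0/24 is a documentation placeholder, and the destination and forged addresses are also documentation ranges.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed: the prefixes this network legitimately originates traffic from.
# 91.121.0.0/16 is the OVH range mentioned in the thread; 192.0.2.0/24 is a
# placeholder documentation prefix standing in for any further ranges.
PROVIDER_PREFIXES = [ipaddress.ip_network("91.121.0.0/16"),
                     ipaddress.ip_network("192.0.2.0/24")]


def is_spoofed(src, prefixes=PROVIDER_PREFIXES):
    """BCP38-style egress check: a packet leaving the network must carry a
    source address inside one of the network's own prefixes."""
    addr = ipaddress.ip_address(src)
    return not any(addr in p for p in prefixes)


class SynRateLimiter:
    """Per-source sliding-window counter: allow at most `limit` bare SYNs per
    `window` seconds from each internal host (1000/s is the figure proposed
    in the post above)."""

    def __init__(self, limit=1000, window=1.0):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)   # src -> timestamps of recent SYNs

    def allow(self, src, ts):
        q = self.history[src]
        while q and ts - q[0] >= self.window:   # expire SYNs older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def filter_egress(packets, limiter=None, prefixes=PROVIDER_PREFIXES):
    """packets: iterable of (timestamp, src, dst, tcp_flags) leaving the edge.
    Returns the packets forwarded and the ones dropped, each with its reason."""
    limiter = limiter or SynRateLimiter()
    forwarded, dropped = [], []
    for ts, src, dst, flags in packets:
        if is_spoofed(src, prefixes):
            dropped.append((src, dst, "spoofed-source"))
        elif "S" in flags and "A" not in flags and not limiter.allow(src, ts):
            dropped.append((src, dst, "syn-rate"))   # bare SYN over the cap
        else:
            forwarded.append((src, dst))
    return {"forwarded": forwarded, "dropped": dropped}


def demo():
    """Constructed traffic: one legitimate SYN, one SYN with a forged source
    outside the provider's prefixes, then a 1005-packet SYN burst from one
    host inside a tenth of a second (5 over the 1000/s cap)."""
    pkts = [(0.000, "91.121.105.56", "203.0.113.10", "S"),
            (0.001, "198.51.100.7", "203.0.113.10", "S")]   # forged: not ours
    pkts += [(0.002 + i * 0.0001, "91.121.193.74", "203.0.113.10", "S")
             for i in range(1005)]
    return filter_egress(pkts, SynRateLimiter(limit=1000, window=1.0))


if __name__ == "__main__":
    result = demo()
    print(len(result["forwarded"]), "forwarded,", len(result["dropped"]), "dropped")
    for src, dst, reason in result["dropped"][:3]:
        print(f"  dropped {src} -> {dst}: {reason}")
```

The spoofing check is the one that matters most for the rest of this thread: a host that cannot forge its source address can still flood, but the flood then points straight back at the responsible server, which is exactly the evidence abuse@ handling needs. The rate cap is a blunter tool; the SYN-ACK exclusion (`"A" not in flags`) keeps it from throttling a busy legitimate server's replies.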

xrcode
13-02-2009, 01:33
Quote Originally Posted by Palad1n
I don't think you work for LeaseWeb, so you do not have the right to request OVH block all servers from getting to an IP Block that hosts 250 other servers.

Get a decent firewall and block ICMP ANY and IP ANY from 91.121.0.0/16 or whatever other ranges are attacking you.
Put in a permit your.server.ip before the block ANY rules.

I installed MOBLOCK to my server and use Bluetack.co.uk blocklists and I also have a customlist that I can edit by hand to add abusers to.

But your request is silly and published in a user support forum, even if you had permission to speak for the class C IP block, it is up to YOU to block incoming not OVH to block outgoing.
I have a hosting solutions business and the two ranges are mine. I do not want OVH servers accessing them, and I am sick of the 300 Mbps SYN floods; this is ridiculous.

There will be NO other customers blocked

the two ranges that i am using for the particular services being attacked are

94.75.232.64/26 and 94.75.250.128/26

I have a rack of servers, not just one, and I am very tired of incoming OVH attacks; they put out too much bandwidth and packets per second to effectively deal with.

xrcode
13-02-2009, 01:26
Quote Originally Posted by Myatu
Aside from setting up your own firewall, get Snort (http://www.snort.org). You'd be amazed how much unsolicited traffic you're getting when you look at Snort's logs.

Far, far too much traffic on this server for Snort, or anything like that. This server has a 600 Mbps 95th percentile bandwidth output and an average of 6000 simultaneous clients. I can somewhat fend off the incoming DDoS attacks with netfilter, but this is getting ridiculous. I don't need any server securing guides or anything like that; I have carefully constructed packet filters to filter the attacks and my servers do sustain, but why should I be subjected to attacks coming from OVH constantly?

xrcode
13-02-2009, 01:23
I have a dedicated box just for filtering, I know what I'm doing here guys. I am seeing up to 300 Mbps of SYN and UDP floods from OVH CONSTANTLY, and to whoever said that about working at LeaseWeb: no, I don't work there, but that whole IP range is for my rack, so I most certainly have permission to ask for it to be filtered due to constant DDoS attacks.




[root@xrnetworksolutions ~]# iptables -t raw -L -v|less
Chain PREROUTING (policy ACCEPT 1750M packets, 614G bytes)
 pkts bytes target prot opt in  out source   destination
 201M 5839M DROP   udp  --  any any anywhere anywhere     udp dpt:6011
  26M 1041M DROP   tcp  --  any any anywhere anywhere     TTL match TTL == 251




), length: 29) 91.121.193.74.58730 > 94.75.232.68.6011: UDP, length 1
00:21:47.180162 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 91.121.197.197.34201 > 94.75.232.68.6011: UDP, length 1
00:21:47.180171 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 94.75.209.24.33653 > 94.75.232.68.6011: UDP, length 1
00:21:47.180186 IP (tos 0x0, ttl 247, id 57803, offset 0, flags [none], proto: TCP (6), length: 40) 207.113.203.214.60393 > 94.75.232.68.6011: tcp 20 [bad hdr length 0 - too short, < 20]
00:21:47.180193 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 91.121.193.74.58730 > 94.75.232.68.6011: UDP, length 1
00:21:47.180203 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 91.121.196.200.40768 > 94.75.232.68.6011: UDP, length 1
00:21:47.180210 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 91.121.197.197.34201 > 94.75.232.68.6011: UDP, length 1
00:21:47.180218 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 91.121.193.74.58730 > 94.75.232.68.6011: UDP, length 1 UDP, length 1

1087 packets captured
1028909 packets received by filter
1026599 packets dropped by kernel


oles, I have one machine at OVH that needs to be accessing this network. No other OVH machine has any reason to be accessing my netblock other than to attack it, so will you please put an end to this abuse coming from your network; it is not minor in the slightest.
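Two tcpdump captures appear in this thread: OVHSUCKS's numbered one-line form (one source spraying 200.46.241.119 across random UDP ports, thousands of packets per second) and xrcode's verbose "IP (tos ..., ttl ...)" form above (many sources hammering a single port, 6011). The following added example, not code from either poster, parses both formats into one record shape and then looks for the two flood signatures: a source/destination pair touching many distinct destination ports inside a short window, and a destination port hit by many distinct sources. The sample capture is constructed from lines quoted in the thread; the thresholds are parameters because real captures are far larger than a ten-line sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample mixing both tcpdump styles quoted in the thread: the
# numbered single-line form from the 200.46.x.x report and the verbose
# "IP (tos ...)" form from the port-6011 capture. Addresses are as posted.
SAMPLE_CAPTURE = """\
28: 01:15:19.912382 91.121.105.56.46776 > 200.46.241.119.25417: udp 1
29: 01:15:19.912443 91.121.105.56.46776 > 200.46.241.119.31879: udp 1
30: 01:15:19.912489 91.121.105.56.46776 > 200.46.241.119.18095: udp 1
31: 01:15:19.912519 91.121.105.56.46776 > 200.46.241.119.15992: udp 1
32: 01:15:19.912565 91.121.105.56.46776 > 200.46.241.119.53065: udp 1
00:21:47.180162 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 91.121.197.197.34201 > 94.75.232.68.6011: UDP, length 1
00:21:47.180171 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 94.75.209.24.33653 > 94.75.232.68.6011: UDP, length 1
00:21:47.180186 IP (tos 0x0, ttl 247, id 57803, offset 0, flags [none], proto: TCP (6), length: 40) 207.113.203.214.60393 > 94.75.232.68.6011: tcp 20 [bad hdr length 0 - too short, < 20]
00:21:47.180193 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 91.121.193.74.58730 > 94.75.232.68.6011: UDP, length 1
00:21:47.180203 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 91.121.196.200.40768 > 94.75.232.68.6011: UDP, length 1
"""

# Optional packet number, timestamp, optional verbose IP header, then the
# src.port > dst.port: proto part common to both styles.
PKT_RE = re.compile(
    r"^(?:\d+:\s+)?(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:IP \((?P<hdr>.*?)\)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>udp|tcp)",
    re.IGNORECASE,
)


def parse_capture(text):
    """Return one dict per recognised packet line with time (seconds since
    midnight), addresses, ports, protocol and TTL (None in the short form)."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        ttl = None
        if m["hdr"]:
            ttl_m = re.search(r"ttl (\d+)", m["hdr"])
            ttl = int(ttl_m.group(1)) if ttl_m else None
        packets.append({
            "t": t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6,
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"].lower(), "ttl": ttl,
        })
    return packets


def port_spray_sources(packets, min_ports=5, window=1.0):
    """{(src, dst): most distinct destination ports hit within any
    `window`-second interval}, kept only where that reaches `min_ports`.
    One source spraying one target over random ports is the 200.46.x.x flood."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["dst"])].append((p["t"], p["dport"]))
    hits = {}
    for key, events in flows.items():
        events.sort()
        in_window, start, best = Counter(), 0, 0
        for t, dport in events:
            in_window[dport] += 1
            while t - events[start][0] > window:      # drop ports that aged out
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            hits[key] = best
    return hits


def port_flood_targets(packets, min_sources=3):
    """{(dst, dport): sorted source IPs} for ports hit by at least
    `min_sources` distinct sources: the many-sources, one-port shape of the
    port-6011 capture."""
    sources = defaultdict(set)
    for p in packets:
        sources[(p["dst"], p["dport"])].add(p["src"])
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print("port spray:", port_spray_sources(pkts))
    print("port flood:", port_flood_targets(pkts))
```

Both detectors key on the same parsed records, so the parser is the part worth keeping: once the TTL is available per packet it becomes possible to check whether a source address is plausible for its hop count, which is the reasoning behind the `TTL match TTL == 251` drop rule in the iptables output above.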

Myatu
11-02-2009, 12:00
Aside from setting up your own firewall, get Snort (http://www.snort.org). You'd be amazed how much unsolicited traffic you're getting when you look at Snort's logs.

rickyday
10-02-2009, 19:56
Server Security Guides

http://www.google.co.uk/search?hl=en...security&meta=

Palad1n
10-02-2009, 15:31
Quote Originally Posted by xrcode
oles, I have been dealing with OVH servers attacking my network for quite some time now. I want you to block OVH servers from accessing the network block 94.75.232.0/24; please block all OVH servers from accessing this netblock except for KS366890 please, thanks.
I don't think you work for LeaseWeb, so you do not have the right to request OVH block all servers from getting to an IP Block that hosts 250 other servers.

Get a decent firewall and block ICMP ANY and IP ANY from 91.121.0.0/16 or whatever other ranges are attacking you.
Put in a permit your.server.ip before the block ANY rules.

I installed MOBLOCK to my server and use Bluetack.co.uk blocklists and I also have a customlist that I can edit by hand to add abusers to.

But your request is silly and published in a user support forum, even if you had permission to speak for the class C IP block, it is up to YOU to block incoming not OVH to block outgoing.

fozl
10-02-2009, 09:34
You need to configure your firewall yourself to drop pings for instance from servers you don't know... or if it's something you cannot respond to, have you contacted abuse@ovh.net?

xrcode
10-02-2009, 00:37
oles, I have been dealing with OVH servers attacking my network for quite some time now. I want you to block OVH servers from accessing the network block 94.75.232.0/24; please block all OVH servers from accessing this netblock except for KS366890 please, thanks.