
Anti-hack warning

03-06-2013, 10:02
On my MS DNS server just ticking the disable recursion box wasn't enough. I could still request Google through my DNS server and the OVH page was still red.

What I had to do was remove all forwarders and delete all the root hints from the server properties window. This would stop the server forwarding requests. I am not sure why we have to do all that, but it fixes the issue on 2008 R2 and 2012.

To do some more detailed feedback I use with the server set to the op in question with trace set, if I try then if it shows a fill request I know it is still forwarding. It's a bit easier to understand than the French OVH thingy, why can't they translate it?


03-06-2013, 10:01
All I did was disable recursion and it was just fine.

03-06-2013, 09:28
OK, noticed some issues on Thursday last week with one of my servers.

As Andy said, settings (recursive lookups) have been corrected, but still the page:
Lists some of the servers as "Problème de sécurité".

Seems they are in "Protection" and "VAC" is enabled.

Did anyone make any other changes to a Microsoft DNS machine?

Is responding with Root Hints considered a failure? - If so how do I stop this?

Sorry OVH, I have enough trouble "wiv InGlish". Can we please have these pages in something other than French.


24-05-2013, 00:27
I got a reply and apparently it was a mistake to notify me for the other IP. At least they were honest. No harm done.

22-05-2013, 23:16
Yeah, apparently nslookup on windows achieves the same result if you add in the server to use. I'm just hoping it's a delayed reaction by the manager or OVH's techs putting it on a list.

22-05-2013, 23:12
Ah yes, then it wouldn't be. Not sure how to do it with Windows, but with *nix a quick check is to perform a 'dig' on the nameserver itself from an outside source, i.e.:

dig @mynameserver
Obviously replacing 'mynameserver' with the actual value. It shouldn't give an answer.

Coincidentally, I tried your ones (iisunderground and betaarchive), and they just return a 'Nope. Go and try the rootservers instead' answer, so I assume that'd suffice.

22-05-2013, 23:03
I run my own nameservers so that's not an option.

22-05-2013, 23:02
Depending on how your servers are set up, you could close TCP and UDP ports 53 to external sources (only allow to access it). That's one of the first things I generally do with new servers...

22-05-2013, 22:49
I just got another hack notice for my other IP, yet it's disabled server wide. I hope it's just a delayed response by the system...

22-05-2013, 20:47
5 Mbps doesn't get noticed, whereas 1 Gbps does. Do that x1000 drones, and that's enough to knock out a small server or company network.

22-05-2013, 14:35
There is no reason for anyone to be running an open DNS resolver that could be abused by the bad guys.

This is the first time you've been notified by OVH. The relay could have been abused many times and gone undetected.

A couple? More like hundreds to thousands if they do not take action. 24 hours is more than enough time for any responsible individual to get an issue like this fixed. These servers are unmanaged; they shouldn't have to hold the customer's hand.

I agree with you on this point. OVH should be proactive.

22-05-2013, 12:33
Yes, but it's better than the 1Gbps they could have had otherwise. Big difference isn't it?

It's not about being an experienced sysadmin, which I don't claim to be. I know more than enough to get me by. The fact is it's never been a problem before. 5 years I have operated a DNS with open relay capabilities and this is the first time I've had a problem. Also remember that it's sometimes necessary to operate a server in this way, depending on your configuration of other software.

OVH will probably get thousands of Spamhaus entries per day, a couple more isn't going to hurt. However you're missing the point that OVH need to help their customers more rather than just issuing a "fix this in 24 hours or we cut you off" message.

OVH knew open relays were an issue for many weeks. Why didn't they scan their network for open relays and contact customers individually BEFORE it became an issue?

Again, everyone is always missing the point that it's not just the customers' fault but OVH's as well for not being vigilant enough. Unmanaged or not, it's still partly their responsibility as a network provider.

22-05-2013, 12:25
5Mb/s is still a significant amount of traffic. An attacker with lots of 5Mb/s capable servers has a lot of power in his hands.

If business is mission critical, employ an experienced sysadmin.

You should think about the damage it'll do to OVH's reputation (Spamhaus listings, etc) rather than how it affects the individual who failed to harden his server. This situation could have been avoided.

22-05-2013, 11:00
I agree, but 24 hours is a pretty short amount of time. They could just block your DNS port rather than taking the server offline, or limit the throughput of DNS to say 5Mbps. I doubt many people need more than 5Mbps of continuous DNS data per server unless that's all it was designed to do.

OVH just don't seem to understand that people have dedicated servers that are mission critical. Sure people say don't use OVH for mission critical, but they are great when they work. Their downfall is their petty nature when it comes to "hack" issues like this where all they think about is the network and not the customer.

The server should NEVER EVER be taken offline unless it is causing an extremely serious problem, or is breaking the law. DNS amplification is a serious issue, but OVH have the ability to reduce its effect with rate limiting etc. 24 hours is a very short amount of time and not everyone may be able to respond in that time. E.g. I might have been on holiday without Internet access for a few days.

22-05-2013, 10:55
It's nice to see OVH being proactive. DNS amplification attacks are a HUGE issue.

21-05-2013, 21:48
It's a good thing. There are too many open DNS servers out there, so if I can prevent it even a little I will.

21-05-2013, 21:46
I got EXACTLY the same message yesterday at around 10pm; it was for a 2008 R2 web server that shouldn't even have a DNS server. I disabled the recursion as you have and then removed the DNS server.

I sent a quick message back to OVH asking them to confirm that the problem is resolved.

They are obviously trying to stop a repeat of the Spamhaus attack.


21-05-2013, 20:59
Thanks. I actually took the time to read their hack warning after angrily shouting at OVH being ridiculous, and it contains a link to which tells you how to do it. Doh!

21-05-2013, 20:55

21-05-2013, 19:07
Hi all,

Apparently my server has been used as a DNS amplification source because relaying was enabled. I didn't know this was set by default, so my question is: is this all I have to do to disable relay?

OVH said that the server will be suspended if it's not resolved within 24 hours.