OVH Community, your new community space.

Network Problems in OVH


Trapper
20-06-2013, 23:19
Sorry for the late update, been:
Busy
Holiday
Busy...

@Thelen: You say "config issue" again, but fail to note if you think this is Server or Router.

As an update, a day or so after this post, the server was taken off "protection", and everything started working just fine again.

With this in mind, I do not think it could be a Server-Config issue:
Filter on - service interrupted
Filter off - everything works fine...

Thanks OVH - I really needed 4 days of email issues!

~Trap

Thelen
06-06-2013, 09:35
Yea keep in mind ICMP is often blocked/messed with, so it might not be happening with your other packets, but it might be a config issue indeed.

Trapper
05-06-2013, 11:02
How can this be a config issue when the TraceRoute shows the traffic is not even getting to the server..?

~ Or are you saying it is a router-config issue?

~Trap

Thelen
05-06-2013, 10:52
Seems more like configuration issue, my server doesn't have that problem and its behind the same thing.

Trapper
04-06-2013, 16:19
Hi All,

I am writing this in part to answer a support ticket, and also to bring some disparate information together in one place.

I understand that OVH have introduced a system to help mitigate problems caused by open DNS servers inside the network/data-centre being used in dDoS (Specifically DNS-AMP) attacks.

This is covered in a post here in the forum from NatdaS (although signed Octave)...
http://forum.ovh.co.uk/showthread.php?t=6634

The system (known variously as "Protection", "Firewall", "Vaccuum" or "Arbor") is designed to stop remote IP's abusing servers within the network. (Un-confirmed, OVH please clarify).

Whilst two of my Servers were behind this "Protection" they could not act properly as Mail Servers. DNS was working fine (certainly better than 99%). HTTP(S) was working fine (100%). But POP and SMTP were seriously affected.

POP and SMTP services were limited to somewhere around 25% of their normal availability.

I suspect this was due to mis-configuration in the "Protection". I cannot prove this of course, as OVH waited 3 1/2 days to respond to the ticket, by which time the server had been taken out of Protection.

If the "Protection" system is purely about DNS, and specifically about DNS-AMP as stated in the forum post above, the SMTP and POP traffic should not be affected. It was however very badly.

Even a TraceRoute to the machine failed (See Site24x7 report below).

I suspect this is related to the problems seen in these two posts:
http://forum.ovh.co.uk/showthread.php?t=6621
http://forum.ovh.co.uk/showthread.php?p=45993#post45993

There has also been some issues with the French/English parts of the DNS-AMP testing / resolution. The Test and Resolution pages are now available in English:
Test Page:
https://www.ovh.co.uk/cgi-bin/tools/dns_security.cgi

Instructions Page:
http://www.ovh.co.uk/g1082.secure-your-DNS

If you are using Windows, I recommend Andy's Post to help with the fix, as the Instructions Page is so poor:
http://forum.ovh.co.uk/showthread.php?t=6621

I have been asked by support to "Bring more information" so to that end, I stated this Thread to contain evidence of issues. Herewith the Trace Route Failure from www.site24x7.com which they preformed every 15 minutes while trying to connect to one of my Mail Servers:

TraceRoute Failure:

Hop Node Resp. Time(ms) AS Number AS Name
1 Gateway IP - - -
2 transit1.as29527.net (95.128.48.41) 0.788 - -
3 peering2.as29527.net (95.128.48.44) 0.776 AS29527 ASTUTIUM-AS Astutium Limited
4 * - - -
5 rbx-g2-a9.fr.eu (91.121.128.195) 9.671 - -
6 vac1-0-a9.fr.eu.vaccum (178.33.100.151) 3590.837 - -
7 vac1-1-n7.fr.eu.firewall (178.33.100.152) 63.599 AS16276 OVH OVH Systems
8 * - - -
9 vac1-1-n7.fr.eu.firewall (178.33.100.152) 62.560 AS16276 OVH OVH Systems
10 * - - -
11 vac1-1-n7.fr.eu.firewall (178.33.100.152) 3061.032 AS16276 OVH OVH Systems
12 * - - -
13 * - - -
14 * - - -
15 vac1-1-n7.fr.eu.firewall (178.33.100.152) 327.291 AS16276 OVH OVH Systems
16 * - - -
17 * - - -
18 * - - -
19 vac1-1-n7.fr.eu.firewall (178.33.100.152) 3431.161 AS16276 OVH OVH Systems
20 * - - -
21 vac1-1-n7.fr.eu.firewall (178.33.100.152) 3484.028 AS16276 OVH OVH Systems
22 * - - -
23 * - - -
24 * - - -
25 vac1-1-n7.fr.eu.firewall (178.33.100.152) 66.893 AS16276 OVH OVH Systems
26 * - - -
27 vac1-1-n7.fr.eu.firewall (178.33.100.152) 3072.873 AS16276 OVH OVH Systems
28 * - - -
29 * - - -
30 * - - -

This did not happen every time, just sometimes.

Can anyone from OVH shed some light?

Non-OVH, please only post below if you have evidence to add to the "Protection" system failing...

~Trap