URGENT AND IMPORTANT: Anti-DDoS Protection


Trapper
29-08-2013, 20:00
Yes...

https://api.ovh.com/console/#/ip

~Trap

ExW
29-08-2013, 19:33
There is an API?

Express
29-08-2013, 17:41
Is it just me that is given the impression this VAC system sounds like a fancy way to describe IP NullRouting?

I mean, the server I have alongside a friend of mine at OVH has had moderately sized DDoS Attacks, all we have ever had is 'Interventions' and no access to our server. Anything on a smaller scale seems capable of 'bypassing' the VAC System and flooding our server.

The only support we've actually had with this VAC System is "please use the API to control it", but it's assumptive at best - and it is true in my case that we don't know how to make use of said API.


I forgot to mention, we've seen traceroutes of our server showing that we are behind the VAC System.

Thelen
29-08-2013, 12:05
Sales rep, not engineer... easy to be wrong.

Mac
28-08-2013, 07:13
Quote Originally Posted by Andy
450Mbps is way too low. Most severe attacks are in at least the 10Gbps range IIRC.
Yeah, that's what I was wondering, but the rep kept on insisting it's 450 Mbps :|
Maybe the rep wasn't updated.

Thelen
24-08-2013, 08:21
They do, try another traceroute.

ExW
23-08-2013, 17:36
Seems like they don't have a Tilera.

Code:
15  * bhs-g2-6k.qc.ca (198.27.73.3)  78.257 ms  78.018 ms
16  bhs-g2-6k.qc.ca (198.27.73.3)  77.902 ms vac3-0-a9.qc.ca.vaccum (198.27.73.241)  79.786 ms bhs-g2-6k.qc.ca (198.27.73.3)  77.882 ms
17  vac3-0-a9.qc.ca.vaccum (198.27.73.241)  79.492 ms vac3-1-n7.qc.ca.firewall (198.27.73.242)  152.787 ms  152.938 ms
18  vac3-2-n7.qc.ca (198.27.73.235)  157.279 ms vac3-1-n7.qc.ca.firewall (198.27.73.242)  152.445 ms  152.945 ms
19  vac3-3-n7.qc.ca.arbor (198.27.73.58)  157.401 ms vac3-2-n7.qc.ca (198.27.73.235)  156.649 ms  156.829 ms

Andy
23-08-2013, 09:16
450Mbps is way too low. Most severe attacks are in at least the 10Gbps range IIRC.

Thelen
23-08-2013, 07:54
I'd say more like 450Gbps aye.

450Mbps seems too low :/

ExW
22-08-2013, 23:57
My BHS server has been put on protection a few times now; it goes through the EU servers (vaccum, tilera, arbor).
The only way I can tell that it's active is either a traceroute, or that it takes a few tries to connect to SSH because of network errors; other than that it's normal.

Andy
22-08-2013, 19:55
450Mbps or 450Gbps? 450Gbps seems reasonable because it's only turned on when it's needed.

Mac
22-08-2013, 14:12
Quote Originally Posted by Thelen
So to clarify, all OVH server locations are going to be protected by this?

What level of protection is there at BHS now compared to RBX/SBG which I know have ... well different protection?
I spoke to OVH Canada support earlier today and asked them about what size of DDoS protection they have, and he said 450 Mbps. I reconfirmed with him and he said yes, it's 450 Mbps. I told him that it was too small compared to what Oles declared last month, but he insisted that it was 450 Mbps* protection.

Thelen
22-08-2013, 12:20
So to clarify, all OVH server locations are going to be protected by this?

What level of protection is there at BHS now compared to RBX/SBG which I know have ... well different protection?

JakeMS
27-07-2013, 20:58
Well, servers have it listed:
https://www.ovh.com/fr/serveurs_dedies/mitigation.xml

and

https://www.ovh.com/fr/serveurs_dedies/mini-sp.xml

under Réseau

marcround
27-07-2013, 20:53
Quote Originally Posted by oles@ovh.net
We are planning to launch the Beta version this week. On July 16th, we will explain the VAC service on our website and a new contract will be issued to provide the framework of this service. The objective is to be as transparent as possible and to provide you with the highest guarantees.
Does anyone happen to have a link to the article? I'm having trouble finding it, thx.

Thelen
27-07-2013, 09:23
Good question. I noticed my 10Gbit main server has been removed from the special VAC trace I posted a thread about a while back, so I'd say it is all up and running for sure now. Oles' twitter/fotoshare site thingy confirms it.

Vmlweb
23-07-2013, 20:49
Well the API functions for mitigation seem to be up and running.

Will mitigation automatically turn on if a DDoS is detected, or do we have to use the
POST /ip/{ip}/mitigation
function to add the IP to mitigation?
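Since the thread asks how the mitigation API is actually used, here is an added example (not OVH's own client code) that builds signed requests for the GET and POST /ip/{ip}/mitigation calls using the public OVH API signing scheme (X-Ovh-* headers, "$1$" + SHA1 over the '+'-joined fields). The endpoint root, the credential values and the POST body field name ipOnMitigation are assumptions; the request is only prepared, never sent, so it runs offline.

```python
"""Prepare signed OVH API requests for the IP mitigation endpoints.

Added example, not OVH's own client code.  Only the request is built;
nothing is transmitted.  Assumed (not stated on the page): the API root
below and the POST body field name 'ipOnMitigation'.
"""
import hashlib
import json
import time
from urllib.parse import quote

API_ROOT = "https://eu.api.ovh.com/1.0"  # assumed API root for the EU endpoint


def sign(app_secret, consumer_key, method, url, body, timestamp):
    """OVH signature: '$1$' + sha1(AS + '+' + CK + '+' + METHOD + '+' + URL + '+' + BODY + '+' + TS)."""
    raw = "+".join([app_secret, consumer_key, method.upper(), url, body, str(timestamp)])
    return "$1$" + hashlib.sha1(raw.encode("utf-8")).hexdigest()


def build_request(creds, method, path, payload=None, timestamp=None):
    """Return (method, url, headers, body) ready to hand to any HTTP client.

    The body string that is signed must be byte-for-byte the body that is
    sent, so it is serialised exactly once here.
    """
    url = API_ROOT + path
    body = "" if payload is None else json.dumps(payload, separators=(",", ":"))
    ts = int(time.time()) if timestamp is None else timestamp
    headers = {
        "X-Ovh-Application": creds["app_key"],
        "X-Ovh-Consumer": creds["consumer_key"],
        "X-Ovh-Timestamp": str(ts),
        "X-Ovh-Signature": sign(creds["app_secret"], creds["consumer_key"],
                                method, url, body, ts),
        "Content-Type": "application/json",
    }
    return method, url, headers, body


def ip_path(block):
    """The {ip} path segment is a block such as 198.51.100.0/24; its '/' is URL-encoded."""
    return "/ip/" + quote(block, safe="") + "/mitigation"


def list_mitigation_request(creds, block, timestamp=None):
    """GET /ip/{ip}/mitigation: list the IPs of the block currently under mitigation."""
    return build_request(creds, "GET", ip_path(block), None, timestamp)


def add_mitigation_request(creds, block, ip, timestamp=None):
    """POST /ip/{ip}/mitigation: put one IP of the block into permanent mitigation.

    'ipOnMitigation' as the body field name is an assumption about the API.
    """
    return build_request(creds, "POST", ip_path(block), {"ipOnMitigation": ip}, timestamp)


if __name__ == "__main__":
    # Constructed placeholder credentials; real ones come from the API console.
    creds = {"app_key": "AK_PLACEHOLDER", "app_secret": "AS_PLACEHOLDER",
             "consumer_key": "CK_PLACEHOLDER"}
    print(add_mitigation_request(creds, "198.51.100.0/24", "198.51.100.7"))
```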

HostRange
16-07-2013, 15:26
16th July is here. Website still planned on being updated today?

Thelen
15-07-2013, 09:02
Quote Originally Posted by Trapper
Any comments to this OVH? Do you think of yourselves as some sort of "play option", rather than a "serious business"...???
That isn't what I meant or was implying. OVH is a serious business; it's a question of what OTHER companies expect from the services provided. It's the difference between best worst case, and worst best case.

macole111
14-07-2013, 20:02
^ this

-macole111

Myatu
14-07-2013, 16:41

Trapper
14-07-2013, 16:19
Quote Originally Posted by Thelen
OVH isn't the company for serious productions. Why do you think people like softlayer peer1 rackspace exist...
Any comments to this OVH? Do you think of yourselves as some sort of "play option", rather than a "serious business"...???

Quote Originally Posted by Myatu
Funny you should say that. OVH has been toying with the Tilera since at least August 2010 (See http://forum.ovh.co.uk/showthread.php?t=4419) and the tests with Arbor Networks systems and Tilera to filter attacks have been ongoing for a number of months before March 2013 (See http://forum.ovh.co.uk/showthread.php?t=6514). You don't suppose OVH just drops a £500K+ system between its network cables and hopes for the best? It's a little more involved than what you make out of it...
Myatu, I was not making anything of anything. It was a direct quote from Oles. He said "Alpha", and that was posted after my servers had suffered at "VAC's" hands...

~Trap

keyjey
05-07-2013, 01:25
Thanks !

Thelen
03-07-2013, 15:37
Quote Originally Posted by keyjey
Is this applicable in North America also ?
Yes, BHS location is in the list..

keyjey
03-07-2013, 06:15
Is this applicable in North America also ?

Myatu
02-07-2013, 08:21
Quote Originally Posted by Trapper
OVH would not accept Network Hardware with Alpha Status from their suppliers
Funny you should say that. OVH has been toying with the Tilera since at least August 2010 (See http://forum.ovh.co.uk/showthread.php?t=4419) and the tests with Arbor Networks systems and Tilera to filter attacks have been ongoing for a number of months before March 2013 (See http://forum.ovh.co.uk/showthread.php?t=6514). You don't suppose OVH just drops a £500K+ system between its network cables and hopes for the best? It's a little more involved than what you make out of it...

Thelen
02-07-2013, 06:17
Quote Originally Posted by Trapper
Yes - we all want the protection, but it should have been tested first.

DDoS is serious, I have suffered this on a server before, an' it ain't nice.

As above, my point still stands, Octave, there is NO place for Alpha Stuff in a production environment. Software development runs on a well developed course: Alpha, Beta, Production. Octave - you can do better than this!

~Trap
OVH isn't the company for serious productions. Why do you think people like softlayer peer1 rackspace exist...

OVH is an awesome company for low buy-in and rapid scalability with tiny costs, but the cost of that is issues like this. I have no problem getting a company off the ground with OVH, but once revenue is >10k/month, it is time to start looking elsewhere.

raxxeh
01-07-2013, 21:35
This seems to be par for the course with OVH; they have no interest in retaining customers it seems.

Doesn't take much to notify people that they're about to change ****.

Trapper
01-07-2013, 20:16
Quote Originally Posted by Arran
...I don't mind a bit of down time if it can stop weeks of down time in the future...
Yes - we all want the protection, but it should have been tested first.

DDoS is serious, I have suffered this on a server before, an' it ain't nice.

As above, my point still stands, Octave, there is NO place for Alpha Stuff in a production environment. Software development runs on a well developed course: Alpha, Beta, Production. Octave - you can do better than this!

~Trap

Trapper
01-07-2013, 20:09
Quote Originally Posted by Myatu
do you not have one or more backup SMTP server(s) outside of, or at different OVH premises
The Backup Server was also affected, as it was in the same room at RBX... Both servers acquired before you could choose where to have them.

So, now the answer is Yes! The backup Server is now in a different country, with a different provider.

My point still stands, OVH would not accept Network Hardware with Alpha Status from their suppliers, so why should I..?

~Trap

Arran
01-07-2013, 17:21
Quote Originally Posted by Trapper
At the end of May / beginning June one of our email servers started acting up. Sometimes our clients could connect, other times they could not. This was true for POP and SMTP services. For our clients connecting this was not a serious issue as they could re-try a few moments (or minutes) later, and connect fine.

What was NOT good was that remote SMTP servers delivering email to us would fail, and wait 30 minutes or so. Then they would fail again. In the end the (inbound) email would fail, and be returned to the sender.
Not as bad as 500+ players not being able to play for weeks because of some kid with access to DNS reflection. This is what this update will stop, and I don't mind a bit of down time if it can stop weeks of down time in the future.

Maybe this anti-DDoS protection is what caused one of my UDP ports to get blocked for days, which caused problems for hundreds of players, but yeah, if we're going to be getting attack protection on OVH after years of nothing it's going to be great, and I'm looking forward to having to pay a bit extra for something that is so worth it.

Myatu
01-07-2013, 15:53
Quote Originally Posted by Trapper
What was NOT good was that remote SMTP servers delivering email to us would fail, and wait 30 minutes or so. Then they would fail again. In the end the (inbound) email would fail, and be returned to the sender.
But that begs the question: do you not have one or more backup SMTP server(s) outside of, or at different OVH premises? You cannot fault the service provider if that's not the case.

Trapper
01-07-2013, 11:31
Octave

I am deeply disappointed to read your article above. While the work you are doing is extremely worthwhile it means that you have ruined my reputation. Let me explain:

I run a business which provides Hosting Services for businesses. Because we want to do this reliably we do everything we can to avoid the (b)leading edge of technology. We stick to the tried and tested, to avoid problems with new kit or software.

We take this so seriously that we rented our first server from OVH for a whole year before putting it into production.

So how can I say that you have ruined my rep..?

At the end of May / beginning June one of our email servers started acting up. Sometimes our clients could connect, other times they could not. This was true for POP and SMTP services. For our clients connecting this was not a serious issue as they could re-try a few moments (or minutes) later, and connect fine.

What was NOT good was that remote SMTP servers delivering email to us would fail, and wait 30 minutes or so. Then they would fail again. In the end the (inbound) email would fail, and be returned to the sender.

So we spend time & money making sure we use reliable hardware / software / supply companies, only to find out that OVH is using ALPHA SOFTWARE / EQUIPMENT in a live environment:

VAC1 (currently in Alpha phase) has been installed in Roubaix. It's now working well enough for us to explain what OVH is going to offer, in terms of protection against DDoS attacks.
I am also glad that as of the 26/6/2013 it is NOW working well enough for you to admit to what you are doing.

It is however a great shame it was not working properly at the beginning of June when this cost me 3 customers, and a whole week of stress and sleepless nights.

Do not take this the wrong way; the goal you are trying to achieve will make all our offerings better. But ignoring my requests for help for 72 hours, and never admitting responsibility is unbelievable.

Does Octave ever read this...? Probably not the English version anyway...

~Trap

Thelen
30-06-2013, 16:18
I think OVH will already be doing that for you, but if not, then yes.

Arran
30-06-2013, 14:34
"the firewall network of 480Gbps with the possibility of adding 100 ACL lines by DST IP, which is an OVH innovation."

So that means if you've got professional usage you'll be able to for example drop all incoming on port 53 to avoid a DNS flood? Can't wait for this stuff to get implemented!

Thelen
28-06-2013, 09:40
Quote Originally Posted by 3r1c
Is this planned for BHS also?
You really can't read well can you lol...

The redundancy of a VAC is guaranteed by another VAC. By the end of August, we will be installing 3 VAC mitigation units in 3 locations:
- Strasbourg, France (SBG)
- Roubaix, France (RBX)
- Beauharnois, Canada (BHS)

LawsHosting
28-06-2013, 00:09
All servers, correct? Even us Kimi lovers!

3r1c
27-06-2013, 22:29
Is this planned for BHS also?

macole111
26-06-2013, 16:58
Sounds like a good idea to me, happy to pay the extra (tiny) amount a month so that we have the peace of mind about DDoS attacks.

-macole111

Thelen
26-06-2013, 07:02
Aye I think this is a great option, though will certainly make lots of the DDoS protection companies that have sprung up recently (mostly to protect minecraft lol) obsolete as the people with their MC servers on OVH will be protected again

Myatu
26-06-2013, 02:39
That is a remarkably small increase in price given the extremely costly equipment... I'm not complaining!

Minor note: What's the increase on the public cloud, if any? Same as VPS?

Andy
25-06-2013, 13:18
So from what I understand from the bad Google translation, we will be getting:

1. A small price increase from €0.5 to €1/month so that the default DDoS Protection is free of charge to all?
2. The option to upgrade the protection to PRO for an additional cost?

I'm happy enough with #1 if it proves effective against any DDoS's.

oles@ovh.net
25-06-2013, 12:56
Hello,

As a web infrastructure supplier, OVH has always been faced with DDoS cyber attacks, which affect our infrastructure as much as the services of our customers. Since the Wikileaks affair in late 2010, DDoS attacks have been making the headlines, and with DNS AMP becoming widespread since the beginning of this year, any kid can basically launch a DDoS attack of several dozen Gbps and implement a childish activity.

On our side, we have developed the protection tool over time with one simple aim: that the anti-DDoS protection service cannot be optional. On your side, customers must use this service by default.

For 3-4 months we've been working on a new type of infrastructure for protection against DDoS attacks, which we named "VAC" (VAC as in vacuum cleaner).
So let's be artistic here - the idea is passing a vacuum cleaner over incoming traffic from the internet to your services, extracting the bad packets but leaving the good packets intact.

VAC1 (currently in Alpha phase) has been installed in Roubaix. It's now working well enough for us to explain what OVH is going to offer, in terms of protection against DDoS attacks.

We are planning to launch the Beta version this week. On July 16th, we will explain the VAC service on our website and a new contract will be issued to provide the framework of this service. The objective is to be as transparent as possible and to provide you with the highest guarantees.

Hardware
--------
VAC is a mitigation unit capable of cleaning up to 160Gbps/160Gbps traffic.
It consists of 2 routers: a CISCO ASR 9001 and a Cisco Nexus 7009. Overall, a VAC has 114 10G ports, or 1.14Tbps switching/routing capacity. For traffic cleaning we use 2 types of hardware: 4 Tilera each with 20Gbps (80Gbps) and 1 TMS 4000 of 30Gbps.

Software development on the Tileras is ensured by our internal team. It consists of low level C/C++ code, queue management and algorithms that determine whether a packet is good or bad. TMS 4000 is a package with algorithms, developed by Arbor.

The traffic gets 'vacuumed up' on entering a datacentre, cleaned, then directed towards the routers of the rooms. In the case of VAC1, traffic is sucked up at the level of 2 main Roubaix routers, then subjected to 5 cleaning phases. Each phase intelligently cleans up one type of attack, with the aim of significantly reducing the size of the attack, before passing the remainder onto the next phase. And so on and so forth.

Thanks to these 5 stages, we are capable of treating up to 160Gbps of attacks, whereas our competitors buy an Arbor TMS 4000 package with 1 10G card and are only able to filter 10G max, which is basically nothing. If you receive attacks exceeding this, the contract is breached and you have to find yourself a new hosting provider - this is where we step in, as we have no limits in terms of the size of attacks that we can manage.

Functionalities
---------------
A VAC enables us to provide you with the following services:
- a network firewall
- mitigation of DDoS attacks
- choice of mitigation type
- permanent mitigation
- detection of an attack and activation of the mitigation
- support to assist you in the event of an attack

A VAC also takes care of hoovering up any attacks that our network may generate. Sometimes customers are indeed hacked and their servers are then used to launch the attacks. When we detect these attacks, we suck them up with the VAC and then clean them, while waiting to determine which servers have been hacked so we can put them in rescue mode.

A VAC also participates in the fight against spam. The VAC will actually suck up and duplicate "the outgoing email traffic" of a datacentre (DC) in order to analyse it with anti-spam and antivirus programmes. We will be able to calculate the statistics on the amount of spam per SRC IP in our DCs, and then block an IP's SMTP traffic when we believe that it is acting as a spammer.

A VAC is not for storage, it is a traffic analyser and thus it does not store emails. It simply analyses samples of the emails leaving our DCs in real time.

In addition to vacuuming, the VAC also does the ironing ...nah, just kidding!

Redundancy
----------
The redundancy of a VAC is guaranteed by another VAC. By the end of August, we will be installing 3 VAC mitigation units in 3 locations:
- Strasbourg, France (SBG)
- Roubaix, France (RBX)
- Beauharnois, Canada (BHS)

The 3 VACs will function in parallel and each VAC will suck up the traffic nearest to it, in order to clean it, then it will inject it into the internal network that we have set up between all the DCs. So an attack coming from Miami, FL will pass through BHS, where the VAC3 will clean it, then the traffic will enter the internal network. From BHS it will pass through GRA, through RBX to arrive, for example, in SBG at the server that is the victim of a DDoS attack.

The total capacity of our 3 VACs is 3 x 160Gbps, which is 480Gbps/480Mpps. It's the biggest known mitigation infrastructure that an infrastructure supplier has made available to their customers.

Consequences
------------
The protection service is not limited in terms of the size, duration, nor the type of the attack. We know how to contain any attack and the objective for us is providing you with a service that will truly protect you on the day you are attacked.

The question is not so much "Do I need it?" but rather "Will it protect me when doomsday comes?"
Just last week, a customer contacted me urgently because their site had been attacked by some discontented kid. 3 clicks later, the attack passed through VAC1 and the site www.prestashop.com was back up again.

Every day, we receive up to 1200 attacks and we protect 700 of you on average, not really the same every day...

Service
-------
We will be offering three levels of service:

- By default and included in the price, the aim is to protect our infrastructure and the services of the customer as best we can. In order to properly protect an infrastructure against an attack, it is necessary to know what is running on the server, and then set up the right mitigation configuration. Without having human contact with the customer, we can only do our best. This is the level of service we will provide by default.

- With PRO usage, you will be able to tinker with and adapt the protection using the manager or APIv6. We will offer you the following tools:
- the firewall network of 480Gbps with the possibility of adding 100 ACL lines by DST IP, which is an OVH innovation.
- the choice of several dozen mitigation types, including web, SMTP, game, TeamSpeak, streaming etc.
- permanent mitigation or attack detection with automatic VAC activation
- support will be provided via the following mailing-list: ddos@ml.ovh.net

- With VIP Support, you will have 24/7 human assistance with configuration + someone to talk to in the event of an attack, to help you configure the protection to block the attack quickly and efficiently. The VIP team will ensure that the attack is monitored 24/7 and will adapt the protection if the attack changes.

Price
-----
Throughout the Alpha phase, we communicated the fact that protection against DDoS attacks should be a service included in the price of a server, VPS, PCI, dedicated cloud or (available in France only) an ADSL connection.

We were very surprised to read the same question again and again: "How much will it cost?"

This made us think ...a lot.
After this thoughtful reflection process, we had 3 options:

- Doing the same as everyone else, which means offering a considerably expensive mitigation service, while stating that the mitigation capacity depends on the price and that in all cases there is a limit of 10Gbps or 20Gbps (!!), that there's also a limitation in the attack duration (!!), and then you have to pay more if you want more (!!). Basically, an on demand, overpriced and rather limited service. This is the standard business model of all our competitors and suppliers of mitigation solutions.

- Offering something cheap/adequate, which means investing in an infrastructure (we're talking €3M) and then not including the mitigation costs in the price of each service - simply offering it but with no figures related to mitigation, no teams to take care of it 24/7 and just hoping that it will be enough come doomsday.

- Sharing the costs of the VAC and the teams with all existing and future customers that we have on our infrastructure - this is the solution that we have chosen. In this scenario we're talking about a mandatory option for all existing dedicated servers, VPS and dedicated clouds. Since there are so many customers, the service price increase is very low as a result:
- VPS: +£0.50/month
- KS: +£1/month
- SP: +£1/month
- EG: +£2/month
- MG: +£2/month
- HG: +£3/month
- Dedicated Cloud: +£5/month
- Colocation (France only): +€10/month

This price increase for all existing and future servers will allow us to continue to invest and improve the infrastructure so that we can handle new attacks.

Prices will increase from September 1st 2013 for all existing servers. However, if you sign up for a whole year, then DDoS protection is included, so the service price does not change.

The increase is between +£0.50 and +£10 per month. It may seem low compared to the anti-DDoS service prices offered by our competitors. You may even say that we won't be able to provide a quality protection service against DDoS attacks for such a low price. However, given the number of customers we have and the sharing of costs and investments, we feel totally comfortable with taking up the challenge of becoming the leading player in the protection against attacks, and of protecting against doomsday.

Kind regards,

Octave