OVH Community, your new community space.

Automated threats regarding a correctly configured IP failover

csc2ya
04-12-2014, 00:42
I've posted a message on their forums to hopefully make them aware of it.

heise
03-12-2014, 23:06
You may want to file a complaint with Avast to update their software. It is reported here http://www.heise.de/security/artikel...k-2441448.html that the new version of Avast attacks its own network to scan for vulnerabilities, which is pretty stupid on public IP addresses. They are not behind a router.

csc2ya
03-12-2014, 22:29
I now have this resolved. I was asked what I was running on the VM... I told support (Neil) what I was running, and he suggested removing Avast, which I was using for anti-virus.

After removing that, he confirmed that the ARP requests had stopped, and I then realized the requests had started the same day I installed an update to Avast, meaning that was the culprit.

I've now put AVG free on instead, and so far (fingers crossed), this appears to be working with no issues.

csc2ya
02-12-2014, 23:19
Quote, originally posted by csc2ya:
    Original server IP is 5.196.64.71, hence the gateway above.
The gateway is set the same as the server.

I removed the original server IP, as I don't use it... I use my RIPE block instead.

The MAC is different, but it is identical to what the OVH Manager generated for that IP.

The IP was blocked a few moments ago... I unblocked it, and immediately received another warning e-mail.

I personally am convinced that something is broken on OVH's network that is causing this.

I'll try the suggestion of changing the subnet, followed by a reboot, then changing it back... if that doesn't work, then I'll have to wait for however long OVH take to respond.

heise
02-12-2014, 22:18
Hi, shouldn't your server have an IP with 5.196.x.x? Is the IP alias set correctly on the server? No idea about Windows.

Try setting the netmask to 255.0.0.0, restart, and then set it back to 255.255.255.255. I can only think that Windows is somehow messing something up. Is VirtualBox set up to use 02:00:00:2B:xx:xx as the MAC? Beyond that, I have no idea why it is not working.

csc2ya
02-12-2014, 19:07
The server ip configuration is:

http://demo.ovh.eu/en/41b81e45779e1a3f921f27a0e0983282/

The VM ip configuration is:

http://demo.ovh.eu/en/914829e5e1b10c61cb5fcc3b3b63f537/

I'm convinced either OVH have changed something, or these notifications are false, since I've been using that same configuration ever since I got the RIPE IPs with no issue up until now.

heise
02-12-2014, 18:20
Quote, originally posted by csc2ya:
    I can fast see this becoming a battle between me and OVH with them constantly blocking the IP, and me then unblocking it.
That's a battle that I guess you will lose. They may eventually block the IP indefinitely, or worse. Better check your configuration files, or post them here for us to give you feedback. Something has to be wrong, or your server wouldn't be sending out ARP packets.

csc2ya
02-12-2014, 14:18
That confuses me... since nothing is configured with a .248 netmask at all. All the RIPE IPs I'm using have .255 as the netmask.

I think I'm just going to leave it, and let OVH block it if they want to. Then I'll just unblock it, potentially starting a block/unblock war between me and OVH (if that's what they want).

I personally am convinced OVH have changed something and not told us.

Edit: I've just submitted a support ticket... if OVH can tell me what's wrong, I'll gladly correct it... if not, then this becomes a war.

rv9ufz
02-12-2014, 14:01
Hmm, looks like your server acts as the gateway and alias configured with 255.255.255.248 netmask...
Then the gateway occasionally sends who-has queries for the entire /29.

csc2ya
02-12-2014, 13:41
They did include samples of the ARP requests:

The first time:

You will find below a sample of queries sent by your server:

------- EXTRACT OF REQUESTS -------

Mon Dec 1 00:00:11 2014 : arp who-has 46.112.235.114 tell 46.105.231.50
Mon Dec 1 00:00:12 2014 : arp who-has 46.112.235.113 tell 46.105.231.50
Mon Dec 1 00:00:12 2014 : arp who-has 46.112.235.115 tell 46.105.231.50
Mon Dec 1 00:00:12 2014 : arp who-has 46.112.235.116 tell 46.105.231.50
Mon Dec 1 00:00:12 2014 : arp who-has 46.112.235.114 tell 46.105.231.50
Mon Dec 1 00:00:12 2014 : arp who-has 46.112.235.117 tell 46.105.231.50
Mon Dec 1 00:00:13 2014 : arp who-has 46.112.235.115 tell 46.105.231.50
Mon Dec 1 00:00:13 2014 : arp who-has 46.112.235.116 tell 46.105.231.50
Mon Dec 1 00:00:13 2014 : arp who-has 46.112.235.118 tell 46.105.231.50
Mon Dec 1 00:00:13 2014 : arp who-has 46.112.235.117 tell 46.105.231.50

------- END OF EXTRACT -------
Second time (where they also mentioned it being the last warning before blocking the IP):

------- EXTRACT OF REQUESTS -------

Tue Dec 2 00:00:02 2014 : arp who-has 46.115.159.6 tell 46.105.231.50
Tue Dec 2 00:00:02 2014 : arp who-has 46.115.159.3 tell 46.105.231.50
Tue Dec 2 00:00:02 2014 : arp who-has 46.115.159.5 tell 46.105.231.50
Tue Dec 2 00:00:02 2014 : arp who-has 46.115.159.7 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.4 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.6 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.8 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.5 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.7 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.9 tell 46.105.231.50

------- END OF EXTRACT -------
I know the gateway IP is definitely correct (it's the same as the server's gateway). The VM was moved in the past, but I did make sure to change the gateway to match my server.

That's how I know my configuration is correct.

I can fast see this becoming a battle between me and OVH with them constantly blocking the IP, and me then unblocking it.

I wonder whether OVH have changed something and not told us.
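
The two extracts above, run through a small checker. This is an added example written for this page; it is not code anyone in the thread posted and not an OVH tool. It assumes the VM configuration csc2ya gives at the bottom of the thread (46.105.231.50 with a 255.255.255.255 mask and gateway 5.196.64.254) and embeds the two extracts as constructed sample input. The rule it encodes is the one rv9ufz applies above: a /32 host has exactly one legitimate ARP target, its gateway, so any other who-has points at a wrong netmask, a stale gateway, or software sweeping what it believes is the local subnet, and the smallest prefix covering the stray targets shows what subnet the sender thinks it is on.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample input: the two extracts quoted in this post, verbatim,
# in the format OVH's warning e-mails use ("arp who-has <target> tell <sender>").
SAMPLE_EXTRACT = """\
------- EXTRACT OF REQUESTS -------
Mon Dec 1 00:00:11 2014 : arp who-has 46.112.235.114 tell 46.105.231.50
Mon Dec 1 00:00:12 2014 : arp who-has 46.112.235.113 tell 46.105.231.50
Mon Dec 1 00:00:12 2014 : arp who-has 46.112.235.115 tell 46.105.231.50
Mon Dec 1 00:00:12 2014 : arp who-has 46.112.235.116 tell 46.105.231.50
Mon Dec 1 00:00:12 2014 : arp who-has 46.112.235.114 tell 46.105.231.50
Mon Dec 1 00:00:12 2014 : arp who-has 46.112.235.117 tell 46.105.231.50
Mon Dec 1 00:00:13 2014 : arp who-has 46.112.235.115 tell 46.105.231.50
Mon Dec 1 00:00:13 2014 : arp who-has 46.112.235.116 tell 46.105.231.50
Mon Dec 1 00:00:13 2014 : arp who-has 46.112.235.118 tell 46.105.231.50
Mon Dec 1 00:00:13 2014 : arp who-has 46.112.235.117 tell 46.105.231.50
------- END OF EXTRACT -------
------- EXTRACT OF REQUESTS -------
Tue Dec 2 00:00:02 2014 : arp who-has 46.115.159.6 tell 46.105.231.50
Tue Dec 2 00:00:02 2014 : arp who-has 46.115.159.3 tell 46.105.231.50
Tue Dec 2 00:00:02 2014 : arp who-has 46.115.159.5 tell 46.105.231.50
Tue Dec 2 00:00:02 2014 : arp who-has 46.115.159.7 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.4 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.6 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.8 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.5 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.7 tell 46.105.231.50
Tue Dec 2 00:00:03 2014 : arp who-has 46.115.159.9 tell 46.105.231.50
------- END OF EXTRACT -------
"""

# Assumed configuration, taken from the thread: the VM's failover IP is a /32,
# so the only address it should ever ARP for is the server's gateway.
EXPECTED_GATEWAY = {
    ipaddress.ip_address("46.105.231.50"): ipaddress.ip_address("5.196.64.254"),
}

LINE_RE = re.compile(
    r"^(?P<day>\w{3} \w{3} +\d{1,2}) \d\d:\d\d:\d\d (?P<year>\d{4}) : "
    r"arp who-has (?P<target>\S+) tell (?P<sender>\S+)$"
)


def parse_extract(text):
    """Group who-has targets by (sender, day); non-matching lines are skipped."""
    targets = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "EXTRACT OF REQUESTS" markers, blank lines
        key = (ipaddress.ip_address(m["sender"]), f"{m['day']} {m['year']}")
        targets[key].add(ipaddress.ip_address(m["target"]))
    return targets


def covering_prefix(addrs):
    """Smallest IPv4 prefix that contains every address in addrs."""
    lo, hi = min(addrs), max(addrs)
    plen = 32 - (int(lo) ^ int(hi)).bit_length()
    return ipaddress.ip_network(f"{lo}/{plen}", strict=False)


def audit(text, expected=EXPECTED_GATEWAY):
    """Flag who-has queries a /32 host has no business sending.

    Allowed targets are the host's gateway and its own address (duplicate
    address probes). One finding per (sender, day): the stray targets, the
    smallest prefix that would explain them as a subnet, and whether they
    form an unbroken run, which is what a sequential subnet scan looks like.
    """
    findings = []
    for (sender, day), seen in parse_extract(text).items():
        gateway = expected.get(sender)
        allowed = {sender} | ({gateway} if gateway else set())
        stray = sorted(seen - allowed)
        if not stray:
            continue
        findings.append({
            "sender": str(sender),
            "day": day,
            "known_host": gateway is not None,
            "stray": [str(a) for a in stray],
            "covering_prefix": str(covering_prefix(stray)),
            "contiguous": int(stray[-1]) - int(stray[0]) + 1 == len(stray),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXTRACT):
        print(f"{f['sender']} on {f['day']}: {len(f['stray'])} stray who-has "
              f"(within {f['covering_prefix']}, contiguous={f['contiguous']})")
```

On these two extracts it reports 46.112.235.112/29 for 1 December and 46.115.159.0/28 for 2 December, both as unbroken runs. The first run does fit inside a single /29, but the second (.3 through .9) crosses a /29 boundary, so a /29 alias mask on its own would not produce it; a consecutive sweep of a neighbouring block is what a scanner does, which is consistent with the Avast explanation at the top of the thread. A sender not listed in EXPECTED_GATEWAY is still reported (with known_host False), since the check needs no prior knowledge of the host to tell that it is ARPing for something other than one gateway.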

DigitalDaz
02-12-2014, 09:08
That looks good. Did they send you a sample of the bad ARP requests?

Also, just double-check your host's IP again. I have moved a VM in the past and forgot to change the gateway, and this then started generating bad ARPs.

csc2ya
01-12-2014, 23:21
I have a block of 8 RIPE IPs routed to my server. 3 (sometimes 4) of these are in use.

2 are assigned to my server (I have removed the original IP from the interface configuration in Windows).

A third is assigned to a Windows 7 virtual machine running in VirtualBox. The fourth is used for playing around with different OSes (also in VirtualBox).

Since yesterday, I have been receiving automated e-mails regarding the third IP being misconfigured. However, if it is misconfigured, it's been that way for well over a month without any warnings, and hence I believe this message to be false.

I have obviously assigned a virtual MAC to the IP, and am using the following network configuration in the VM:

IP: 46.105.231.50
Subnet mask: 255.255.255.255
Gateway: 5.196.64.254

Original server IP is 5.196.64.71, hence the gateway above.

Can anyone confirm whether this is correct?