protection against spoof


oles@ovh.net
02-27-2011, 09:56 AM
Hello,
We have improved protection against attacks to our network and in particular the spoofed attacks made with our IPs but coming from the Internet. Now this type of attack has been blocked.

This fixes the problem of anti-hack that about 300 customers had received since Friday night. All these servers are now in normal operating condition.

Sorry for the inconvenience.

Regards
Octave

More:
http://status.ovh-hosting.fi/?do=details&id=1176

-----------------------------------------------------------------

An IT client (a hacker) had ordered 15 servers. They used
some servers to launch attacks and scans. It was
placed several times in "anti hack" (rescue) to protect our
network and the networks on Internet.

Up till here there is nothing new. Just as usual.

One of the servers 94.23.4.70 has been used to attack other
hackers on the net. So we have received attacks on 94.23.4.70
We have used the protections customarily used by our 24/7 team
to block these attacks.

Still nothing new.

As the blocks were very efficient and hackers who attacked
94.23.4.70 were not satisfied with the result of their attack, they
launched a spoofed attack but with their IP from
OVH. It's a (nice) way to get through the security
and automatic limitations of traffic in case of an attack. Because
the packet initiated by an IP on the Internet (that can be whichever) by spoofing
the source 94.23.4.70 and the port 80 arrived on a dedicated server at OVH.
This server (which did not ask for anything) responded to 94.23.4.70
on port 80 "I did not ask you for anything, cancel the connection." In
launching this massive spoof, the hackers launched
the attack made with the OVH network to an IP victim 94.23.4.70:80.
This attack of 500Mbps was launched on Friday 25th around 8pm.

OVH analyzes traffic in the internal network, detects the attacks and
intervenes to block the attacks. We have detected a little
less than 300 servers at OVH launched an attack to 94.23.4.70
and we have switched them to rescue mode to protect the network.

This particular case is a false alarm
and this night we have switched all these servers back to normal state.

To avoid this flaw, we have added additional protection
on incoming traffic to our network from the Internet. It
is no longer possible to send us packets from our own IPs.
It has been blocked. The problem is fixed.

Sorry for the inconvenience.

In parallel, for your information, all of our dedicated servers in
our network connected to our switches have the same type of protections
i.e. they cannot initiate traffic with another IP than with those that
are allocated on the server (the switch port). Basically on
each port of each switch there is an access-list with the IPs that
can send traffic. They cannot be used for spoofing and sending this
kind of attack to OVH's network or to the Internet.
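
An added example, not part of the original post and not OVH's configuration: a Python model of the two source-address filters described above, the border rule that drops Internet packets claiming one of the network's own IPs as source, and the per-switch-port access list. The prefix, port names and addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation ranges, not the provider's real prefixes).
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Per-switch-port access lists: port name -> IPs allocated to the server on that port.
PORT_ACL = {
    "sw1/1": {ipaddress.ip_address("198.51.100.10")},
    "sw1/2": {ipaddress.ip_address("198.51.100.20"),
              ipaddress.ip_address("198.51.100.21")},
}

def is_own(ip):
    """True if the address belongs to one of the network's own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_PREFIXES)

def edge_ingress_allows(src_ip):
    """Border rule: a packet arriving from the Internet may not carry an internal source."""
    return not is_own(src_ip)

def port_egress_allows(port, src_ip):
    """Switch-port rule: a server may only send from IPs allocated to its port."""
    return ipaddress.ip_address(src_ip) in PORT_ACL.get(port, set())

def evaluate(packets):
    """Return a (verdict, reason) pair for each packet, based on where it entered."""
    results = []
    for p in packets:
        if p["ingress"] == "internet":
            ok = edge_ingress_allows(p["src"])
            reason = "ok" if ok else "own-source-from-internet"
        else:
            ok = port_egress_allows(p["ingress"], p["src"])
            reason = "ok" if ok else "source-not-allocated-to-port"
        results.append(("forward" if ok else "drop", reason))
    return results

# Constructed packets: where each one entered the network and the source it claims.
SAMPLE = [
    {"ingress": "internet", "src": "203.0.113.5",   "dst": "198.51.100.20"},  # ordinary visitor
    {"ingress": "internet", "src": "198.51.100.10", "dst": "198.51.100.20"},  # claims an internal source
    {"ingress": "sw1/1",    "src": "198.51.100.10", "dst": "203.0.113.5"},    # server using its own IP
    {"ingress": "sw1/1",    "src": "198.51.100.20", "dst": "203.0.113.5"},    # server using a neighbour's IP
    {"ingress": "sw9/9",    "src": "198.51.100.10", "dst": "203.0.113.5"},    # port with no access list
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(pkt["ingress"], pkt["src"], "->", pkt["dst"], verdict)
```

With the border rule in place, the second packet never reaches the internal server, so the server sends no reset toward the spoofed address and is not counted as an attacker.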