rssLink RSS for all categories
 
icon_red
icon_green
icon_red
icon_red
icon_blue
icon_green
icon_green
icon_red
icon_red
icon_red
icon_orange
icon_green
icon_green
icon_green
icon_green
icon_blue
icon_green
icon_orange
icon_red
icon_green
icon_red
icon_red
icon_green
icon_red
icon_red
icon_red
icon_red
icon_orange
icon_green
 

FS#1176 — FS#5183 — establishing protection against spoof

Attached to Project— Network
Maintenance
Whole Network
CLOSED
100%
We will establish the prtection againt the spoof of our IPs in internet networks.
Date:  Monday, 28 February 2011, 16:55PM
Reason for closing:  Done
Comment by OVH - Sunday, 27 February 2011, 12:53PM

An IT client (a hacker) has ordered 15 servers. They used
some servers to launch attacks and scans. It was
placed several times in "anti hack" (rescue) to protect our
network and the networks on Internet.

Until then there is nothing new. As usual.

One server 94.23.4.70 has been used to attack others
Hackers on the net. We received attacks on 94.23.4.70
We have put protections usually used by
24/24 teams to block these attacks.

Still nothing new.

As the blocks were very efficient and hackers who attacked
94.23.4.70 not satisfied with the result of their attacks, they
launched a spoofed attack from the Internet but with OVH IP
It's a (nice) way to get through the safety features
and automatic limitations of the traffic in case of attack. Since the packet initiated by an IP on the Internet (wherever) spoofing
the source 94.23.4.70 and the port 80 arrived on a dedicated server's IP
with OVH. This server (which did not request) responded to 94.23.4.70
on the port 80 "I did not ask anything, cancel the connection. By
launching this spoofing a massive manner, hackers launched provoked
the attack made by the ovh network to a victim IP 94.23.4.70:80.
This attack of 500Mbps has been launched on Friday, the 25th at about 20h.

OVH analyses the internal traffic and detects attacks and
then intervenes to block attacks. We have detected that
less than 300 servers with OVH launched an attack to 94.23.4.70
and we have reboot it on the rescue mode to protect the network.


In this very particular case, we have a false positive, and we have
restart tonight all the servers in normal status.

To avoid this flaw, we put additional protection on the incoming trafic
toward our network from the Internet.
It is not possible to send us packets coming from Ip sources
that belong to us. It's blocked. So the problem is fixed.

We are sorry for this inconveniences.

Just for information, all the dedicated servers on our network and
connected to our switches have the same type of protections,
that means , on every port of each switch, there is an access-list
with IP's that can send the trafic. We cannot use them to spoofe and send
this kind of attacks to the OVH Network or to Internet.



Comment by OVH - Sunday, 27 February 2011, 14:23PM

Some servers are still in rescue. We are checking one by one
the servers and checking its boot parameters in case of necessity.