OVH will shut down your server if an abuse report is received.
I learned something new about OVH...
On Christmas Eve, one of our servers received an abuse report (typical for a hosting provider).
We typically action these reports within a couple of hours, but it seems now that OVH will immediately reboot your server into rescue mode once an abuse report is created.
I've never heard of any host performing this action other than suspending the network port.
I'm glad we're moving our services off their network.
Here's an extract from their support team:
The server will be rebooted into rescue mode if any abuse cases are reported. The abuse team will first reboot the server into rescue mode then email the customer to take necessary action to repair the server.
The abuse team will not request any permission from the customer to reboot the server into rescue mode if the server is reported for abuse cases.
TLDR: OVH will reboot your servers when they feel like it.
Comments
As far as I do understand this, your server was infected with malware or similar.
I would have shot it in the face too.
OVH instead does put it into rescue.
May be worth checking your customer accounts for malware... and signs of intrusion before OVH acts.
That's what support tells you when you got hit with an amplified DDoS attack and someone sends a portscan abuse. I've had it happen quite a few times now, with different hosting providers.
What, no fucking way, makes no sense.
Except, your service can actually be used for an amplification attack when ddosed.
"Amplified" nodes can complain, I've had it happen before.
Some university in USA was hosting a shitty DNS service and complained that "I" portscanned their network or some shit.
There are quite a few DDoS attack methods that can result in server suspension for "abuse" on popular hosting providers. It's wild shit but yeah, nothing we can really do as long as providers are clueless on attack vectors and treat "abuse" reports like a big thing.
Yeah no.
When I used OVH they at most nulled the IP. Never touched the server.
Isn't it common knowledge never to use OVH for production?
Possibly a new policy, they did say it happened around Christmas.
Do they even check the report if it's true or not?
"We have a new abuse case, make it into rescue mode and let's wait for the customer's reply."
They offer pretty good value outside of that
It makes plenty of sense, we actually deal with this quite often from the dipshits @ Hetzner. They have an automated abuse system, all someone has to do is spoof your IPs, and Hetzner will automatically respond with a "portscan/flood" notice to your abuse contact.
There was even one "stresser/booter" website that incorporated "abuse reports" as a DoS vector. They intentionally spoofed the victim IP toward Hetzner's network to generate multiple false positive abuse reports toward your ISP's abuse contacts, with the intent to have your ISP nullroute the victim address. (the website has since been seized by FBI)
I tried to address this with Hetzner months ago, but I'm not sure it's possible to reach any qualified employee at their company, you just get the level 1 tech support who aren't qualified to use a crayon.
I did a full write up on this here: https://lowendtalk.com/discussion/180973/prager-it-stefan-prager-absence-and-a-new-dos-vector-brought-to-you-by-hetzner
Just finished reading that. Pretty crazy situation, thanks for sharing and writing it up.
That's always been the case for us. I guess not anymore.
Decentralized internet, when?
Virtual Server Will Be Rebooted
..and how to clean/remove malware/infected files if OVH shuts down customer's server?
It is not shut down. Only rebooted to rescue mode. Happened to me once a long time ago without any warning or notification.
Rescue mode can mount your server data and do the investigation into issue.
Okay but that is a logic error, if you code that, into your abuse detection.
The IP comes from the outside but it's within your network, that doesn't make sense, if the machine itself does not send any traffic that way.
I think you're misunderstanding what the original comment you replied to was saying. They were referencing reflection attacks, which is when an attacker spoofs the victim IP toward a service, to receive an amplified response toward the victim IP.
So to loop back to my Hetzner example, spoof multiple IPs that belong to Hetzner's ASN toward a public facing UDP service, eg. DNS, NTP, SRCDS, etc, and those legitimate services will respond to Hetzner's IPs, which would result in them sending an automated abuse complaint to your ISP. (even though there's not much you can do to prevent these types of attacks, as your public facing UDP services believe they are responding to a legitimate request from the victim IPs.)
This is super common with Valve/Source engine games.
Well that will do all of absolutely nothing to halt the real abuse in their network right now. The real abuse is coming from people spinning up cloud servers, spamming, deleting the server, and repeating. By the time the complaints roll in, that server is long gone. So if they're cracking down harder to tackle the real problems, this misses the mark completely.
Of course it does.
Requesting ID, maybe I would send, but also MY picture holding it?
That being said, I can understand automation in large providers as well as being gamed for a kind of "SWATing" type of DoS, i.e. force an automated abuse report in order to create an automated rescue mode.
This can only be solved by having smarter people coding the automation and, better yet, any kind of people with half a brain to see those reports and act only in case they hold water.
In many years this never happened to me, though.
I didn't read the whole post again.
But still, they didn't seem to keep in mind, that the abuse system based on that, could be exploited.
Welcome to the world.
You can't decide the source IP reliably with UDP. People should only report abuses on TCP which with 3-way handshaking effectively eliminates spoofed IP addresses.
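
Added example, not part of the thread: a Python triage of abuse-report evidence that applies the point in the last comment, treating a source address as proven only when the reported IP acknowledged the reporter's SYN-ACK sequence number, and flagging UDP packets that leave the default ports of the services named above (DNS, NTP, SRCDS) as possible reflection. The record layout, the `pkt` and `triage` names and the sample addresses are constructed for illustration.

```python
# Default UDP ports of the services named in the thread: DNS, NTP, SRCDS.
REFLECTOR_PORTS = {53, 123, 27015}

def pkt(proto, src, sport, dst, dport, flags=(), seq=0, ack=0):
    """Build one constructed capture record (hypothetical layout)."""
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                flags=set(flags), seq=seq, ack=ack)

def triage(packets, reported_ip):
    """Return the strongest verdict the reporter's capture supports."""
    synack_seq = {}  # (client, cport, server, sport) -> sequence number of SYN-ACK
    verdicts = set()
    for p in packets:
        if p["proto"] == "UDP":
            if p["src"] == reported_ip:
                # Traffic leaving a service port is a reply; the request that
                # caused it may have carried a forged source address.
                verdicts.add("reflection-suspect"
                             if p["sport"] in REFLECTOR_PORTS else "unverified")
            continue
        if p["dst"] == reported_ip and p["flags"] == {"SYN", "ACK"}:
            synack_seq[(p["dst"], p["dport"], p["src"], p["sport"])] = p["seq"]
        elif p["src"] == reported_ip:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            # Only a host that really received the SYN-ACK knows seq + 1.
            proven = (key in synack_seq
                      and "ACK" in p["flags"] and "SYN" not in p["flags"]
                      and p["ack"] == (synack_seq[key] + 1) % 2**32)
            verdicts.add("verified" if proven else "unverified")
    for verdict in ("verified", "reflection-suspect", "unverified"):
        if verdict in verdicts:
            return verdict
    return "no-evidence"

# Constructed sample captures (documentation address ranges).
ME, SENSOR = "203.0.113.7", "198.51.100.10"
SYN_ONLY = [pkt("TCP", ME, 40001, SENSOR, 22, ["SYN"], seq=100),
            pkt("TCP", SENSOR, 22, ME, 40001, ["SYN", "ACK"], seq=7000, ack=101)]
HANDSHAKE = SYN_ONLY + [pkt("TCP", ME, 40001, SENSOR, 22, ["ACK"], seq=101, ack=7001)]
REFLECTED = [pkt("UDP", ME, 27015, SENSOR, 51000)]

if __name__ == "__main__":
    for name, capture in [("SYN only", SYN_ONLY), ("handshake", HANDSHAKE),
                          ("UDP from service port", REFLECTED)]:
        print(f"{name}: {triage(capture, ME)}")
```

A report whose evidence never rises above `unverified` or `reflection-suspect` needs corroboration from the reported host's own flow logs before anyone acts on it.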