Cloudflare Names OVH and Hetzner as Origins of DDOS Attack

Comments

  • That certainly is news to me

  • OVH used for DDoS??? NO WAY

  • Shot2 Member

    @szymonp said:
    OVH used for DDoS??? NO ROUTE

    FYP

  • Donkey Member

    No surprise about ovh 🤣

  • yeah what about it is surprising
    Everyone knows that OVH and Hetzner are shit at abuse and everyone DDoSes the whole internet with them.

  • risharde Patron Provider, Veteran

    Strange that they don't have outgoing hardware to keep an eye on potential abuses.

  • mhn Member
    edited June 2022

    @risharde said:
    Strange that they don't have outgoing hardware to keep an eye on potential abuses.

    They keep an eye on potential abuses. But they block more legitimate traffic than abuse.

  • SplitIce Member, Host Rep

    Hetzner surprises me, they have always been quick to whack senders I've reported (with GMT timestamps, IPs and usually pcaps/flows).

    OVH, on the other hand, I've never heard back from... and they allow spoofing in certain locations.

  • AXYZE Member

    @SplitIce said:
    Hetzner surprises me, they have always been quick to whack senders I've reported (with GMT timestamps, IPs and usually pcaps/flows).

    OVH, on the other hand, I've never heard back from... and they allow spoofing in certain locations.

    Which ASNs are the most problematic for you?

  • SplitIce Member, Host Rep

    @AXYZE said:
    Which ASNs are the most problematic for you?

    The ones that don't respond to abuse reports and/or allow spoofing (those are particularly hard to identify out of IX). And then those in more expensive regions that do either of those.

    But sorry, I'm not providing that in a list for potential attackers.

  • sots Member
    edited June 2022

    [deleted]

  • JasonM Member

    I understand OVH to be one of the major origins of spam, DDoS, abuse etc. Nothing new in that. Everyone knows it.
    But Hetzner?

  • Levi Member

    Many providers do not utilize proactive measures against abuse. If you lease a server with a GigE pipe and stay within that limit, why should they care? If they did care, then we would be in a lot of trouble with privacy, because DPI is not good for business...

  • Everyone knows about OVH; we are in the same market, and our email boxes are filled with their IPs all day, but I do not think Hetzner is one of the abusers here. They have really proactive measures to keep the bad guys out and they always reply to my abuse requests, in comparison to OVH. Sometimes I feel bad for people self-hosting OpenVPN with OVH, captchas all day 100% xD. About what @SplitIce said, I have seen some CAIDA reports about it but never experienced it with my own eyes... so yeah..

  • stefeman Member
    edited July 2022

    Cloudflare is well protected even against multiple terabits per second UDP floods.

    The only way for the attacker to forcefully take down the website is to load the webserver origin over the CDN with legitimate uncached requests, as a pure L4 flood would never reach the origin servers of the website.

    So the only way left is to use L7 attacks, or legitimate HTTP/HTTPS requests to spam the site.

    There are 2 ways to do it.

    1. Using infected computers and their networks. (botnets)
    2. Using a dedicated server(s) with huge proxylists. (dedicated resources via proxies)

    Apparently, in this case, the attackers were using the second option.

    Luckily for us, the amount of public proxies available has gone down by 90% since the pandemic and the Ukraine war.

    Unluckily for us, due to this, all paid proxy seller websites have moved to "rotating proxies" or "datacenter proxies", which is basically a gateway IP to a backend service that uses a random IP at every request via the gateway proxy. (Harder for the IPs to leak and get blacklisted by everyone.)

    OVH is generally the most popular choice for these proxy providers due to "free" IP costs after activation.

    This is also why most of the L7 DDoS attacks which Cloudflare sees are from OVH IPs. These are all proxy IPs or infected servers.

    Also, here is another worrying trend which can be integrated into attacks. https://github.com/QIN2DIM/hcaptcha-challenger

  • Levi Member
    edited July 2022

    @stefeman said:
    Cloudflare is well protected even against multiple terabits per second UDP floods.

    The only way for the attacker to forcefully take down the website is to load the webserver with legitimate requests, as a pure L4 flood will never reach the origin servers.

    So the only way left is to use L7 attacks, or legitimate HTTP/HTTPS requests to spam the site.

    There are 2 ways to do it.

    1. Using infected computers and their networks. (botnets)
    2. Using a dedicated server(s) with huge proxylists. (Dedicated resources via proxies)

    Apparently, in this case, the attackers were using the second option.

    Luckily for us, the amount of public proxies available has gone down by 90% since the pandemic and the Ukraine war.

    Unluckily for us, due to this, all paid proxy seller websites have moved to "rotating proxies" or "datacenter proxies", which is basically a gateway IP to a backend service that uses a random IP at every request via the gateway proxy.

    OVH is generally the most popular choice for these proxy providers due to "free" IP costs after activation.

    This is also why most of the L7 DDoS attacks which Cloudflare sees are from OVH IPs. These are all proxy IPs or infected servers.

    News from the proxy world: https://krebsonsecurity.com/2022/06/meet-the-administrators-of-the-rsocks-proxy-botnet/ + related: https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/

    So CF has a massive headache differentiating traffic without overblocking the legitimate part. How to do this when ultra-massive lists of residential IPs are used... it is beyond my imagination.
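
The cache-busting L7 pattern stefeman describes above (legitimate-looking, uncached requests pushed through the CDN to the origin) and the overblocking concern Levi raises are illustrated below in an added example. It is not code from either poster, from Cloudflare, or from any provider named in the thread. It is a small Python analysis of an origin access log sitting behind a CDN: it groups requests by the CF-Connecting-IP header (the socket peer, $remote_addr, is the CDN edge, so grouping by that would flag the CDN itself), then flags a source only when a request burst coincides with mostly-unique query strings against the same paths. A busy NAT refetching one cached asset at the same rate is deliberately not flagged. The nginx-style log format, the timestamps, the thresholds, the prefixes (RFC 5737 documentation ranges) and the ASN labels (private-use ASNs) are all constructed for the example.

```python
"""Flag cache-busting L7 flood sources in an origin access log behind a CDN.

Constructed example. Log lines follow a hypothetical nginx log_format:
  '$remote_addr "$http_cf_connecting_ip" [$time_local] "$request" $status'
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r'^(?P<edge>\S+) "(?P<client>[^"]*)" \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})$'
)

# Hypothetical prefix -> ASN labels; real deployments would use an IP-to-ASN feed.
ASN_MAP = {
    ipaddress.ip_network("203.0.113.0/24"): "AS64500 (example hosting provider)",
    ipaddress.ip_network("192.0.2.0/24"): "AS64501 (example residential ISP)",
}


def asn_label(ip):
    addr = ipaddress.ip_address(ip)
    for net, label in ASN_MAP.items():
        if addr in net:
            return label
    return "unknown"


def parse(log_text):
    """Return (client_ip, timestamp, path, query) tuples; unparsable lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        parts = urlsplit(m["target"])
        # Behind a CDN the real client is in CF-Connecting-IP; fall back to the peer.
        client = m["client"] or m["edge"]
        events.append((client, ts, parts.path, parts.query))
    return events


def peak_in_window(timestamps, window):
    """Largest number of events falling inside any sliding window of the given length."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(log_text, window_seconds=10, min_burst=10, min_unique_query_ratio=0.8):
    """Flag IPs that both burst and cache-bust; either signal alone is not enough."""
    by_ip = defaultdict(list)
    for client, ts, path, query in parse(log_text):
        by_ip[client].append((ts, path, query))
    flagged, window = {}, timedelta(seconds=window_seconds)
    for ip, reqs in by_ip.items():
        burst = peak_in_window([r[0] for r in reqs], window)
        # Distinct non-empty (path, query) pairs: many per path means cache busting.
        distinct = {(p, q) for _, p, q in reqs if q}
        ratio = len(distinct) / len(reqs)
        if burst >= min_burst and ratio >= min_unique_query_ratio:
            flagged[ip] = {
                "requests": len(reqs),
                "peak_burst": burst,
                "unique_query_ratio": round(ratio, 2),
                "paths": sorted({p for _, p, _ in reqs}),
                "asn": asn_label(ip),
            }
    return flagged


def _line(edge, client, t, target, status=200):
    """Build one constructed log line (not real traffic)."""
    return f'{edge} "{client}" [{t:%d/%b/%Y:%H:%M:%S %z}] "GET {target} HTTP/1.1" {status}'


_T0 = datetime(2022, 7, 12, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = "\n".join(
    # Cache-busting flood: 12 hits in ~6 s, a fresh ?cb= value on every request.
    [_line("198.51.100.10", "203.0.113.7", _T0 + timedelta(milliseconds=500 * i),
           f"/news?cb={i:04x}") for i in range(12)]
    # Busy but legitimate NAT: same rate, but always the same cacheable asset.
    + [_line("198.51.100.11", "192.0.2.50", _T0 + timedelta(milliseconds=500 * i),
             "/static/app.js?v=3") for i in range(12)]
    # Same hoster, a few cache-busted hits spread out: below the burst threshold.
    + [_line("198.51.100.10", "203.0.113.8", _T0 + timedelta(seconds=30 * i),
             f"/news?cb={i}") for i in range(3)]
)

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are knobs, not recommendations; the point is the AND of two signals. Rate alone would have banned the NAT address, and query-string entropy alone would flag a search box, which is the overblocking problem Levi describes. On a real origin you would feed this the actual log format and a real prefix-to-ASN source, and treat the output as a candidate list for a challenge or rate-limit rule rather than an automatic block.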

  • Arkas Moderator

    OVH I understand, but Hetzner not so much. As others have mentioned, they respond very fast when you report an abuse originating from them. Oh well, you learn something new everyday.
