BuyVM incompetent DDoS protection setup
There is an issue with BuyVM, where traffic destined to protected subnets, from within the LAN, will skip past filtering. This means that sufficient SYN traffic can lead to your server becoming unusable. It doesn't matter what provider, skids will compromise a host for this.
Nearly all of the LET providers have a similar issue and it doesn't matter if there are filters set up on path.net/voxility's side. This is what efnet skids are abusing and I'd like to see it resolved. Easiest fix, of course, would be to force traffic destined to the subnets through the WAN.
Better solution, though, would be an isolated VLAN per host, for the DDoS protected IPs, where all traffic must pass through the WAN.
Oh, right, BuyVM has an awful path.net setup, where SYNPROXY doesn't establish connections properly... heh. OVH? Nope, skids just spoof the source address to be that of an OVH monitoring host.
Comments
Why do you expect a LAN to be filtered by the provider? Just use firewall rules.
Oh, an EFnetizen!
Uh, this will not work when the connection backlog is being filled to the brim. What if they compromise 2 hosts within the LAN to saturate the 1gbit/s link, too, with UDP traffic?
It doesn't matter if there are netfilter rules, you do realise?
The tiny one is persistent, gotta give him/her/them/weaselself credit where credit is due.
DDoS protection is a scam anyway. Just apply some of my specially formulated snake oil to the port and it will be filtered.
Paid DDOS Protection is lame, I just put a coffee filter over each network connection and call it a day. Filters pretty well.
Weasel, if you know so much make your own hosting // DDoS protection company or something, show 'em how it's done
Hi tiny kunju
Hello to you too Weasel.
lmao wonder how many know the meaning of that
You do? Nice.
I feel like LET could offer a training model for an AI from this douche.
Sooner or later those s and d words would come out
What is the benefit of singling out Francisco then?
More VLANs does not scale for VMs and would eat up more IPs at a quicker rate, forcing Francisco to charge higher prices.
Those animals are no joke. I had one attack me, probably with rabies. That shit came out of nowhere and jumped on me. Trying to get that thing off is crazy. Even if you are manly enough, your inner non-existent woman starts to surface and starts screaming, especially if your soul was at peace when it happened. Holy shit man
Back in the day I'd have DDOS attacks on OVH from inside of the network, mitigation wouldn't work. It's definitely one of those things that will drive you to the end of your sanity, even though completely understandable that local traffic isn't routed outside and then back.
It’s still a thing at OVH, though maybe the GAME lineup addresses it. They talked about changing their routing many years ago to scrub inter server traffic but I’m sure they realized quickly that they do probably Tbits of internal traffic due to all the seed boxes.
Internal floods suck and for the time being we just have users send pcaps and we suspend quickly if we can verify it. People don’t like pissing away lots of cash to get a couple floods popped off.
Still, I think we will have a solution for this in the new year. We are almost certainly going to offer some “best effort on-net” mitigation at either no cost to all users, or do a very very small increase to all plans ($0.25/m to $1.00/m depending on plan size). Along with that will come a rebuild of how IPs are routed to the nodes. That change will make it that IPs in mitigation mode will be routed through our mitigation appliances, even for internal traffic.
Francisco
Use more IPs? LOL, you can just do an interface route, if you must, to reuse the same gateway IP over VLANs. Just filter out ARP, etc., traffic, too. You could definitely limit the VLAN's scope to the guest and the hypervisor host as well. This is clearly a half-arsed setup.
Well, that's Fran told!
Now go on, implement it at scale, make it work with existing automation, and consider nothing else, by tomorrow if possible! Oh, and don't you disrupt any customers!
Would you like a GUI with that, Virtualizor/SolusVM user?
I think another possible way to address it (although this would have obvious issues) would be to just allow customers to block all internal traffic entirely, minus any specific IPs they'd like to whitelist.
@ehhthing They can, in the OS firewall...
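What "block all internal traffic minus a whitelist, in the OS firewall" looks like in practice, as an added example that is not part of any post in this thread: a POSIX shell function that generates an nftables ruleset dropping everything from the provider's internal range except whitelisted internal peers, with a SYN rate cap on the whitelisted peers so a compromised neighbour cannot fill the backlog through the allow-list. The LAN range, the whitelist and the table/set names are hypothetical values chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: emit an nftables ruleset that drops
# everything arriving from the provider's internal (LAN) range except
# whitelisted internal peers, and caps new-connection SYNs even from those
# peers before they reach the TCP backlog. All addresses are hypothetical.
#
# Usage: gen_ruleset <lan-cidr> "<space separated whitelist>" | nft -f -

gen_ruleset() {
    lan_net="$1"      # internal range as announced by the provider (hypothetical)
    whitelist="$2"    # internal IPs allowed through (may be empty)

    printf 'table inet lan_guard {\n'
    printf '  set lan_allow {\n'
    printf '    type ipv4_addr\n'
    if [ -n "$whitelist" ]; then
        printf '    elements = { '
        first=1
        for ip in $whitelist; do
            if [ "$first" -eq 1 ]; then
                printf '%s' "$ip"
                first=0
            else
                printf ', %s' "$ip"
            fi
        done
        printf ' }\n'
    fi
    printf '  }\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    # Replies to connections this host itself opened stay allowed.
    printf '    ct state established,related accept\n'
    # Whitelisted peers: cap fresh SYNs (SYN set, ACK clear) before they hit the backlog.
    printf '    ip saddr @lan_allow tcp flags & (syn|ack) == syn limit rate over 50/second counter drop\n'
    # Whitelisted peers may otherwise talk to this host.
    printf '    ip saddr @lan_allow accept\n'
    # Everything else from the LAN is dropped; the WAN path is untouched.
    printf '    ip saddr %s counter drop\n' "$lan_net"
    printf '  }\n'
    printf '}\n'
}

# Demonstration with constructed values; pipe the output into `nft -f -` to apply.
gen_ruleset 10.0.0.0/8 "10.1.2.3 10.1.2.4"
```

The counters on the drop rules are there so `nft list table inet lan_guard` shows whether a LAN flood is actually hitting the host, which is the kind of evidence a pcap request from the provider would be looking for. As the thread itself points out, this only helps with packets that reach the host: it does nothing about a saturated uplink, and it does not change the provider's routing, which is the OP's actual complaint.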
Why are you repeating this nonsense? It's obvious that netfilter will not help here. You do not seem to understand this, who is your handler?
If you know how to do it right and know which provider does, what are you getting from bitching about it here?
I am here to make a point about BuyVM having a shitty setup and while I have found a suitable host that has been able to cater to my needs for slightly more than what I was paying at BuyVM, this must be annoying for others.
LowEndTards
Something is better than nothing, especially with the latest in XDP/eBPF in Linux these days.
I'm not the one spouting off insults bro, nor do I complain to the public about a provider's network. @Francisco responded, now please move on.
>just accept it
>cope and seethe
>give us your money oy vey
>repeating shit that corey ray barnhill says, doesn't realise that volumetric attacks will make this all useless
So, instead of reaching out in a support case or DMing Francisco with feedback on how to make his platform better, you decided it was much better to bitch about it in an attempt to drag his name through the mud.
Your point is taken either way, but given the presentation here, I highly doubt it will be given any priority.