
Somewhat ironically, the large French hosting provider OVH was one of the largest sources of our attack and also a victim of a large scale NTP amplification attack around the same time.

And their own semi-official ntp server supports monlist with a hefty response

    $ ntpdc -c monlist ntp0.ovh.net

    remote address          port local address      count m ver rstr avgint  lstint
    ===============================================================================
    10.x.x.246             123 213.251.128.249      515 3 2      0     12       0
    10.x.x.248             123 213.251.128.249      396 3 2      0      7       0
    10.x.x.245             123 213.251.128.249      104 3 2      0     10       0
    212-x-x-101.rev.pon   123 213.251.128.249   178326 3 4      0      0       0
    sw.178.x.x.248-n5.f   123 213.251.128.249       12 3 2      0     12       0
    proxy.ovh.net          46863 213.251.128.249   252113 3 3      0      0       0
    v1.ovh.net             50733 213.251.128.249     2443 3 3      0      0       0
    a2.ovh.net             44965 213.251.128.249  3394192 3 3      0      0       0
    cross.rfid.ovh.net     33352 213.251.128.249    11823 3 3      0      0       0
    10.x.x.176             123 213.251.128.249     1865 3 2      0      4       0
    gw6.ovh.net              123 213.251.128.249     1476 3 4      0      3       0
    sw.5.x.x.248-n5.fr   123 213.251.128.249      361 3 2      0      2       0
    b6.ovh.net             40862 213.251.128.249     1095 3 3      0      4       0
    10.x.x.245             123 213.251.128.249      164 3 2      0      6       0
    10.x.x.211            123 213.251.128.249   314567 3 2      0      4       0
    .
    .
    .
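
The raw exchange behind that `ntpdc -c monlist` output, as an added example that is not code from the thread or from OVH: a mode-7 `REQ_MON_GETLIST_1` request is 8 bytes, and each reply packet carries up to six 72-byte `info_monitor_1` items, so a server with a full monitor table answers with around 100 packets for one request. The script builds the request, parses reply packets into the same fields `ntpdc` prints (remote address, port, count, mode, version), and computes the bytes-out/bytes-in amplification. `build_monlist_response` only exists to construct an offline sample reply for testing; the function names are this example's own, and `probe_monlist` is the only part that touches the network.

```python
"""Mode-7 NTP monlist probe and amplification estimate (added example)."""
import socket
import struct

# Request header: R=0, M=0, version 2, mode 7 -> 0x17; auth/seq 0x00;
# implementation IMPL_XNTPD (3); request code REQ_MON_GETLIST_1 (42);
# then err/nitems and mbz/itemsize, both zero. Eight bytes on the wire.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])

REQ_LEN_HDR = 8      # mode-7 packet header length
MON_ITEM_SIZE = 72   # sizeof(struct info_monitor_1) in ntpd
RESP_BIT = 0x80      # set on replies
MORE_BIT = 0x40      # set on every reply packet except the last


def parse_monlist_response(pkt):
    """Parse one mode-7 reply. Returns (more, seq, entries)."""
    if len(pkt) < REQ_LEN_HDR:
        raise ValueError("short packet")
    rm_vn_mode, seq, _impl, _req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", pkt[:REQ_LEN_HDR])
    if (rm_vn_mode & 0x07) != 7 or not (rm_vn_mode & RESP_BIT):
        raise ValueError("not a mode-7 response")
    err = err_nitems >> 12
    nitems = err_nitems & 0x0FFF
    itemsize = mbz_itemsize & 0x0FFF
    if err:
        raise ValueError("server returned error code %d" % err)
    entries = []
    for i in range(nitems):
        item = pkt[REQ_LEN_HDR + i * itemsize: REQ_LEN_HDR + (i + 1) * itemsize]
        if len(item) < 32:
            break
        # lasttime/firsttime are intervals (seconds) since the last/first
        # packet seen from that client; ntpdc derives lstint/avgint from them.
        (lasttime, firsttime, restr, count, addr, _daddr, _flags,
         port, mode, version) = struct.unpack("!IIIIIIIHBB", item[:32])
        entries.append({
            "remote": socket.inet_ntoa(struct.pack("!I", addr)),
            "port": port,
            "count": count,
            "mode": mode,
            "version": version,
            "restrict": restr,
            "lstint": lasttime,
            "avgint": firsttime // count if count else 0,
        })
    return bool(rm_vn_mode & MORE_BIT), seq, entries


def amplification_factor(packets):
    """Bytes received over all reply packets divided by the 8-byte request."""
    return sum(len(p) for p in packets) / len(MONLIST_REQUEST)


def build_monlist_response(entries, seq=0, more=False):
    """Construct a reply packet the way ntpd would lay it out. Test input
    only (assumed/constructed data); a real server produces these."""
    flags = RESP_BIT | (MORE_BIT if more else 0) | 0x17
    hdr = struct.pack("!BBBBHH", flags, seq, 3, 42, len(entries), MON_ITEM_SIZE)
    body = b""
    for addr, port, count, mode, version in entries:
        raw_addr = struct.unpack("!I", socket.inet_aton(addr))[0]
        item = struct.pack("!IIIIIIIHBB", 0, 0, 0, count, raw_addr, 0, 0,
                           port, mode, version)
        body += item + b"\x00" * (MON_ITEM_SIZE - len(item))  # v6 fields zeroed
    return hdr + body


def probe_monlist(host, port=123, timeout=2.0):
    """Send one request and collect replies until the MORE bit clears or the
    socket times out. Only run this against hosts you are allowed to test."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    packets = []
    try:
        s.sendto(MONLIST_REQUEST, (host, port))
        while True:
            pkt, _ = s.recvfrom(1024)
            packets.append(pkt)
            if not parse_monlist_response(pkt)[0]:
                break
    except socket.timeout:
        pass  # a server with monlist disabled or noquery usually just drops us
    finally:
        s.close()
    return packets


if __name__ == "__main__":
    import sys
    pkts = probe_monlist(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    total = sum(len(parse_monlist_response(p)[2]) for p in pkts)
    print("%d reply packets, %d entries, amplification x%.1f"
          % (len(pkts), total, amplification_factor(pkts) if pkts else 0))
```

A server that answers with 100 packets of 440 bytes (8-byte header plus six 72-byte items) returns roughly 44 kB for an 8-byte request, which is the ratio that makes spoofed monlist queries attractive. On the server side the response goes away with `disable monitor` in `ntp.conf`, or by refusing mode-7 queries altogether with `restrict default kod nomodify notrap nopeer noquery`; ntpd 4.2.7p26 and later no longer honour monlist at all.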


I have a server hosted with OVH; they actually sent me a message a week or so ago advising me that my server was running a vulnerable version of NTP so that I could update it. I think they were even going to update it for me, but I went ahead and updated it myself anyway.

This was at least a week before the news of the big DDoS attack this week, so I'm surprised their own servers still had the vulnerable config/versions.


I have a server with OVH, but frankly I'm considering moving elsewhere after we've now been repeatedly hit by DOS from servers at OVH. It's a fairly low-grade, primitive SYN-flood attack that we easily knock back within minutes; each time, the attacker moves elsewhere (clearly he does not have access to many server resources, or he might have actually managed to muster enough simultaneous resources to do some damage; he's right this minute wasting resources getting a SYN-flood from some no-name Russian hosting provider dropped by our firewall at a low enough rate that I can keep an eye on it live with tcpdump).

But while our colo provider was extremely responsive and started calling OVH and the other providers right away, and I also emailed evidence to OVH repeatedly, we were met with total silence. The other providers reacted quickly. OVH let the servers continue to hammer us for days.

I'm seriously considering just dropping all their net blocks in our firewalls. We have next to no legitimate traffic originating there anyway.


FWIW large portions of ovh.com have been blackholed on my web server for persistent Wordpress comment spam to hosted sites.

Unfortunately, I can't blackhole their traffic on mail services, because IIRC some open source mailing lists use them.

OVH is not my favorite network.


They either turned it off or you are on the right side of a firewall ruleset.

PS: Why did you "X.X" out IPs from a RFC1918 address space?


Well, we're definitely not on a net block that OVH ought to give access to monlist:

    $ ntpdc -c monlist ntp0.ovh.net | wc -l
    602

Yikes.


Snort has detected the following against my server lately:

  EXPLOIT ntpdx overflow attempt



