Re: [tor-relays] OVH Mitigation

Subject: Re: [tor-relays] OVH Mitigation

From: Ben Tasker <ben@xxxxxxxxxxxxxxx>

Date: Thu, 10 Sep 2020 08:58:40 +0100

Delivery-date: Thu, 10 Sep 2020 06:17:01 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bentasker.co.uk; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=xcNE6gHnS4O2qUaiEe5MgpDyoav126NWB7irtDVM2x4=; b=PTDtrDIDl0LbysNE1Xid1bwzSKibcMPUmbn/XYFwjcM/Pe7LHLHvenDfwAa8vlAw08 6Qw24IDbkcp9EAmBhXVbWd+xZ7+k+FApFA5v/vrTn2Yg5FjtzSMXZXH1ubWNDxGyg6NH mk7V1dfmHK9wCItWpGAvXmwsBReVBvJ5Qu7Yw=

In-reply-to: <006901d68698$784ab040$68e010c0$@bulger.co.uk>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays $exit, non-exit, bridge$" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <006901d68698$784ab040$68e010c0$@bulger.co.uk>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On Thu, Sep 10, 2020 at 8:48 AM Dr Gerard Bulger <gerard@xxxxxxxxxxxx> wrote:

I know we should dilute our dependence on OVH, but cheap and seem to ignore the fact the machine is an exit node.

OVH has a seemingly patented a system to deal with denial of service attacks. I am not sure what they detect but when they do we get this:

“We have just detected an attack on IP address x.x.x.x. In order to protect your infrastructure, we vacuumed up your traffic onto our mitigation infrastructure. The entire attack will thus be filtered by our infrastructure, and only legitimate traffic will reach your servers. At the end of the attack, your infrastructure will be immediately withdrawn from the mitigation”

I have a server (not a relay) with OVH, and also started receiving these recently. I raised a ticket with them to ask for more information about the detected attack (what port/proto etc) because there are legitimate uses that may look a bit like an attack (the boxes sit behind a CDN, so you can end up with a lot of requests/connections from not may IPs)

Worryingly, they couldn't actually tell me - all I managed to get back was "looks like it's a false positive". It's triggered a few times since, with no sign of anything even remotely suspicious in my traffic graphs.

I know this doesn't really add much knowledge about what they're detecting, but the point is more that they don't seem to be overly clear themselves

Ben Tasker
https://www.bentasker.co.uk

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:

[tor-relays] OVH Mitigation
- From: Dr Gerard Bulger