# How to prevent UDP attacks from OVH
So what if I block all of OVH's IPs?
Then report the IPs for DDoS
The accounts involved will be suspended if it was intentional.
Can I block the netblock of OVH? I got it here.
I'd only block abusive subnets
That list includes OVHcloud stuff,
not only customer ranges,
so it's more risky.
Just block them as they happen.
You can check which IP belongs to which range
and block the range.
Remember to report the IPs too.
This way it gets more expensive and harder for the attacker.
He will have to use resellers, and the resellers will blacklist him as they also get banned.
Eventually he is left with no means to gain OVHcloud services to use in attacks.
The reports also allow the abuse team to learn new types of attack traffic.
This will then get fingerprinted and added to the automatic suspension list eventually.
hmmm
So if I block both, what happens?
And where can I get OVH's DDoS IPs?
At worst your routing goes bad or you lose WAN. I guess it won't happen though. Just disable monitoring to avoid restarts.
tcpdump the attack traffic as it happens with an automatic script,
then view the IPs with Wireshark
from the dump file.
I will try blocking both, but when the worst happens, will the OVH team support me for free? Or do I have to pay to get it fixed?
You there?
If I block both, is my OVH VPS IP still good? Or do I need to leave that netblock out?
Just try it.
Remove it if it fails.
You can't really permanently ruin anything;
just reverse the changes if it fails.
yes
I only allow port 25565 (Minecraft) and block all.
But
I mean,
does it work when the attack is coming from OVH?
"OVH's anti-DDoS" will "not work" when "attacking from OVH".
I would assume that it includes all traffic, as those are public IPs too. You could also specifically add the offending subnets with an IPv4 rule if the above fails.
But I can only add up to 20 rules.
bruh
The "refuse IPv4" rule, can it prevent a UDP attack from OVH?
So I'll try to block some of OVH's netblocks.
i know
Set up automatic tcpdump.
I'll try to test it.
yes
This is what I use. https://github.com/Ikfes/AutomaticBashTCPDump
It's simple, and there's nothing extra.
The code is less than 20 lines and easy to audit, as long as you trust the packages it calls, such as "tcpdump".
It simply records x amount of network traffic in packets when the attack starts and is at its peak
and writes the record to a .pcap file.
Whichever one is the attacker, you can see with Wireshark.
It also shows the attack types if you know how to read it further.
20k?
You mean
20,000 KB = 20 MB?
Read the description on GitHub.
PPS,
as in network packets.
You wish to know the offending subnets, and that script is a tool to record any traffic during the attack to help you determine them.
It's not limited to OVH.
You can use it with any Linux and it can record any IP.
ok
But important:
whether "refuse IPv4" can prevent the attack from OVH or not is important.
The network firewall, will it work if DDoSed from OVH?
You can find all information in here 🙂
and you can always change the configurations and try different settings if something is not immediately working for you.
I tried and it's OK.
Can I ask you something?
Is there a way to let it remove optional IPs?
Like, I don't want it to capture IP 123.123.123.123.
That is irrelevant, as it only captures about 1 second or less during the attack.
20k packets are captured pretty fast if there's an ongoing attack.
You can edit the command though, and exclude or include only some stuff or protocols, if you check tcpdump command examples.
But I see no use in that myself.
Generally you'd browse to the middle of the file in Wireshark and look at what the most recurring stuff in the file is,
and ignore the rest to determine what the attack is about.
Ok
Hi @uneven agate
"Refuse Protocol IPv4" is to block all protocols like TCP, UDP, ICMP, AH, GRE, ESP, ..... right?
Please reply to me.
Correct
You can use that as priority 19
and set allow rules to priority 0-18
this way it only allows what you set to 0-18
and blocks everything else with 19 rule
Thank you so much.
No problem 🙂
Only 20 rules per IP are allowed for now.
This may or may not change in the future.
I do not know the reason myself, but if I had to guess, it has to do with performance. Your IP is not the only one that has rules on it; OVHcloud has millions of them, with a lot of rules on many, and these rules are mirrored across the globe.
You can make the best use of 20 rules fairly easily to achieve almost anything.
You don't need to make many block rules in general. One is enough.
Then have 19 rules for allowing whatever you need.
yes
I refuse all IPv4 at priority 19,
but the DDoS IPs will get in through what I accept.
Ex: IP 123.123.123.123 attacks port 25565 (I accepted port 25565),
and many other different IPs:
23.0000000
43.000000
...
How do I report OVH DDoS IPs?