Smaug, the brand new OVHcloud backbone network infrastructure (opens in new tab)

(ovh.com)

59 pointssm2i5y ago31 comments

31 comments

29 comments · 8 top-level

eric4smith5y ago· 8 in thread

OVH Hardware, support and pricing is GREAT! Buuuuutttttt...

Their firewall situation is not. Guess what, if you use the supplied firewall, any server from any other customer in the local NOC that your server is in, can connect to your server. They seem to be all "safely" behind the OVH firewall product.

You have to protect each server individually with its own in-machine firewall.

I don't want to automatically trust all other OVH customers.

At first I thought I was doing something wrong (more than a decade of setting up firewalls). But I did put in a support ticket and they confirmed this.

Maybe I'm wrong, maybe something I did not understand, but damn... If I'm not.... :-(

Avamander5y ago

> You have to protect each server individually with its own in-machine firewall.

That's the standard practice?

OVH's own firewall is for DDoS/DoS protection, not for fine-grained security, did I understand OVH's information incorrectly?

justinclift5y ago

Ouch. That probably means there's a metric shit tonne of VMs running Docker with open ports in their data centres.

Saying that because (by default) Docker screws with firewall rules on the VM when it starts up, to allow other hosts to communicate with the containers.

In other hosting environments, the workaround is to apply firewall rules to your VMs using the hosting infrastructure capabilities. eg separate to the iptables (etc) rules on each host

dylz5y ago

Yes. There are two different products: VAC, which is for DDoS protection, and general SDN firewall/security groups which is only OVHcloud (not dedicated servers).

In the most general case, it seems other customers can actually send DDoS/volumetric traffic toward you from within OVH and it doesn't get picked up.

jaywalk5y ago

That's not really even a firewall issue, just a very poorly configured network. Pretty shameful for a provider of their size.

KingOfCoders5y ago

Because I was thinking about OVHCloud, they dont have an VPN with private IPs? And load balancers like AWS/Digital Ocean?

drchiu5y ago

Can this be mitigated by using something like ufw and restricting the IP access?

dawnerd5y ago

Unless you use docker, then it doesn't really matter. Really have to make sure your docker containers are not exposing ports they shouldnt be.

1 more reply

brian_herman__5y ago

That is what the OP said to do in his post.

justinclift5y ago· 7 in thread

Just a reminder, from Wikipedia (https://en.wikipedia.org/wiki/OVH#Email_spam):

  As of November 2019, OVH is listed by The Spamhaus Project as the world's
  second worst Internet service provider for the proliferation of unsolicited bulk E-Mail

https://www.spamhaus.org/sbl/listings/ovh.net

Looking at the same list now, it recently seems to have added fraud, and many malware distribution entries too.

r1ch5y ago

This is like saying Google is the search engine with the most links to malware pages. 36 IPs is nothing given how big ovh is.

justinclift5y ago

Those entries aren't all singular IP addresses. Some are ranges (etc).

Picking one at random:

https://www.spamhaus.org/sbl/query/SBL492369

That's showing a fair number of IPs.

WarOnPrivacy5y ago

I can't speak to reports but I can testify about server logs. OVH IPs have been a top source of spam and attacks against my (US) (<10) servers for most of a decade. I'd add Digital Ocean to round out the top 2 list.

If a firewall goes offline for 60 seconds, I will get hammered from OVH/DO networks. Not exclusively but they're the standout kings. Just think Psychz networks, but scaled up.

I know OVH's size plays into that. But size here is less about the number of net blocks and more about their bureaucratic disinterest in abuse (common to larger hosts, inc hosts I like).

There are comparable sized hosts in the US (AWS, Azure) but when it comes to crapty traffic, OVH makes them look small and insignificant[1].

Unlike moderation at scale, known attacks are often qualifiable, detectable patterns. Can we please care enough to notice & maybe eventually, one day interrupt them?

[1]disclaimer: Spam from Google/Azure & malicious SMTP traffic from AWS totally dominated the first ½ of this year. IDK why. It's since died off - which differentiates them from OVH/DO.

intev5y ago

Is this the list you are referring to? https://www.spamhaus.org/statistics/networks/

Seems like OVH is not on it anymore.

justinclift5y ago

Cool. Sounds like they've put good effort into cleaning things up then. :)

speedgoose5y ago

It's the biggest European cloud provider.

bzb45y ago

That’s good, it means they won’t bother me about whatever I choose to host. Thanks for your recommendation!

cerberusgr5y ago· 3 in thread

I had the worst experience from a vps/dedicated hosting provider with OVH few years back, long story short I had a dedicated server with software raid, after a month, one of the disks failed I gave them all the details SN of the disk at fault etc, but apparently the removed the good disk and I lost the server, I asked them to put it back and they told me they had destroyed it, luckily I had backup. Lastly I asked for a refund they didn’t give anything back.

I moved to hetzner immediately, and I haven’t had such issues till today.

I know that you can’t expect much from cheap providers but OVH is extremely unprofessional in my experience.

imperialdrive5y ago

Amazon did about the same exact thing to me a while back, so you're not alone and it's not just cheap hosts that make that mistake as we spent 10k/mo on support alone. (AWS had EBS silently fail which is awful enough but then restored data from the 'bad leg' of the system and lost all. To this day I've never trusted them again - maybe I should get over it but, would you?

jjeaff5y ago

I can't imagine that any of the ebs recovery isn't fully automated now, if it wasn't then.

tluyben25y ago

Guess you were unlucky; I host with them since 2004 and it has been good with 100s of servers.

rubatuga5y ago· 1 in thread

Notice how there’s no info on IPv6. That’s because OVH has horrible support for IPv6 and requires non standard routes to be set because they don’t support router advertisements. They also rely on ND packets and not static routing for IPv6, and also block outgoing IPv6 packets if an incoming IPv6 address has not been established. I would avoid OVH.

stingraycharles5y ago

You’re being downvoted, but a hosting provider redesigning their core network infrastructure in 2020 without proper IPv6 support is really bad imho.

It’s unacceptable that all these (cloud) hosting providers collectively make ISPs look good.

jermier5y ago· 1 in thread

I miss OVH's old control panel. It was so nerdy and to-the-point, unlike their newer modern interface that heats up my CPU with boatloads of javascript, and adopts the 'flat' design pattern that has now permeated every site in existence.

jmnicolas5y ago

Yeah it seems every time I log in something has changed ...

netman215y ago· 1 in thread

What they describe sounds to me exactly like standard architecture for combining PoPs and peering with backbone providers. What am I missing?

cerberusgr5y ago

Nothing really, they were on worse designs for years and they came to a point that it couldn’t scale, so they had to come up with a new proper design

johnklos5y ago

OVH is an absolutely shitty company. I've seen a tremendous uptick of spam from OVH that they're happy to simply ignore. The same kind of spam using the same content, the same registration patterns and the same template have existed on their networks for many months in spite of constant abuse complaints.

I can't imagine why anyone would want to run anything on the same networks that OVH uses to host spammers and scammers.

And good luck talking to an actual human at OVH if something goes wrong.

sm2iOP5y ago

and their APAC backbone: http://weathermap.ovh.net/#apac with Singapore somewhat migrated to the new architecture

j / k navigate · click thread line to collapse

31 comments

29 comments · 8 top-level

eric4smith5y ago· 8 in thread

OVH Hardware, support and pricing is GREAT! Buuuuutttttt...

You have to protect each server individually with its own in-machine firewall.

I don't want to automatically trust all other OVH customers.

At first I thought I was doing something wrong (more than a decade of setting up firewalls). But I did put in a support ticket and they confirmed this.

Maybe I'm wrong, maybe something I did not understand, but damn... If I'm not.... :-(

Avamander5y ago

> You have to protect each server individually with its own in-machine firewall.

That's the standard practice?

OVH's own firewall is for DDoS/DoS protection, not for fine-grained security, did I understand OVH's information incorrectly?

justinclift5y ago

Ouch. That probably means there's a metric shit tonne of VMs running Docker with open ports in their data centres.

Saying that because (by default) Docker screws with firewall rules on the VM when it starts up, to allow other hosts to communicate with the containers.

In other hosting environments, the workaround is to apply firewall rules to your VMs using the hosting infrastructure capabilities. eg separate to the iptables (etc) rules on each host

dylz5y ago

Yes. There are two different products: VAC, which is for DDoS protection, and general SDN firewall/security groups which is only OVHcloud (not dedicated servers).

In the most general case, it seems other customers can actually send DDoS/volumetric traffic toward you from within OVH and it doesn't get picked up.

jaywalk5y ago

That's not really even a firewall issue, just a very poorly configured network. Pretty shameful for a provider of their size.

KingOfCoders5y ago

Because I was thinking about OVHCloud, they dont have an VPN with private IPs? And load balancers like AWS/Digital Ocean?

drchiu5y ago

Can this be mitigated by using something like ufw and restricting the IP access?

dawnerd5y ago

Unless you use docker, then it doesn't really matter. Really have to make sure your docker containers are not exposing ports they shouldnt be.

1 more reply

brian_herman__5y ago

That is what the OP said to do in his post.

justinclift5y ago· 7 in thread

Just a reminder, from Wikipedia (https://en.wikipedia.org/wiki/OVH#Email_spam):

  As of November 2019, OVH is listed by The Spamhaus Project as the world's
  second worst Internet service provider for the proliferation of unsolicited bulk E-Mail

https://www.spamhaus.org/sbl/listings/ovh.net

Looking at the same list now, it recently seems to have added fraud, and many malware distribution entries too.

r1ch5y ago

This is like saying Google is the search engine with the most links to malware pages. 36 IPs is nothing given how big ovh is.

justinclift5y ago

Those entries aren't all singular IP addresses. Some are ranges (etc).

Picking one at random:

https://www.spamhaus.org/sbl/query/SBL492369

That's showing a fair number of IPs.

WarOnPrivacy5y ago

If a firewall goes offline for 60 seconds, I will get hammered from OVH/DO networks. Not exclusively but they're the standout kings. Just think Psychz networks, but scaled up.

I know OVH's size plays into that. But size here is less about the number of net blocks and more about their bureaucratic disinterest in abuse (common to larger hosts, inc hosts I like).

There are comparable sized hosts in the US (AWS, Azure) but when it comes to crapty traffic, OVH makes them look small and insignificant[1].

Unlike moderation at scale, known attacks are often qualifiable, detectable patterns. Can we please care enough to notice & maybe eventually, one day interrupt them?

[1]disclaimer: Spam from Google/Azure & malicious SMTP traffic from AWS totally dominated the first ½ of this year. IDK why. It's since died off - which differentiates them from OVH/DO.

intev5y ago

Is this the list you are referring to? https://www.spamhaus.org/statistics/networks/

Seems like OVH is not on it anymore.

justinclift5y ago

Cool. Sounds like they've put good effort into cleaning things up then. :)

speedgoose5y ago

It's the biggest European cloud provider.

bzb45y ago

That’s good, it means they won’t bother me about whatever I choose to host. Thanks for your recommendation!

cerberusgr5y ago· 3 in thread

I moved to hetzner immediately, and I haven’t had such issues till today.

I know that you can’t expect much from cheap providers but OVH is extremely unprofessional in my experience.

imperialdrive5y ago

jjeaff5y ago

I can't imagine that any of the ebs recovery isn't fully automated now, if it wasn't then.

tluyben25y ago

Guess you were unlucky; I host with them since 2004 and it has been good with 100s of servers.

rubatuga5y ago· 1 in thread

stingraycharles5y ago

You’re being downvoted, but a hosting provider redesigning their core network infrastructure in 2020 without proper IPv6 support is really bad imho.

It’s unacceptable that all these (cloud) hosting providers collectively make ISPs look good.

jermier5y ago· 1 in thread

jmnicolas5y ago

Yeah it seems every time I log in something has changed ...

netman215y ago· 1 in thread

What they describe sounds to me exactly like standard architecture for combining PoPs and peering with backbone providers. What am I missing?

cerberusgr5y ago

Nothing really, they were on worse designs for years and they came to a point that it couldn’t scale, so they had to come up with a new proper design

johnklos5y ago

I can't imagine why anyone would want to run anything on the same networks that OVH uses to host spammers and scammers.

And good luck talking to an actual human at OVH if something goes wrong.

sm2iOP5y ago

and their APAC backbone: http://weathermap.ovh.net/#apac with Singapore somewhat migrated to the new architecture

j / k navigate · click thread line to collapse