undefined | Better HN

0 pointstreesknees2y ago0 comments

I'd consider it mostly protected, because no their servers are not on OVH, just a single box performing front-facing NAT/proxy essentially. The attacker now just needs to find the "secret" production subnet and attack it directly instead of through the front-facing NAT addresses.

0 comments

3 comments · 2 top-level

bombcar2y ago· 1 in thread

That is very easy to mitigate, because you null route the production subnet except for a VPN that only can be reached by the proxy. You can even VPN over a completely different IPv6 route.

They could still try to knock your entire datacenter offline but that is much harder.

treeskneesOP2y ago

That's not much harder, that's exactly what happened to them in the initial attack.

You're still depending on either a "secret" IPv6 network, or your upstream provider performing some source-based routing to only route packets from the VPN connection. I doubt that's available to a simple colo customer.

frakkingcylons2y ago

That's true. I guess it'd be more accurate to say they're on OVH's network, not necessarily their compute and other infrastructure.

j / k navigate · click thread line to collapse