OVH Anti-DDOS Detecting WireGuard as DDOS?
ehhthing Member

I have an OVH VPS setup as a private WireGuard VPN server to tunnel my traffic. Every once in a while, the tunnel breaks and I get an email from OVH saying that an attack was detected on my VPS.

I highly doubt that this is someone actually attacking me since this server doesn't host much else and it seems to only happen when I'm connected to WireGuard.

Does anyone else have this problem, and if so has anyone figured out a way to fix this?

Comments

  • Neoon Member

    Are you 100% sure your wireguard tunnel is the issue and how so?
    How much traffic are you pulling through the wireguard tunnel at this time when OVH drops it?

  • @Neoon said:
    Are you 100% sure your wireguard tunnel is the issue and how so?
    How much traffic are you pulling through the wireguard tunnel at this time when OVH drops it?

    I don't run much else on the server beyond just a small web server so I don't think it's that. My best guess is that the entropy of the wireguard tunnel is tripping some kind of DDoS detection algorithm.

    I can pull at most 100 Mbps (that's the amount of bandwidth the VPS has) through the tunnel; my home internet is 150 Mbps. The drops are random and don't seem to be correlated with me pulling a lot of traffic, although that might be because it happens on a delay, since from my understanding there is some amount of delay between when the attack was "detected" and when it's mitigated.

  • stefeman Member
    edited March 27

    During attacks, UDP OpenVPN cannot exceed 30 Mbps or it gets cut by OVH VAC. Some locations have limits as low as 8-15 Mbps, such as USA Reston.

    You need a TCP VPN with OVH. WireGuard can be run over TCP, but it's experimental.

  • Cybr Member

    WireGuard uses UDP and OVH falsely detects any large quantity of UDP packets from a single IP as a DDoS attack and blocks it. Good luck getting them to fix that.

    They block packets from my other servers, which prevents me from using more affordable providers like Hetzner. I'll be moving most of my servers away from OVH once I've secured better options.

  • @Cybr said:
    WireGuard uses UDP and OVH falsely detects any large quantity of UDP packets from a single IP as a DDoS attack and blocks it. Good luck getting them to fix that.

    They block packets from my other servers, which prevents me from using more affordable providers like Hetzner. I'll be moving most of my servers away from OVH once I've secured better options.

    Unfortunately, switching to another provider isn't feasible for me. My ISP has notorious issues with peering and transit, and OVH BHS seems to be my only choice when it comes to high bandwidth traffic, which is why I use it as a VPN in the first place.

    Are you aware of any method to whitelist a single IP to bypass VAC?

  • Cybr Member

    @ehhthing said:
    Unfortunately, switching to another provider isn't feasible for me. My ISP has notorious issues with peering and transit, and OVH BHS seems to be my only choice when it comes to high bandwidth traffic, which is why I use it as a VPN in the first place.

    It's hard to find networks which are as good, but if you look hard enough, you can probably find one at a similar price point that has good peering with your ISP. You have a lot more options if you don't need the DDoS protection.

    Are you aware of any method to whitelist a single IP to bypass VAC?

    This would have been enough to solve my issue but there is no way to do that. OVH will tell you to send them packet captures, but that's kinda hard to do while they are blocking the packets, and I have no confidence in them actually fixing their mitigation.

  • rm_ Member
    edited March 27

    Just tried running iperf over the WG tunnel to max out the bandwidth -- did not get any DDoS mitigation triggered. Tried both ways as well. Could be that in my DC (RBX) or on Kimsufi, the DDoS thresholds are different than for VPS.

    You could try switching your tunnel to use IPv6, I don't think they have any DDoS filtering on IPv6 at all.

  • @rm_ said:
    Just tried running iperf over the WG tunnel to max out the bandwidth -- did not get any DDoS mitigation triggered. Tried both ways as well. Could be that in my DC (RBX) or on Kimsufi, the DDoS thresholds are different than for VPS.

    You could try switching your tunnel to use IPv6, I don't think they have any DDoS filtering on IPv6 at all.

    I don't think it's a bandwidth issue; I can often pull quite a lot of traffic over the WireGuard tunnel without problems over a long period of time. The dropouts seem to be random and not connected with the amount of bandwidth being used.

    My ISP doesn't provide IPv6 (hey, look another hallmark of a bad ISP).
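    Whether the drops line up with throughput is the open question in this thread. The following script is an added example (not from any poster) that parses two snapshots of `wg show all dump`, reports per-peer Mbit/s between them, and flags peers whose latest handshake is older than WireGuard's 180 s rekey window, so the timestamps can be compared against the provider's "attack detected" mails. The snapshots and key names below are constructed placeholders.

```python
"""Correlate WireGuard tunnel stalls with per-peer UDP throughput."""
import subprocess
import time

REKEY_TIMEOUT = 180   # seconds without a handshake after which WireGuard gives up
SAMPLE_SECONDS = 10   # gap between the two `wg show all dump` snapshots

def parse_dump(text):
    """Map (iface, peer_pubkey) -> (latest_handshake_epoch, rx_bytes, tx_bytes).
    `wg show all dump` prints one 5-field interface line and 9-field peer lines,
    all tab-separated; only the peer lines carry counters."""
    peers = {}
    for line in text.strip().splitlines():
        f = line.split("\t")
        if len(f) != 9:
            continue  # interface header line, nothing to measure
        iface, pub, _psk, _endpoint, _allowed_ips, hs, rx, tx, _keepalive = f
        peers[(iface, pub)] = (int(hs), int(rx), int(tx))
    return peers

def throughput_report(before, after, elapsed, now):
    """Per-peer Mbit/s over `elapsed` seconds plus a stalled-handshake flag."""
    earlier = parse_dump(before)
    report = {}
    for key, (hs, rx1, tx1) in parse_dump(after).items():
        _, rx0, tx0 = earlier.get(key, (0, rx1, tx1))  # new peer: no delta yet
        report[key] = {
            "rx_mbps": round((rx1 - rx0) * 8 / elapsed / 1e6, 2),
            "tx_mbps": round((tx1 - tx0) * 8 / elapsed / 1e6, 2),
            "stalled": hs == 0 or now - hs > REKEY_TIMEOUT,
        }
    return report

# Constructed sample: peer A moved 125 MB rx / 12.5 MB tx in 10 s and has not
# re-handshaked for 200 s (typical of a tunnel cut mid-stream); peer B is idle but healthy.
SNAP_T0 = ("wg0\tPRIVKEY\tSERVERPUB\t51820\toff\n"
           "wg0\tPEER_A_PUB\t(none)\t203.0.113.10:41234\t10.0.0.2/32\t1700000000\t1000000\t2000000\t25\n"
           "wg0\tPEER_B_PUB\t(none)\t198.51.100.7:5000\t10.0.0.3/32\t1700000190\t5000\t7000\t25\n")
SNAP_T1 = ("wg0\tPRIVKEY\tSERVERPUB\t51820\toff\n"
           "wg0\tPEER_A_PUB\t(none)\t203.0.113.10:41234\t10.0.0.2/32\t1700000000\t126000000\t14500000\t25\n"
           "wg0\tPEER_B_PUB\t(none)\t198.51.100.7:5000\t10.0.0.3/32\t1700000190\t6250\t7000\t25\n")

if __name__ == "__main__":  # live mode: needs root and the wg tool on the host
    first = subprocess.run(["wg", "show", "all", "dump"], capture_output=True, text=True).stdout
    time.sleep(SAMPLE_SECONDS)
    second = subprocess.run(["wg", "show", "all", "dump"], capture_output=True, text=True).stdout
    for key, row in throughput_report(first, second, SAMPLE_SECONDS, int(time.time())).items():
        print(time.strftime("%Y-%m-%dT%H:%M:%S"), key[0], key[1][:8], row)
```

    Run it from cron or a loop and keep the output next to the mail timestamps; a stalled peer with low throughput in the samples just before it points away from a volume threshold.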

  • rm_ Member
    edited March 27

    Did you try using various different UDP ports for the tunnel?

    Best would be to figure out some legit UDP program or service that's likely to generate a lot of traffic (and likely to have some lenience built into the VAC), and squat on that port. For instance, try port 1194 UDP (OpenVPN's standard port).

    Note that the DNS port 53 is unlikely to work better, as DDoS filters are likely to ratelimit DNS much more strictly than other UDP. But oh well, could still try that one and see what that does, who really knows with OVH.

  • @rm_ said:
    Did you try using various different UDP ports for the tunnel?

    Best would be to figure out some legit UDP program or service that's likely to generate a lot of traffic (and likely to have some lenience built into the VAC), and squat on that port. For instance, try port 1194 UDP (OpenVPN's standard port).

    Note that the DNS port 53 is unlikely to work better, as DDoS filters are likely to ratelimit DNS much more strictly than other UDP. But oh well, could still try that one and see what that does, who really knows with OVH.

    Yeah that's on my todo list. Thanks.

  • Cybr Member

    @rm_ said:
    Just tried running iperf over the WG tunnel to max out the bandwidth -- did not get any DDoS mitigation triggered. Tried both ways as well. Could be that in my DC (RBX) or on Kimsufi, the DDoS thresholds are different than for VPS.

    Was the tunnel connected to a server hosted on OVH? I know many VPN providers host on OVH. It would only be filtered if the connection is to a different network.

  • rm_ Member
    edited March 27

    @Cybr said: Was the tunnel connected to a server hosted on OVH? I know many VPN providers host on OVH. It would only be filtered if the connection is to a different network.

    Not just within OVH of course, I tested between OVH and Online.net.

  • Cybr Member

    @rm_ said:
    Not just within OVH of course, I tested between OVH and Online.net.

    Then it probably requires enough UDP connections to other IP addresses at the same time. I have users connected to UDP ports hosted at OVH at the same time. As soon as there's too much throughput to my Hetzner server, it would get filtered and OVH's system would notify me that there is an attack.

  • Experiencing the same issue. Not only with WireGuard, but also with other UDP applications. If OVH sees UDP traffic above 200/300 Mbps, it will detect it as DDoS.

    Using a firewall will not work, so.. yeah.. For me the solution is to use multiple failover IPs and balance the traffic.

  • So why not use a TCP VPN to replace WG? If you're using the VPN on Windows, you can easily set up an SSTP VPN server on your remote Linux server.
