OVH VPN: help with UDP Fragmentation?
Hello!
I have set up a few OpenVPN tunnels on my OVH servers successfully, and they work just fine in regular use. However, the reason I have created these in the first place is for a protected VPN against stress attacks.
The problem is, whenever I stress my server in order to test the VPN, it completely drops the tunnel and any outside connections using the VPN. I have contacted support, and they said VAC blindly drops any fragmented UDP traffic, and I believe this may be the issue. How would I go about avoiding fragmented UDP traffic without switching to TCP? I have never run into any issue like this before, so I am a little foreign to it. This VPN is used by clients mostly for online gaming (e.g. XBOX, PSN), and is unstable when it comes under attack.
Thanks!
Comments
You should look into the fragment option. As long as you keep this below the MTU for your connection no fragmentation should occur.
I've seen usage of "--fragment 0". Does this act as disabling fragmentation overall?
Highly unlikely. When you look at the docs:
a setting of zero doesn't even make sense. In short --fragment tells OpenVPN to fragment internally so the link doesn't have to.
So you basically DDoS your host?
UDP frag attacks are common for large scale attacks originating from either one or multiple higher-bandwidth nodes. You'd ideally disable "egress" UDP frag as explained earlier by @mksh. After setting "--fragment 1472" you should not be sending out nor receiving any frag packets anymore and thus shouldn't be in the list of blocked IPs on DDoS. Keep in mind though, the reason might not be frag at all. Any UDP traffic can be considered a DDoS and detecting a stateless protocol based on traffic patterns... is interesting.
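An added example, not from the thread, modelling the point made by @mksh and in the post above: it computes the largest UDP payload a 1500-byte link carries without IP fragmentation (1472), models OpenVPN's internal --fragment splitting in simplified form, and checks a batch of IPv4 datagrams for fragments the way you would verify a capture after the change. Addresses, ports and packet contents are constructed sample values.

```python
import struct

IP_HDR_LEN = 20   # IPv4 header without options
UDP_HDR_LEN = 8


def openvpn_fragment_for_mtu(link_mtu: int) -> int:
    """Largest UDP payload that fits one unfragmented IPv4 datagram on a link.

    For a 1500-byte Ethernet path this is 1472, the value quoted in the thread;
    it is the upper bound for OpenVPN's --fragment on such a link."""
    return link_mtu - IP_HDR_LEN - UDP_HDR_LEN


def openvpn_internal_fragment(tunnel_packet: bytes, fragment_max: int) -> list:
    """Simplified model of --fragment: split the tunnelled packet into pieces no
    larger than fragment_max *before* UDP encapsulation, so the link never has
    to IP-fragment. (Real OpenVPN also prepends a small fragment header.)"""
    return [tunnel_packet[i:i + fragment_max]
            for i in range(0, len(tunnel_packet), fragment_max)]


def build_ipv4_udp(payload: bytes, link_mtu: int = 1500, port: int = 1194) -> list:
    """Constructed-packet helper: wrap payload in IPv4/UDP and IP-fragment it the
    way a host stack would when the datagram exceeds link_mtu. Addresses and
    ports are made-up sample values; the IP checksum is left zero."""
    udp = struct.pack("!HHHH", port, port, UDP_HDR_LEN + len(payload), 0) + payload
    max_data = (link_mtu - IP_HDR_LEN) // 8 * 8   # fragment bodies are 8-byte multiples
    datagrams = []
    for off in range(0, len(udp), max_data):
        chunk = udp[off:off + max_data]
        more = off + max_data < len(udp)
        flags_frag = (0x2000 if more else 0) | (off // 8)   # MF bit | fragment offset
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(chunk), 0x1234,
                          flags_frag, 64, 17, 0, bytes([10, 8, 0, 1]), bytes([10, 8, 0, 2]))
        datagrams.append(hdr + chunk)
    return datagrams


def is_ipv4_fragment(packet: bytes) -> bool:
    """True if the IPv4 header carries the More Fragments bit or a non-zero offset,
    the same test as the tcpdump filter '(ip[6:2] & 0x3fff) != 0'."""
    if len(packet) < IP_HDR_LEN or packet[0] >> 4 != 4:
        return False
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return (flags_frag & 0x3FFF) != 0


def count_fragments(packets) -> int:
    """Number of datagrams in a capture that are IP fragments, i.e. the traffic
    the thread says VAC drops; after a correct --fragment this should be zero."""
    return sum(1 for p in packets if is_ipv4_fragment(p))
```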
Ouch, how could I miss that. OP, you moron...
The OVH network is such a massive infrastructure with 13 Tbps in total. Each attack is sucked into an isolated VAC (vacuum) mitigation system and does not affect any services whatsoever (except for my tunnel of course). There is nothing moronic about ethically stress testing a server you own, and have permission to do so on.
Yeah of course they have technical magic to make the packets vanish into thin air. Lame.
OVH gave you permission? Doubt it. I'd ask you to post the site you are using to run the tests (it isn't your own botnet, is it?) so I can laugh at the super legitimate stress testing it offers, but no one wants such shit here.
So it's… working as intended?
I suggest you research into how OVH handles their DDoS mitigation.
The tunnel itself works fine; however, when it comes under pressure (i.e. an attack of sorts) it completely disconnects itself and any other service using it. That is the main issue.
Says the guy that can't read the manual or know how fragmentation works.
I'm almost certain you won't find a way to fix this; this is just how OVH works, and you won't be able to prevent all attacks from causing the VPN port to drop some UDP traffic. Change to TCP; the overhead from it isn't too bad.
That's unfortunate. One of my mates somehow configured it on his, but he may have a different server than mine or another differentiating factor. Anyway, thanks for actually helping. I have tried to avoid TCP, but I guess I'll give it a shot.
I don't think you had the appropriate permission. Not only do you need permission from the target - which you might have had - but you also need permission from the source and intermediary networks.
You won't have had permission from OVH, their carriers or the host where the attack was launched from.
What you did was unethical and in most jurisdictions, illegal.
Didn't you know that OVH uses their time machines and teleportation devices to send their techs to the attack sources to unplug their ethernet cables before the attack even happens? I am a bit unsure why they need so much capacity though, as in the present (which is what matters, I think) they are never going to be hit by anything.
Hello, I have the same problem and I'm wondering if someone found a fix.
No worries, necromancer, you have only resurrected a thread from 2018.