
OVH Anti-DDOS Detecting WireGuard as DDOS?

I have an OVH VPS set up as a private WireGuard VPN server to tunnel my traffic. Every once in a while, the tunnel breaks and I get an email from OVH saying that an attack was detected on my VPS.

I highly doubt that this is someone actually attacking me since this server doesn't host much else and it seems to only happen when I'm connected to WireGuard.

Does anyone else have this problem, and if so has anyone figured out a way to fix this?


Comments

  • Neoon Community Contributor, Veteran

    Are you 100% sure your wireguard tunnel is the issue and how so?
    How much traffic are you pulling through the wireguard tunnel at this time when OVH drops it?

  • @Neoon said:
    Are you 100% sure your wireguard tunnel is the issue and how so?
    How much traffic are you pulling through the wireguard tunnel at this time when OVH drops it?

    I don't run much else on the server beyond just a small web server so I don't think it's that. My best guess is that the entropy of the wireguard tunnel is tripping some kind of DDoS detection algorithm.

    I can pull at most 100 Mbps (that's the amount of bandwidth the VPS has) through the tunnel; my home internet is 150 Mbps. The drops are random and don't seem to be correlated with me pulling a lot of traffic, although that might be because it happens on a delay, since from my understanding there is some lag between when the attack is "detected" and when it's mitigated.

  • stefeman Member
    edited March 2021

    During attacks, UDP OpenVPN cannot exceed 30 Mbps or it gets cut by OVH VAC. Some locations have limits as low as 8-15 Mbps, such as USA Reston.

    You need a TCP VPN with OVH. WireGuard can be run with TCP but it's experimental.

  • Cybr Member

    WireGuard uses UDP and OVH falsely detects any large quantity of UDP packets from a single IP as a DDoS attack and blocks it. Good luck getting them to fix that.

    They block packets from my other servers, which prevents me from using more affordable providers like Hetzner. I'll be moving most of my servers away from OVH once I've secured better options.

  • @Cybr said:
    WireGuard uses UDP and OVH falsely detects any large quantity of UDP packets from a single IP as a DDoS attack and blocks it. Good luck getting them to fix that.

    They block packets from my other servers, which prevents me from using more affordable providers like Hetzner. I'll be moving most of my servers away from OVH once I've secured better options.

    Unfortunately, switching to another provider isn't feasible for me. My ISP has notorious issues with peering and transit, and OVH BHS seems to be my only choice when it comes to high bandwidth traffic, which is why I use it as a VPN in the first place.

    Are you aware of any method to whitelist a single IP to bypass VAC?

  • Cybr Member

    @ehhthing said:
    Unfortunately, switching to another provider isn't feasible for me. My ISP has notorious issues with peering and transit, and OVH BHS seems to be my only choice when it comes to high bandwidth traffic, which is why I use it as a VPN in the first place.

    It's hard to find networks which are as good, but if you look hard enough, you can probably find one at a similar price point that has good peering with your ISP. You have a lot more options if you don't need the DDoS protection.

    Are you aware of any method to whitelist a single IP to bypass VAC?

    This would have been enough to solve my issue but there is no way to do that. OVH will tell you to send them packet captures, but that's kinda hard to do while they are blocking the packets, and I have no confidence in them actually fixing their mitigation.

  • rm_ IPv6 Advocate, Veteran
    edited March 2021

    Just tried running iperf over the WG tunnel to max out the bandwidth -- did not get any DDoS mitigation triggered. Tried both ways as well. Could be that in my DC (RBX) or on Kimsufi, the DDoS thresholds are different than for VPS.

    You could try switching your tunnel to use IPv6, I don't think they have any DDoS filtering on IPv6 at all.

  • @rm_ said:
    Just tried running iperf over the WG tunnel to max out the bandwidth -- did not get any DDoS mitigation triggered. Tried both ways as well. Could be that in my DC (RBX) or on Kimsufi, the DDoS thresholds are different than for VPS.

    You could try switching your tunnel to use IPv6, I don't think they have any DDoS filtering on IPv6 at all.

    I don't think it's a bandwidth issue, I can often pull quite a lot of traffic over the WireGuard tunnel without problems over a long period of time. The dropouts seem to be random and not connected with the amount of bandwidth being used.

    My ISP doesn't provide IPv6 (hey, look another hallmark of a bad ISP).

  • rm_ IPv6 Advocate, Veteran
    edited March 2021

    Did you try using various different UDP ports for the tunnel?

    Best would be to figure out some legit UDP program or service that's likely to generate a lot of traffic (and likely to have some lenience built into the VAC), and squat on that port. For instance, try port 1194 UDP (OpenVPN's standard port).

    Note that the DNS port 53 is unlikely to work better, as DDoS filters are likely to ratelimit DNS much more strictly than other UDP. But oh well, could still try that one and see what that does, who really knows with OVH.

  • @rm_ said:
    Did you try using various different UDP ports for the tunnel?

    Best would be to figure out some legit UDP program or service that's likely to generate a lot of traffic (and likely to have some lenience built into the VAC), and squat on that port. For instance, try port 1194 UDP (OpenVPN's standard port).

    Note that the DNS port 53 is unlikely to work better, as DDoS filters are likely to ratelimit DNS much more strictly than other UDP. But oh well, could still try that one and see what that does, who really knows with OVH.

    Yeah that's on my todo list. Thanks.

  • Cybr Member

    @rm_ said:
    Just tried running iperf over the WG tunnel to max out the bandwidth -- did not get any DDoS mitigation triggered. Tried both ways as well. Could be that in my DC (RBX) or on Kimsufi, the DDoS thresholds are different than for VPS.

    Was the tunnel connected to a server hosted on OVH? I know many VPN providers host on OVH. It would only be filtered if the connection is to a different network.

  • rm_ IPv6 Advocate, Veteran
    edited March 2021

    @Cybr said: Was the tunnel connected to a server hosted on OVH? I know many VPN providers host on OVH. It would only be filtered if the connection is to a different network.

    Not just within OVH of course, I tested between OVH and Online.net.

  • Cybr Member

    @rm_ said:
    Not just within OVH of course, I tested between OVH and Online.net.

    Then it probably requires enough UDP connections to other IP addresses at the same time. I have users connected to UDP ports hosted at OVH at the same time. As soon as there's too much throughput to my Hetzner server, it would get filtered and OVH's system would notify me that there is an attack.

  • Experiencing the same issue. Not only with WireGuard, but also with other UDP applications. If OVH sees UDP traffic above 200/300 Mbps, it will detect it as DDoS.

    Using a firewall will not work, so... yeah... For me the solution is to use multiple failover IPs and balance the traffic.

  • So why not use a TCP VPN to replace WG? If you're using the VPN on Windows, you can easily set up an SSTP VPN server on your remote Linux server.

  • Hello, I have the same problem, has anyone found a solution after all this time?

  • Quit OVH. They are clueless when it comes to networking (and woodworking)

  • I have no problems pulling 500 Mbps over WireGuard from/to an OVH dedicated server.

  • @stefeman said:
    During attacks, UDP OpenVPN cannot exceed 30 Mbps or it gets cut by OVH VAC. Some locations have limits as low as 8-15 Mbps, such as USA Reston.

    That's a pity. I'm hoping that when QUIC gets mainstream, this limitation will be removed.

  • MrRadic Patron Provider, Veteran

    @ehhthing said:

    @Cybr said:
    WireGuard uses UDP and OVH falsely detects any large quantity of UDP packets from a single IP as a DDoS attack and blocks it. Good luck getting them to fix that.

    They block packets from my other servers, which prevents me from using more affordable providers like Hetzner. I'll be moving most of my servers away from OVH once I've secured better options.

    Unfortunately, switching to another provider isn't feasible for me. My ISP has notorious issues with peering and transit, and OVH BHS seems to be my only choice when it comes to high bandwidth traffic, which is why I use it as a VPN in the first place.

    Are you aware of any method to whitelist a single IP to bypass VAC?

    Who's your ISP? It isn't tough to figure out other providers that have direct peering.

  • @Shot2 said: Quit OVH. They are clueless when it comes to networking (and woodworking)

    You made my day with that comment, brilliant!

  • WebProject Host Rep, Veteran
    edited November 2021

    @Shot2 said:
    Quit OVH. They are clueless when it comes to networking (and woodworking)

    Unfortunately you are right if you talk to their UK office, as according to their support it's impossible to have various IPv4 ranges (example: 5.x.x.x, 152.x.x.x, 148.x.x.x and so on) on the same server. My response back was: are you sure? Do you know anything about networking apart from Facebook 😂

    If you need any support with OVH, try their US support, as you get a much better level of support there.

  • LowHosting Member, Host Rep

    Switching to OpenVPN UDP (or TCP) will probably solve the problem, have you already tried?

  • Same problem but with reliablesite, GRE tunnel fixed the problem.

  • @MrRadic said:

    @ehhthing said:

    @Cybr said:
    WireGuard uses UDP and OVH falsely detects any large quantity of UDP packets from a single IP as a DDoS attack and blocks it. Good luck getting them to fix that.

    They block packets from my other servers, which prevents me from using more affordable providers like Hetzner. I'll be moving most of my servers away from OVH once I've secured better options.

    Unfortunately, switching to another provider isn't feasible for me. My ISP has notorious issues with peering and transit, and OVH BHS seems to be my only choice when it comes to high bandwidth traffic, which is why I use it as a VPN in the first place.

    Are you aware of any method to whitelist a single IP to bypass VAC?

    Who's your ISP? It isn't tough to figure out other providers that have direct peering.

    My situation has changed recently: my ISP has started to route more local traffic via TorIX so I can use Oracle Toronto instead which works great.

  • LowHosting Member, Host Rep

    @ehhthing said:

    @MrRadic said:

    @ehhthing said:

    @Cybr said:
    WireGuard uses UDP and OVH falsely detects any large quantity of UDP packets from a single IP as a DDoS attack and blocks it. Good luck getting them to fix that.

    They block packets from my other servers, which prevents me from using more affordable providers like Hetzner. I'll be moving most of my servers away from OVH once I've secured better options.

    Unfortunately, switching to another provider isn't feasible for me. My ISP has notorious issues with peering and transit, and OVH BHS seems to be my only choice when it comes to high bandwidth traffic, which is why I use it as a VPN in the first place.

    Are you aware of any method to whitelist a single IP to bypass VAC?

    Who's your ISP? It isn't tough to figure out other providers that have direct peering.

    My situation has changed recently: my ISP has started to route more local traffic via TorIX so I can use Oracle Toronto instead which works great.

    Nice!

  • MrRadic Patron Provider, Veteran

    @ShalaWorks said:
    Same problem but with reliablesite, GRE tunnel fixed the problem.

    We can typically whitelist the source.

  • jordynegen11 Member
    edited November 2021

    Just ask the OVH support to increase the UDP threshold for mitigation detection on your IP.
    Worked for me in the past.

    By default, if you go higher than xxx PPS, the OVH VAC will detect it as an attack.
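    The thread's limit is stated in packets per second while most posters reason in Mbps, so here is an added example (not from any poster in the thread) that takes two `wg show wg0 dump` snapshots and turns each peer's byte deltas into Mbps and an estimated packet rate. The average packet size and the PPS limit are placeholder assumptions, since OVH does not publish the real figure, and the two snapshots are constructed.

```python
"""Per-peer WireGuard rates from two `wg show wg0 dump` snapshots (added example)."""
from dataclasses import dataclass

ASSUMED_AVG_PACKET_BYTES = 1000  # placeholder: average on-wire UDP datagram size
ASSUMED_UDP_PPS_LIMIT = 10_000   # placeholder: OVH does not publish the real figure

@dataclass
class PeerRate:
    endpoint: str
    mbps: float       # both directions combined
    est_pps: float    # bytes / ASSUMED_AVG_PACKET_BYTES / interval
    over_limit: bool

def parse_dump(text: str) -> dict:
    """Map pubkey -> (endpoint, rx_bytes, tx_bytes). `wg show <iface> dump` prints a
    4-field interface line, then 8 tab-separated fields per peer: pubkey, psk,
    endpoint, allowed-ips, latest-handshake, transfer-rx, transfer-tx, keepalive."""
    peers = {}
    for line in text.strip().splitlines():
        fields = line.split("\t")
        if len(fields) != 8:
            continue  # skip the interface header line
        pub, _psk, endpoint, _allowed, _hs, rx, tx, _ka = fields
        peers[pub] = (endpoint, int(rx), int(tx))
    return peers

def peer_rates(before: str, after: str, interval_s: float) -> dict:
    """Per-peer Mbps and estimated pps between snapshots interval_s seconds apart."""
    a, b = parse_dump(before), parse_dump(after)
    rates = {}
    for pub, (endpoint, rx1, tx1) in b.items():
        _, rx0, tx0 = a.get(pub, (endpoint, 0, 0))  # peer absent before: count from 0
        delta = (rx1 - rx0) + (tx1 - tx0)
        mbps = delta * 8 / interval_s / 1e6
        pps = delta / ASSUMED_AVG_PACKET_BYTES / interval_s
        rates[pub] = PeerRate(endpoint, mbps, pps, pps > ASSUMED_UDP_PPS_LIMIT)
    return rates

# Constructed snapshots taken 10 s apart; keys and addresses are placeholders.
def _row(*f): return "\t".join(f)
SNAP_T0 = "\n".join([_row("IFACE_PRIVKEY", "IFACE_PUBKEY", "51820", "off"),
    _row("PEER_A_PUBKEY", "(none)", "203.0.113.10:41641", "10.0.0.2/32", "1700000000", "1000000", "2000000", "off"),
    _row("PEER_B_PUBKEY", "(none)", "198.51.100.7:51820", "10.0.0.3/32", "1700000000", "500000", "500000", "25")])
SNAP_T10 = "\n".join([_row("IFACE_PRIVKEY", "IFACE_PUBKEY", "51820", "off"),
    _row("PEER_A_PUBKEY", "(none)", "203.0.113.10:41641", "10.0.0.2/32", "1700000005", "26000000", "102000000", "off"),
    _row("PEER_B_PUBKEY", "(none)", "198.51.100.7:51820", "10.0.0.3/32", "1700000008", "1000000", "1000000", "25")])

if __name__ == "__main__":
    for pub, r in peer_rates(SNAP_T0, SNAP_T10, 10.0).items():
        print(f"{pub}: {r.mbps:.1f} Mbps, ~{r.est_pps:.0f} pps, over_limit={r.over_limit}")
```

    Run it against real output by feeding two `wg show wg0 dump` captures a known number of seconds apart; a peer that is flagged at your assumed limit is the one worth raising with support, as the post above suggests.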

  • LowHosting Member, Host Rep

    @jordynegen11 said:
    Just ask the OVH support to increase the UDP threshold for mitigation detection on your IP.
    Worked for me in the past.

    By default, if you go higher than xxx PPS, the OVH VAC will detect it as an attack.

    Unfortunately, things have changed over the years. I have heard from many people that their support has become much, much slower, but yes, this can be a solution!

  • jordynegen11 Member
    edited November 2021

    @LowHosting said:

    @jordynegen11 said:
    Just ask the OVH support to increase the UDP threshold for mitigation detection on your IP.
    Worked for me in the past.

    By default, if you go higher than xxx PPS, the OVH VAC will detect it as an attack.

    Unfortunately, things have changed over the years. I have heard from many people that their support has become much, much slower, but yes, this can be a solution!

    They probably will help you with this question in a few days.

    It was always a nightmare at OVH and still is. We are using their business support now, which is way faster, but of course it will cost you a fortune.
