I know we should dilute our dependence on OVH, but cheap and seem to ignore the fact the machine is an exit node.
OVH has a seemingly patented a system to deal with denial of service attacks. I am not sure what they detect but when they do we get this:
"We have just detected an attack on IP address x.x.x.x. In order to protect your infrastructure, we vacuumed up your traffic onto our mitigation infrastructure. The entire attack will thus be filtered by our infrastructure, and only legitimate traffic will reach your servers. At the end of the attack, your infrastructure will be immediately withdrawn from the mitigation"
To be fair, the automated system takes it off after an our or two. If my tor server is left in this mitigated state, the tor exit gets labelled a BAD EXIT which is something to avoid as takes days to be trusted again. As soon as I get their email I now stop TOR to prevent that embarrassing label, and perhaps doing so stops whatever it is OVH is detecting. Being shutdown for a few hours seems better than being a bad exit.
Gerry
On Thu, Sep 10, 2020 at 8:48 AM Dr Gerard Bulger gerard@bulger.co.uk wrote:
I know we should dilute our dependence on OVH, but cheap and seem to ignore the fact the machine is an exit node.
OVH has a seemingly patented a system to deal with denial of service attacks. I am not sure what they detect but when they do we get this:
*“We have just detected an attack on IP address x.x.x.x. In order to protect your infrastructure, we vacuumed up your traffic onto our mitigation infrastructure. The entire attack will thus be filtered by our infrastructure, and only legitimate traffic will reach your servers. At the end of the attack, your infrastructure will be immediately withdrawn from the mitigation”*
I have a server (not a relay) with OVH, and also started receiving these recently. I raised a ticket with them to ask for more information about the detected attack (what port/proto etc) because there are legitimate uses that may look a bit like an attack (the boxes sit behind a CDN, so you can end up with a lot of requests/connections from not may IPs)
Worryingly, they couldn't actually tell me - all I managed to get back was "looks like it's a false positive". It's triggered a few times since, with no sign of anything even remotely suspicious in my traffic graphs.
I know this doesn't really add much knowledge about what they're detecting, but the point is more that they don't seem to be overly clear themselves
On Wed, Sep 09, 2020 at 12:00:37PM +0100, Dr Gerard Bulger wrote:
To be fair, the automated system takes it off after an our or two. If my tor server is left in this mitigated state, the tor exit gets labelled a BAD EXIT which is something to avoid as takes days to be trusted again.
Can you point us to which relay this happened to, and an approximate timestamp?
We don't badexit that many relays these days, so I am wondering if something else is going on instead.
Thanks, --Roger
tor-relays@lists.torproject.org
-
Ben Tasker -
Dr Gerard Bulger -
Roger Dingledine