
OVH DDoS protection cuts Cloudflare traffic.

Open Gawnz1 opened this issue 11 months ago • 3 comments

Hello, not sure if this is the right title or place, but since it's DDoS related.

Explanation: I am a Cloudflare and OVH user. While under attack or under high traffic coming from Cloudflare IPs, OVH DDoS protection is kicking in and rejecting the traffic, and then the proxied site is offline. I know this is a default and logical behavior of the DDoS system at OVH, but is there a way to tweak something, or for you to set up higher limits for CF specifically?

Gawnz1 avatar Mar 10 '24 00:03 Gawnz1

Hi, While browsing the internet, I saw your post. For example, after blocking IPv4/6, a feature like a button could be added to allow only Cloudflare IP blocks to be included in the OVH firewall's allow list. This would result in much cleaner traffic. At least the remaining traffic could be filtered through Cloudflare.

Thanks.

frhtslyn avatar Aug 01 '24 09:08 frhtslyn

I think that the problem is when OVH sets higher limits for Cloudflare IP ranges (IPv4/IPv6) or whitelists them. Then the DDoSers start to hit with IPs from the Cloudflare IPv4/IPv6 range. This may be the biggest problem. Some validation or something else is needed in that case, I am not sure.

@jslocinski, very sorry for the mention/tag. Should we use IPv6 instead of IPv4 to not trigger the anti-DDoS and to avoid rate-limited Cloudflare IPs (proxied site offline)? Is there anything at all that can be done? If we whitelist, for example, (IPv4) in the network edge firewall, will they be blocked like in the case above once a rate-limit or anti-DDoS mitigation is activated?

For me, it seems that only IPv6 is a possible solution for now.

Gawnz1 avatar Aug 11 '24 11:08 Gawnz1
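The comments above raise two separate problems: allowlisting Cloudflare's IP ranges lets anyone who can send traffic from those ranges reach the origin, and rate-limiting by source address throttles a shared Cloudflare edge address instead of the real visitor. The following origin-side check is an added example, not code from the thread, OVH or Cloudflare; it does nothing about OVH's own Anti-DDoS decisions upstream, it only shows what "validation" at the origin can look like. The IP ranges are documentation placeholders standing in for Cloudflare's published lists (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), and the `x-origin-secret` header is a hypothetical per-zone secret you would add with a Cloudflare request-header rule; `CF-Connecting-IP` is the real header Cloudflare sets with the visitor's address.

```python
import hmac
import ipaddress
from typing import Mapping, Optional, Tuple

# Placeholder ranges standing in for Cloudflare's published list
# (constructed; fetch the real lists from cloudflare.com/ips-v4 and /ips-v6).
CF_RANGES_PLACEHOLDER = [
    "198.51.100.0/24",   # TEST-NET-2, constructed
    "2001:db8:cf::/48",  # documentation prefix, constructed
]
CF_NETWORKS = [ipaddress.ip_network(n) for n in CF_RANGES_PLACEHOLDER]

# Hypothetical header that a rule in *your* Cloudflare zone adds to every
# request it proxies; another zone pointed at this origin will not carry it.
ORIGIN_SECRET_HEADER = "x-origin-secret"
ORIGIN_SECRET_VALUE = "constructed-secret-value"  # constructed sample value


def is_cloudflare_ip(src: str) -> bool:
    """True if src falls inside one of the (placeholder) Cloudflare ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CF_NETWORKS)


def classify(src_ip: str, headers: Mapping[str, str]) -> Tuple[str, Optional[str]]:
    """Return (decision, rate_limit_key).

    decision is "allow" or "deny". rate_limit_key is the address a per-client
    limiter should count: for verified Cloudflare traffic that is the visitor
    from CF-Connecting-IP, so one noisy client cannot get a whole Cloudflare
    edge address throttled (the failure mode described in the thread).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not is_cloudflare_ip(src_ip):
        # Direct hit that bypassed the proxy: deny, count the source itself.
        return "deny", src_ip
    presented = h.get(ORIGIN_SECRET_HEADER, "")
    if not hmac.compare_digest(presented.encode(), ORIGIN_SECRET_VALUE.encode()):
        # Cloudflare address, but not proxied through our zone.
        return "deny", src_ip
    client = h.get("cf-connecting-ip")
    if client is None:
        return "deny", src_ip
    try:
        ipaddress.ip_address(client)
    except ValueError:
        # Malformed visitor address: do not trust it as a limiter key.
        return "deny", src_ip
    return "allow", client
```

Cloudflare's Authenticated Origin Pulls (client-certificate mTLS between Cloudflare and the origin) is the stronger form of the same check; the shared-secret header above is the lightweight version.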

For now, there is no way to verify over time the ownership of such external IPs, which would allow us to treat them differently. We have tweaking in mind, but it is not available atm.

PS: a workaround that some customers are using is to spread the traffic across more IPs in OVHcloud.

jslocinski avatar Aug 12 '24 07:08 jslocinski

@jslocinski,

For now, there is no way to verify over time the ownership of such external IPs, which would allow us to treat them differently. We have tweaking in mind, but it is not available atm.

Is this "tweaking" or some other change (which can help us to use the OVH services along with Cloudflare, without being cut by the Anti-DDoS/VAC/etc.) expected by the end of 2025?

axl303 avatar Oct 01 '24 11:10 axl303