OVH Hosting – Web Security Headache

** Update – 7/10/2018 – The relentless connections have never stopped, not even for a moment. We’ve seen over 398k connections from these hosts, and they don’t realize it’s the same blog page over and over, how intelligent! I’ve updated OVH via an abuse ticket over 50 times with totals and summaries. They have never responded to my inquiries. I’ve never seen action taken on an abuse ticket out of at least 5 opened on various malware, phishing, and other attacks out on the internet.

** Update – 4/6/2018 – We’ve received 125,027 connections from this provider since the blog was posted. A block by ARIN name helps us cover more space, so OVH Hosting, Inc, and OVH SAS are completely blocked from our websites.

Why do Canadians love the Infostruction blog so much? This is a question I set out to answer after looking at our Web Application Firewall (WAF) logs over the past 48 hours, and beyond. I’ve got 60k connections from 39 different IPs that belong to OVH Hosting Inc, all hailing from Canada. I let them know about this issue back when it started and blocked all of the networks owned by this company. Since then, it’s been a constant flood of connections from OVH, and no response from the security/abuse team. I don’t expect one, so I’m writing here to warn you: if you see a large number of connections, we recommend blocking the IPs below at a minimum. The real problem comes with the volume and the fact that they are relentless, never stopping to rest. These connections come 24x7x365 and look like some sort of crawler or scraper. The issue is that they do not present a legitimate user-agent for that kind of bot, and so we have no idea why they are accessing all of the content repeatedly, for days on end.
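The pattern described above (one source hammering the same page around the clock with browser-looking user-agents rather than a declared crawler) can be pulled out of a WAF or web-server log automatically. The script below is an added example, not code from the blog; it assumes Apache/nginx "combined" log format and uses constructed sample lines with RFC 5737 test addresses, not the real OVH hosts.

```python
"""Flag sources that hit one page over and over without declaring a crawler UA."""
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Tokens a self-identifying crawler normally carries in its User-Agent.
BOT_TOKENS = ("bot", "crawler", "spider", "slurp")

# Constructed sample log (RFC 5737 test addresses, not real hosts from the post).
SAMPLE_LOG = """\
198.51.100.10 - - [07/Apr/2018:10:00:01 +0000] "GET /2018/03/ovh-hosting/ HTTP/1.1" 403 153 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
198.51.100.10 - - [07/Apr/2018:10:00:02 +0000] "GET /2018/03/ovh-hosting/ HTTP/1.1" 403 153 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
198.51.100.10 - - [07/Apr/2018:10:00:03 +0000] "GET /2018/03/ovh-hosting/ HTTP/1.1" 403 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
198.51.100.10 - - [07/Apr/2018:10:00:04 +0000] "GET /2018/03/ovh-hosting/ HTTP/1.1" 403 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
203.0.113.5 - - [07/Apr/2018:10:00:05 +0000] "GET /2018/03/ovh-hosting/ HTTP/1.1" 200 8420 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [07/Apr/2018:10:00:06 +0000] "GET /2018/03/ovh-hosting/ HTTP/1.1" 200 8420 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [07/Apr/2018:10:00:07 +0000] "GET /2018/03/ovh-hosting/ HTTP/1.1" 200 8420 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [07/Apr/2018:10:00:08 +0000] "GET /2018/03/ovh-hosting/ HTTP/1.1" 200 8420 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.7 - - [07/Apr/2018:10:00:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30"
192.0.2.7 - - [07/Apr/2018:10:00:10 +0000] "GET /about/ HTTP/1.1" 200 3100 "/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30"
"""


def flag_scrapers(log_text, min_hits=4, same_path_ratio=0.9):
    """Return {ip: stats} for sources that (1) exceed min_hits, (2) spend at least
    same_path_ratio of their requests on a single path, and (3) never present a
    User-Agent that identifies itself as a crawler."""
    hits, paths, uas = Counter(), defaultdict(Counter), defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip = m["ip"]
        hits[ip] += 1
        paths[ip][m["path"]] += 1
        uas[ip].add(m["ua"].lower())
    flagged = {}
    for ip, n in hits.items():
        if n < min_hits:
            continue
        top_path, top_n = paths[ip].most_common(1)[0]
        declares_bot = any(t in ua for ua in uas[ip] for t in BOT_TOKENS)
        if top_n / n >= same_path_ratio and not declares_bot:
            flagged[ip] = {"hits": n, "path": top_path, "user_agents": len(uas[ip])}
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_scrapers(SAMPLE_LOG).items():
        print(f"{ip}: {stats['hits']} hits on {stats['path']}, {stats['user_agents']} UA(s)")
```

Flagged addresses are candidates for a block rule; raise min_hits to suit your traffic, and check the ASN/ARIN organisation of each hit before widening a block to the whole netblock as the post describes.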

OVH Hosting, please end this relentless assault on our web server. None of it is getting anywhere, and the global CDN/WAF is blocking every connection from these hosts, so they never reach the website’s real systems. It’s just blowing all of the data off my log for other connections I should be looking at instead. Stop wasting my time, and attack something else. You’ve got the idea for inbound attacks, now start protecting the internet FROM your clients, not just your clients from the internet.

Organization: OVH Hosting Inc. (aka OVH SAS)
Geolocation: Canada
Connections: 15,050 (48hr)

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0

IP Addresses: