Second large Hetzner outage in a week caused by DDoS attack (opens in new tab)

(status.hetzner.com)

83 pointsxmpir3y ago53 comments

53 comments

I thought OVH and Hetzner were the source of a ton of these DDoS attacks. Their IP ranges always seem to be in abuse logs.

Cloudflare write in a recent attack:

The top networks included the German provider Hetzner Online GmbH (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), OVH in France (ASN 16276), as well as other cloud providers.

https://blog.cloudflare.com/15m-rps-ddos-attack/

mike_d3y ago

Hetzner operates a 5-10 Tbps network, roughly the same traffic volume as all of Spectrum/Charter Communications (the 2nd largest cable company in the US). They show up everywhere because they are a big part of the internet.

A wise network operator once told me - never shit on people when they are under attack. Because in the not too distant future you are going to be the victim.

onphonenow3y ago

Umm.. AWS and GCP and friends dwarf these guys, but I zee Hetzner, OVH and DigitalOcean in these things.

2 more replies

CircleSpokes3y ago

I mean that makes sense no? Attacks like that rely on compromised servers so it shouldn't be a big surprise large hosting provides are among the biggest attackers. Other large ISPs like digital ocean and Alibaba are among the top attackers in that attack also.

I assume this attack is UDP based unlike the one you linked too.

onphonenow3y ago

Where are the AWS and GCP ranges then?

They aren't even in the top 10 here. Its the claim hetzner is larger than AWS? I find that highly unlikely.

1 more reply

ricardobeat3y ago

At their size, don’t they have some kind of hardware-level packet filtering ability like cloudflare to protect against these attacks?

rstupek3y ago

Not if the level of incoming bandwidth exceeds the available bandwidth of the circuits involved.. you can't filter it when the link is saturated. Cloudflare uses other techniques like global distribution so aggregate bandwidth is higher than the attack bandwidth

pigtailgirl3y ago

does anyone else have a network that can do what Cloudflare can do? seems like magic sometimes.

3 more replies

booi3y ago

This depends on what type of attack it is. If it's volumetric, no amount of packet filtering is going to help you. If it's protocol-level attack then yes, some form of high performance WAF will be helpful if you have the filtering capacity.

Likely the attack isn't an overwhelming volumetric attack as I assume they have some fat pipes and big routers, but there's likely a bottleneck somewhere in their network.

xmpirOP3y ago

They state using hardware DDoS protection but it seems not to be sufficient: https://www.hetzner.com/unternehmen/ddos-schutz

Thaxll3y ago

Compared to OVH their network / DC are very small, also their DDoS protection is inferior.

xmpirOP3y ago

I am wondering what the attacker's intent is

belter3y ago

Retribution :-)

xmpirOP3y ago

Last time it took about 9 hours: https://status.hetzner.com/incident/129728ce-ba25-49b6-96cc-...

davidtinker3y ago

Anyone know if it is possible to mitigate the impact of Hetzner blocking UDP traffic on port 9000+? These outages whacked our Kubernetes clusters (Calico + vxlan + Wireguard). https://serverfault.com/questions/1100482/how-to-limit-udp-p...

ffhhj3y ago

Excuse the ignorance, but couldn't ISPs block the attacks?

vardagsnyttt3y ago

That would make sense, but its hard:

- You need to identify the traffic to be filtered and the post states: "Due to always different destinations (IPs, ports, packet size) (..)"

- You need to maintain some agreement with a large number of ISPs

- You need to maintain some gossiping infrastructure to these ISPs

- ISPs may not care about your DDoS attack

mike_d3y ago

Yes, network operators (should) participate in centralized black hole services like UTRS[1]. If you can identify the specific IPs that are under attack you make a BGP announcement to other participating networks asking them to drop traffic to that IP within their networks.

As a participant you can avoid paying to send outbound attack traffic, and also identify attack sources within your own network.

1. https://team-cymru.com/community-services/utrs/

_-david-_3y ago

>This concerns UDP traffic on port 9000-65535.

Does anybody know what usually runs on those ports?

deathanatos3y ago

That's 56,536 different ports. Half of everything (that uses UDP), more or less.

ascar3y ago

I would expect 95%+ of TCP traffic to run on 22 (ssh), 25(smtp), 53(dns), 80(http), 443(https) plus another handful of lower than 1000 ports. Even common dev ports (3000,5000,8080) are below 9000. I don't think that's much different for UDP. Even most games probably rely on something <10,000.

1 more reply

tiffanyh3y ago

I think games.

Hetzner is a popular host for game servers.

scottlamb3y ago

Besides games, I think many AV things, including VOIP and perhaps WebRTC (definitely UDP, less sure about port number). Possibly also HTTP/3; the server picks the UDP port number IIUC.

lordnacho3y ago

Isn't it most things that aren't a well-known service?

melolife3y ago

It's interesting that 9000 is the starting port for Ethereum consensus clients, although the participation rate does not seem to be affected.

sascha_sl3y ago

Source ports of DNS reflection attacks, presumably.

rozenmd3y ago

Online games (MMOs, shooters, etc) come to mind

baisq3y ago

MMOs over UDP?

3 more replies

xmpirOP3y ago

I fear e.g. wireguard is affected.

walrus013y ago

[spiderman-pointing-at-spiderman.gif]

seriously, aren't they commonly the SOURCE of many DoS attacks...

any hosting provider where some random person on the internet and $5 of credit on a prepaid visa card will have this problem.

missedthecue3y ago

Hetzner requires government ID to open an account

Dma54rhs3y ago

Since when? I've never provided them an ID and neither have they asked later.

1 more reply

MrStonedOne3y ago

There is also the annoying confusion that some attacks involve spoofing the victim's ip to other hosts so the reply goes to the victim while masking the attacker's ip(s).

unnouinceput3y ago

Maybe, just maybe, rely less on embedded framework on embedded framework that spit JavaScript that gets 95% unused. If for a simple outage apology page the output was 1.7MB, I can only imagine for their normal pages how much it is. At this size I feel only like 10k legit users would unwillingly do the outage anyway. But hey, Kubernetes and Node.js is all the rage nowadays.

danuker3y ago

"I have only made this letter longer because I have not had the time to make it shorter." - Blaise Pascal

j / k navigate · click thread line to collapse

53 comments

tempnow9873y ago

I thought OVH and Hetzner were the source of a ton of these DDoS attacks. Their IP ranges always seem to be in abuse logs.

Cloudflare write in a recent attack:

https://blog.cloudflare.com/15m-rps-ddos-attack/

mike_d3y ago

A wise network operator once told me - never shit on people when they are under attack. Because in the not too distant future you are going to be the victim.

onphonenow3y ago

Umm.. AWS and GCP and friends dwarf these guys, but I zee Hetzner, OVH and DigitalOcean in these things.

2 more replies

CircleSpokes3y ago

I assume this attack is UDP based unlike the one you linked too.

onphonenow3y ago

Where are the AWS and GCP ranges then?

They aren't even in the top 10 here. Its the claim hetzner is larger than AWS? I find that highly unlikely.

1 more reply

ricardobeat3y ago

At their size, don’t they have some kind of hardware-level packet filtering ability like cloudflare to protect against these attacks?

rstupek3y ago

pigtailgirl3y ago

does anyone else have a network that can do what Cloudflare can do? seems like magic sometimes.

3 more replies

booi3y ago

Likely the attack isn't an overwhelming volumetric attack as I assume they have some fat pipes and big routers, but there's likely a bottleneck somewhere in their network.

xmpirOP3y ago

They state using hardware DDoS protection but it seems not to be sufficient: https://www.hetzner.com/unternehmen/ddos-schutz

Thaxll3y ago

Compared to OVH their network / DC are very small, also their DDoS protection is inferior.

xmpirOP3y ago

I am wondering what the attacker's intent is

belter3y ago

Retribution :-)

xmpirOP3y ago

Last time it took about 9 hours: https://status.hetzner.com/incident/129728ce-ba25-49b6-96cc-...

davidtinker3y ago

ffhhj3y ago

Excuse the ignorance, but couldn't ISPs block the attacks?

vardagsnyttt3y ago

That would make sense, but its hard:

- You need to identify the traffic to be filtered and the post states: "Due to always different destinations (IPs, ports, packet size) (..)"

- You need to maintain some agreement with a large number of ISPs

- You need to maintain some gossiping infrastructure to these ISPs

- ISPs may not care about your DDoS attack

mike_d3y ago

As a participant you can avoid paying to send outbound attack traffic, and also identify attack sources within your own network.

1. https://team-cymru.com/community-services/utrs/

_-david-_3y ago

>This concerns UDP traffic on port 9000-65535.

Does anybody know what usually runs on those ports?

deathanatos3y ago

That's 56,536 different ports. Half of everything (that uses UDP), more or less.

ascar3y ago

1 more reply

tiffanyh3y ago

I think games.

Hetzner is a popular host for game servers.

scottlamb3y ago

Besides games, I think many AV things, including VOIP and perhaps WebRTC (definitely UDP, less sure about port number). Possibly also HTTP/3; the server picks the UDP port number IIUC.

lordnacho3y ago

Isn't it most things that aren't a well-known service?

melolife3y ago

It's interesting that 9000 is the starting port for Ethereum consensus clients, although the participation rate does not seem to be affected.

sascha_sl3y ago

Source ports of DNS reflection attacks, presumably.

rozenmd3y ago

Online games (MMOs, shooters, etc) come to mind

baisq3y ago

MMOs over UDP?

3 more replies

xmpirOP3y ago

I fear e.g. wireguard is affected.

walrus013y ago

[spiderman-pointing-at-spiderman.gif]

seriously, aren't they commonly the SOURCE of many DoS attacks...

any hosting provider where some random person on the internet and $5 of credit on a prepaid visa card will have this problem.

missedthecue3y ago

Hetzner requires government ID to open an account

Dma54rhs3y ago

Since when? I've never provided them an ID and neither have they asked later.

1 more reply

MrStonedOne3y ago

There is also the annoying confusion that some attacks involve spoofing the victim's ip to other hosts so the reply goes to the victim while masking the attacker's ip(s).

unnouinceput3y ago

danuker3y ago

"I have only made this letter longer because I have not had the time to make it shorter." - Blaise Pascal

j / k navigate · click thread line to collapse