Second large Hetzner outage in a week caused by DDoS attack

Second large Hetzner outage in a week caused by DDoS attack(status.hetzner.com)

83 points by xmpir 4 years ago | 53 comments

tempnow987 4 years ago |

I thought OVH and Hetzner were the source of a ton of these DDoS attacks. Their IP ranges always seem to be in abuse logs.

Cloudflare write in a recent attack:

The top networks included the German provider Hetzner Online GmbH (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), OVH in France (ASN 16276), as well as other cloud providers.

https://blog.cloudflare.com/15m-rps-ddos-attack/

mike_d 4 years ago | |

Hetzner operates a 5-10 Tbps network, roughly the same traffic volume as all of Spectrum/Charter Communications (the 2nd largest cable company in the US). They show up everywhere because they are a big part of the internet.

A wise network operator once told me - never shit on people when they are under attack. Because in the not too distant future you are going to be the victim.

onphonenow 4 years ago | | |

Umm.. AWS and GCP and friends dwarf these guys, but I zee Hetzner, OVH and DigitalOcean in these things.

CircleSpokes 4 years ago | |

I mean that makes sense no? Attacks like that rely on compromised servers so it shouldn't be a big surprise large hosting provides are among the biggest attackers. Other large ISPs like digital ocean and Alibaba are among the top attackers in that attack also.

I assume this attack is UDP based unlike the one you linked too.

onphonenow 4 years ago | | |

Where are the AWS and GCP ranges then?

They aren't even in the top 10 here. Its the claim hetzner is larger than AWS? I find that highly unlikely.

ricardobeat 4 years ago |

At their size, don’t they have some kind of hardware-level packet filtering ability like cloudflare to protect against these attacks?

rstupek 4 years ago | |

Not if the level of incoming bandwidth exceeds the available bandwidth of the circuits involved.. you can't filter it when the link is saturated. Cloudflare uses other techniques like global distribution so aggregate bandwidth is higher than the attack bandwidth

pigtailgirl 4 years ago | | |

does anyone else have a network that can do what Cloudflare can do? seems like magic sometimes.

booi 4 years ago | |

This depends on what type of attack it is. If it's volumetric, no amount of packet filtering is going to help you. If it's protocol-level attack then yes, some form of high performance WAF will be helpful if you have the filtering capacity.

Likely the attack isn't an overwhelming volumetric attack as I assume they have some fat pipes and big routers, but there's likely a bottleneck somewhere in their network.

xmpir 4 years ago | |

They state using hardware DDoS protection but it seems not to be sufficient: https://www.hetzner.com/unternehmen/ddos-schutz

Thaxll 4 years ago | |

Compared to OVH their network / DC are very small, also their DDoS protection is inferior.

xmpir 4 years ago |

I am wondering what the attacker's intent is

belter 4 years ago | |

Retribution :-)

xmpir 4 years ago |

Last time it took about 9 hours: https://status.hetzner.com/incident/129728ce-ba25-49b6-96cc-...

davidtinker 4 years ago |

Anyone know if it is possible to mitigate the impact of Hetzner blocking UDP traffic on port 9000+? These outages whacked our Kubernetes clusters (Calico + vxlan + Wireguard). https://serverfault.com/questions/1100482/how-to-limit-udp-p...

ffhhj 4 years ago |

Excuse the ignorance, but couldn't ISPs block the attacks?

vardagsnyttt 4 years ago | |

That would make sense, but its hard:

- You need to identify the traffic to be filtered and the post states: "Due to always different destinations (IPs, ports, packet size) (..)"

- You need to maintain some agreement with a large number of ISPs

- You need to maintain some gossiping infrastructure to these ISPs

- ISPs may not care about your DDoS attack

mike_d 4 years ago | |

Yes, network operators (should) participate in centralized black hole services like UTRS[1]. If you can identify the specific IPs that are under attack you make a BGP announcement to other participating networks asking them to drop traffic to that IP within their networks.

As a participant you can avoid paying to send outbound attack traffic, and also identify attack sources within your own network.

1. https://team-cymru.com/community-services/utrs/

_-david-_ 4 years ago |

>This concerns UDP traffic on port 9000-65535.

Does anybody know what usually runs on those ports?

deathanatos 4 years ago | |

That's 56,536 different ports. Half of everything (that uses UDP), more or less.

ascar 4 years ago | | |

I would expect 95%+ of TCP traffic to run on 22 (ssh), 25(smtp), 53(dns), 80(http), 443(https) plus another handful of lower than 1000 ports. Even common dev ports (3000,5000,8080) are below 9000. I don't think that's much different for UDP. Even most games probably rely on something <10,000.

tiffanyh 4 years ago | |

I think games.

Hetzner is a popular host for game servers.

scottlamb 4 years ago | |

Besides games, I think many AV things, including VOIP and perhaps WebRTC (definitely UDP, less sure about port number). Possibly also HTTP/3; the server picks the UDP port number IIUC.

lordnacho 4 years ago | |

Isn't it most things that aren't a well-known service?

melolife 4 years ago | |

It's interesting that 9000 is the starting port for Ethereum consensus clients, although the participation rate does not seem to be affected.

sascha_sl 4 years ago | |

Source ports of DNS reflection attacks, presumably.

rozenmd 4 years ago | |

Online games (MMOs, shooters, etc) come to mind

baisq 4 years ago | | |

MMOs over UDP?

xmpir 4 years ago | |

I fear e.g. wireguard is affected.

walrus01 4 years ago |

[spiderman-pointing-at-spiderman.gif]

seriously, aren't they commonly the SOURCE of many DoS attacks...

any hosting provider where some random person on the internet and $5 of credit on a prepaid visa card will have this problem.

missedthecue 4 years ago | |

Hetzner requires government ID to open an account

Dma54rhs 4 years ago | | |

Since when? I've never provided them an ID and neither have they asked later.

MrStonedOne 4 years ago | |

There is also the annoying confusion that some attacks involve spoofing the victim's ip to other hosts so the reply goes to the victim while masking the attacker's ip(s).

unnouinceput 4 years ago |

Maybe, just maybe, rely less on embedded framework on embedded framework that spit JavaScript that gets 95% unused. If for a simple outage apology page the output was 1.7MB, I can only imagine for their normal pages how much it is. At this size I feel only like 10k legit users would unwillingly do the outage anyway. But hey, Kubernetes and Node.js is all the rage nowadays.

danuker 4 years ago | |

"I have only made this letter longer because I have not had the time to make it shorter." - Blaise Pascal