Under Attack from OVH with Password Spraying

Yesterday and today we are having a huge Password Spraying attack (or whatever this crap is), mainly from OVH VPS accounts (Canada and Singapore). Also smaller ones from other sources like Fibergrid, Servermania (a.k.a. B2 Net Solutions), Leaseweb, Colocrossing and clients.your-server.de (a.k.a. Hetzner).

Imunify 360 did NOTHING to protect us and Google Recaptcha didn’t block ANYTHING.

So we now have over 20.000 fake and UNverified accounts (so far), split across 3 sites (2 of them are WordPress based), that we have to clean up. And guess what, WordPress doesn’t clearly show if an account is verified or not; we have to find that out using some other tool.

But the attack hasn’t stopped, creating some 3-5 new accounts per minute. This can’t be human, it must be malicious bots.

Here is OVH abuse report reply:

OVHcloud conducts its activities in conformity with applicable laws, we forbid any use of our products that don’t conform to our general terms and conditions of services. It’s important to note that most of our services are rented “unmanaged” to our customers.

This means that we only have physical access to the server and cannot access its content (no root, administrator, or user access).

We are technically unable to modify or delete content, or making an abusive behavior stop by intervening directly on the server, as it is not managed by us. We will however transmit the technical information of your report to the customer managing the infrastructure concerned, and we will follow this ticket to its resolution.

Here is what happened (and still is ….. )

vps-434e9809.vps.ovh.ca » (16.30%)
vps-2542aa40.vps.ovh.ca » (15.80%)
vps-6286873d.vps.ovh.ca » (15.56%)
vps-e759238e.vps.ovh.ca » (15.06%)
vps-eb801c4b.vps.ovh.ca » (13.62%)
vps-c072a78f.vps.ovh.ca » (4.19%)
vps-879192d4.vps.ovh.net » 4 (0.16%)

and maybe we have missed some. Total: (74.84%) from OVH.

Our abuse reports to OVH haven’t been replied to or resolved after 3 days. All we got back is some automated response email. All IPs are banned but still knocking ….

Currently Permanently Blocking OVH:

IP Range 135.125.200.0 – 135.125.207.255

IP Range 51.254.0.0 – 51.255.255.255

IP Range 51.79.0.0 – 51.79.255.255 – OVH Singapore

IP Range 5.39.80.0 – 5.39.95.255
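
The ranges above, converted to CIDR blocks and checked against the six source addresses reported in the comments on this page. This is an added example, not code from the original post; the function names `to_cidrs` and `uncovered` are made up for illustration.

```python
import ipaddress

# Start/end pairs copied from the block list in this post.
BLOCKED_RANGES = [
    ("135.125.200.0", "135.125.207.255"),
    ("51.254.0.0", "51.255.255.255"),
    ("51.79.0.0", "51.79.255.255"),
    ("5.39.80.0", "5.39.95.255"),
]

# Source addresses copied from the comment thread on this page.
REPORTED_SOURCES = [
    "167.114.129.211", "167.114.129.196", "144.217.240.168",
    "51.79.240.23", "167.114.129.209", "51.79.221.207",
]


def to_cidrs(ranges):
    """Turn (start, end) address pairs into a minimal sorted list of CIDR networks."""
    nets = []
    for start, end in ranges:
        first = ipaddress.ip_address(start)
        last = ipaddress.ip_address(end)
        if first.version != last.version or first > last:
            raise ValueError(f"bad range: {start} - {end}")
        # A range that is not aligned to one prefix yields several networks.
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent or overlapping networks so the rule set stays small.
    return list(ipaddress.collapse_addresses(nets))


def uncovered(sources, networks):
    """Return the source addresses that no blocked network contains."""
    missed = []
    for src in sources:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in networks):
            missed.append(src)
    return missed


if __name__ == "__main__":
    cidrs = to_cidrs(BLOCKED_RANGES)
    print("CIDR blocks:", ", ".join(str(n) for n in cidrs))
    print("Reported sources outside the blocks:", uncovered(REPORTED_SOURCES, cidrs))
```

Four of the six reported addresses fall outside these four ranges, so they are stopped only by the individual IP bans.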

7 Comments

  1. I have installed on all my Websites CleanTalk and this solution block all Bots successfully.

    1. CleanTalk is heavy and causes more issues than it solves.
      Still, if it works for you, then ok !

      We recently installed Wordfence (free edition) and we will see how it goes. OVH is one of the worst sources of attacks for us, along with Digital Ocean right now. But we have found a way to solve this and we will blog about it.

      Thanks for the comment.

  2. ovh.net is currently providing bulletproof hosting to botnet operators, by ignoring abuse reports and multiple reminders sent by Spamhaus and 3rd parties. We therefore consider networks that are operated by ovh.net as harmful and risky for Spamhaus SBL users and advise our users to not accept any traffic from ovh.net IP space.

    From 2014, but it still seems valid, not for spam but for general attacks and botnets.

  3. We are still getting 10 registration attempts per minute from:

    IP Address: 167.114.129.211
    Hostname: vps-e759238e.vps.ovh.ca

    IP Address: 167.114.129.196
    Hostname: vps-eb801c4b.vps.ovh.ca

    IP Address: 144.217.240.168
    Hostname: vps-434e9809.vps.ovh.ca

    IP Address: 51.79.240.23
    Hostname: vps-6286873d.vps.ovh.ca

    IP Address: 167.114.129.209
    Hostname: vps-2542aa40.vps.ovh.ca

    IP Address: 51.79.221.207
    Hostname: vps-c072a78f.vps.ovh.ca

  4. Did you solve the issue? I’m getting the very same issue from different cloud/hosting IPs…

    1. We did and it is funny how we did it. We removed Google recaptchas and installed another plugin that provides a different kind of check. And from what I see, bots can’t bypass it. We still get a few fake registrations but we always had that issue. 10-20 fake accounts each day.

      This issue was different. Now we have to clean up around 25000 accounts (3 sites).

  5. Those are probably compromised vps servers. Overtaken by bots. Typical from OVH, not only from Canada.
