Cloudflare published a report of a massive DDOS attack, naming several well-known cloud hosting data centers as the origins of the attack. The attack appeared to follow a trend of attacks increasingly being launched from data centers instead of the traditional residential botnets.
The attack was described as among the largest ever seen:
“Earlier this month, Cloudflare’s systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack — one of the largest HTTPS DDoS attacks on record.”
DDOS
A Distributed Denial-of-Service (DDoS) attack is when thousands of Internet-connected devices make page requests at a rapid rate, which can result in the website server being unable to process requests for web pages, a condition known as a denial of service.
DDOS attacks generally come from what’s referred to as botnets.
Botnets
A botnet is a network of Internet-connected devices like routers, IoT devices, computers, websites and web hosting servers that are infected and put under control of hackers.
Residential ISP Botnets to Cloud-based Data Centers
The Cloudflare report noted that DDOS attacks are increasingly coming from cloud-based data centers instead of residential ISP botnets. This represents a change in tactics.
According to the Cloudflare DDOS attack report:
“What’s interesting is that the attack mostly came from data centers. We’re seeing a big move from residential network Internet Service Providers (ISPs) to cloud compute ISPs.”
Major Cloud Data Centers
Cloudflare named several cloud-based data centers as origins of the attack, two of which are already well known in the publishing community as common sources of spam and unwanted bot visitors.
The two biggest sources of this DDOS attack, according to Cloudflare’s data, were OVH and Hetzner.
Cloudflare offered these details:
“…the attack originated from over 1,300 different networks. The top networks included the German provider Hetzner Online GmbH (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), OVH in France (ASN 16276), as well as other cloud providers.”
OVH and Hetzner as Sources of Spam
In addition to being origins of DDOS attacks, OVH and Hetzner are known to be sources of spam-related attacks.
According to data from the SaaS spam protection service CleanTalk, spam bots comprise 10.97% of detected activity from IP addresses associated with OVH.
For Hetzner, CleanTalk detected 213,621 IP addresses as a source of traffic, and 14,997 (7.02%) of those IP addresses were associated with spam attacks.
While DDOS and spam attacks are two different things, these statistics are cited to show how both of those cloud data centers are used for a variety of malicious activity, not just for DDOS attacks.
A publisher over at WebmasterWorld Forum recently observed that they were experiencing more bot traffic from OVH than legitimate human traffic from known ISPs.
The WebmasterWorld member wrote in a forum post:
“Over the past 24 months, the web server logs across a dozen websites I manage have a high percentage of traffic coming from the OVH data center.
This traffic is coming in via numerous IP addresses assigned to OVH. Since the volume of traffic is dramatically larger than the traffic coming from legitimate ISPs (ATT, Verizon, Charter, Comcast, Shaw, etc), I have the impression that the traffic from OVH is due to bots/scrapers hosted at the OVH data center cloud servers.”
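The comparison the forum member describes, traffic volume per origin network, can be measured from access logs by mapping each client IP to its network. The sketch below is an added example, not code from the article, Cloudflare or the forum; the ASNs are the ones Cloudflare named, while the prefixes (RFC 5737 documentation ranges), the log lines and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# ASNs are the ones named in the Cloudflare quote. The prefixes are RFC 5737
# documentation ranges used as constructed stand-ins, not the providers' real
# address space; in practice load an IP-to-ASN dataset instead.
PREFIX_TO_ASN = {
    ipaddress.ip_network("192.0.2.0/24"): "AS24940 Hetzner Online GmbH",
    ipaddress.ip_network("198.51.100.0/24"): "AS16276 OVH",
    ipaddress.ip_network("203.0.113.0/24"): "AS262186 Azteca Comunicaciones Colombia",
}

# Constructed access-log lines (Common Log Format), one of them malformed.
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [10/May/2022:10:00:02 +0000] "GET /a HTTP/1.1" 200 512
192.0.2.15 - - [10/May/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2022:10:00:04 +0000] "GET / HTTP/1.1" 200 512
2001:db8::10 - - [10/May/2022:10:00:05 +0000] "GET / HTTP/1.1" 200 512
not-an-ip - - [10/May/2022:10:00:06 +0000] "GET / HTTP/1.1" 200 512
"""


def network_label(ip):
    """Map a parsed client address to its origin network, or 'other'."""
    for net, label in PREFIX_TO_ASN.items():
        if ip in net:  # False when IP versions differ
            return label
    return "other"


def share_by_network(log_text):
    """Return {network label: percent of valid requests} for a log."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            continue  # blank or malformed line: skip rather than miscount
        counts[network_label(ip)] += 1
    total = sum(counts.values())
    return {label: round(100 * n / total, 1) for label, n in counts.items()}


def dominant_networks(shares, threshold_pct):
    """List known hosting networks whose share meets the threshold."""
    return sorted(name for name, pct in shares.items()
                  if name != "other" and pct >= threshold_pct)
```

A high share from a hosting network is a signal to review that traffic (user agents, request rate, paths), not proof that every request from it is a bot.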
Unwanted bot traffic from OVH is such a common problem that when an OVH datacenter in France burned down a WebmasterWorld member practically applauded the event by posting:
“Looking on the bright side, our websites will have less bot traffic now.”
The question that perhaps needs asking is: why is there so much rogue bot traffic originating from OVH and Hetzner?
This isn’t something new, either. Webmaster and publisher complaints about bot traffic from OVH go back a long time.
These are examples of discussions on WebmasterWorld involving OVH:
- Am I Blocking This OVH IP Correctly? (2020)
- OVH Visitors – Genuine Or Not? (2013)
- Server Farms – August 2014
- Server Farms – Jan 2018
The above are forum discussions going back as far as 2013 where publishers and webmasters are complaining about rogue bot traffic from OVH.
In a WebmasterWorld forum discussion from 2015 titled Botnet sources, one forum member posted:
“RE: botnets, I’m more concerned with those who are false-clicking my advertisers (hosted, 3rd party & AdSense.)
However I’m sure there is a significant crossover to both categories, so those linked Spamhaus articles are a good read, thanks. Small surprise that OVH leads the pack!”
Given the long history of unwanted bot traffic from OVH and Hetzner, it’s not entirely surprising to see that they are now cited by Cloudflare as origins of a DDOS attack.
OVH and Hetzner Are Origins of Bots and DDOS Attacks
It’s well-documented by SaaS spam blocking services that OVH and Hetzner are sources of spam. Now we have documentation from Cloudflare that OVH and Hetzner cloud hosting services serve as origins of DDOS attacks.
Cloudflare identified the attacks as coming from a botnet on those cloud hosts. So that may mean that various servers were compromised.