How to use OVH as an anti-DDOS provider?

It’s a very strange use case, but sometimes it can save time and money.

The big picture about the attack

You have a few dedicated servers (not at OVH) and they are getting DDOS attacks.
First, you call your provider and pay for anti-DDOS protection, but it is not effective enough.
What can you do?

OVH to clean ingress

It’s extraordinary, but OVH has two anti-DDOS technologies that work very well: Arbor Networks and Tilera.
This combination is very powerful at killing a DDOS.

What can we do?

It’s a strange but working solution:

  • We move all DNS entries (toto.domain.tld) to the OVH IP
  • iptables on the OVH server DNATs the incoming traffic to your dedicated server (not OVH)
  • the client receives the reply generated by your dedicated server (not OVH)


We need to activate IP Forwarding


# enable forwarding right now
sysctl -w net.ipv4.ip_forward=1
# and persist it across reboots (the key is net.ipv4.ip_forward, with a dot)
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/forwarding.conf


Now, it’s time to do MASQUERADING for output traffic

iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE


This is where the magic happens:

iptables -t nat -A PREROUTING -d IP_OVH -j DNAT --to-destination IP_NOT_OVH


We need the iptables rules to survive a reboot:

apt-get install iptables-persistent -y
# save the rules currently loaded so they are restored at boot
netfilter-persistent save
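The steps above, put together as a single script. This is an added example, not the author’s own script: the addresses 203.0.113.10 (OVH) and 198.51.100.20 (origin) are constructed placeholders from the TEST-NET ranges, the interface name eno1 and port 443 are assumptions, and everything is overridable through environment variables. It goes a little beyond the page in three ways a practitioner would want: it validates the IPs before touching the firewall, it restricts the DNAT to one TCP port instead of forwarding everything that reaches the OVH address, and it adds the FORWARD-chain rules that are needed when the OVH host's default FORWARD policy is DROP. It runs in dry-run mode by default (printing the commands instead of executing them), so it can be reviewed without root.

```shell
#!/bin/sh
# Added example: set up an OVH host as a DNAT/MASQUERADE front for an origin server.
# Defaults are constructed placeholders; override them with environment variables.
set -eu

OVH_IP="${OVH_IP:-203.0.113.10}"          # constructed: public IP of the OVH host
BACKEND_IP="${BACKEND_IP:-198.51.100.20}" # constructed: real (non-OVH) origin server
WAN_IF="${WAN_IF:-eno1}"                  # assumed interface name on the OVH host
PORT="${PORT:-443}"                       # assumed service port to forward
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute them

# Accept only a dotted quad with every octet in 0..255; return 1 otherwise.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet; do
    [ "$octet" -ge 0 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Write the persistent sysctl setting to the file given as $1.
persist_forwarding() {
  printf 'net.ipv4.ip_forward = 1\n' > "$1"
}

# Emit (or apply) the forwarding and NAT rules for one TCP port.
plan_rules() {
  is_ipv4 "$OVH_IP"     || { echo "invalid OVH_IP: $OVH_IP" >&2; return 1; }
  is_ipv4 "$BACKEND_IP" || { echo "invalid BACKEND_IP: $BACKEND_IP" >&2; return 1; }

  run sysctl -w net.ipv4.ip_forward=1

  # Rewrite the destination of client packets that arrive on the OVH address.
  run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$OVH_IP" -p tcp --dport "$PORT" \
      -j DNAT --to-destination "$BACKEND_IP:$PORT"

  # Allow the forwarded flow through FORWARD (needed if the policy is DROP),
  # and the return traffic of already-tracked connections.
  run iptables -A FORWARD -i "$WAN_IF" -d "$BACKEND_IP" -p tcp --dport "$PORT" \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Make the origin see the OVH host as the source, so its replies come back
  # through this host and conntrack can undo the DNAT before they reach the client.
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -d "$BACKEND_IP" -j MASQUERADE
}

# Dry run by default: prints the plan so it can be reviewed before DRY_RUN=0.
plan_rules
```

Because of the MASQUERADE rule, the origin server sees every connection as coming from the OVH address and its replies travel back through the OVH host; without it the origin would answer the client directly with a source address the client never talked to, and the client's kernel would discard the reply. Two consequences follow for the defender: the origin's logs no longer carry the real client IP, and the origin must firewall its service port to accept only the OVH host, because the whole scheme relies on the origin address never being reachable directly.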


It’s not a magic solution, but it can help. In addition, don’t forget to harden your kernel and the rest of your configuration so the server survives.

You may also be interested in: Migration to nftables: from ipset and bogons