Exactly

--
Onward!, Jason Hellenthal, Systems & Network Admin, Mobile: 0x9CA0BD58, JJH48-ARIN

On Apr 4, 2017, at 20:15, Christopher Morrow <morrowc.lists@gmail.com> wrote:

On Tue, Apr 4, 2017 at 7:03 PM, Kurt Kraut <listas@kurtkraut.net> wrote:
Hello Christopher,
I hardly believe it. IP addresses not allocated to servers were receiving the attack, a whole /22 was attacked and it was solely used for servers (including IP addresses not allocated to devices), not for computers with a user interface or mobile devices that could actually use Facebook. And if I recall correctly, it was an SSDP amplification attack.
oh so some mis-config in their network/policy and exploitation by other folks :( bummer.
Best regards,
Kurt Kraut
2017-04-04 21:58 GMT-03:00 Christopher Morrow <morrowc.lists@gmail.com>:
On Tue, Apr 4, 2017 at 6:47 PM, Kurt Kraut <listas@kurtkraut.net> wrote:
I performed some PCAPs and many IP addresses belonged to Facebook. At first I thought: - 'Clever attacker. He guesses I could not be as severe as I am to regular UDP traffic if the origin was Facebook and he deliberately spoofed their IP address.'
But one of my colleagues quickly realized the incoming MAC address was the actual Facebook router we have a peering with at an internet exchange. So indeed the traffic came from their network.
one wonders if this is the new (ish?) Streaming thingy they launched?
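
The check described in this thread, as an added example that is not part of any poster's message: a source IP can be spoofed, but on a shared exchange LAN the source MAC of each frame identifies the neighbouring router that delivered it. The peer MAC table, peer names, addresses and sample frames below are constructed assumptions.

```python
import struct
from collections import Counter

# Assumed table (constructed values): MACs of neighbouring routers on the exchange LAN.
PEER_ROUTERS = {"02:00:00:00:00:fb": "peer-A", "02:00:00:00:00:22": "transit-B"}
SSDP_PORT = 1900  # SSDP replies used for amplification carry UDP source port 1900

def parse_frame(frame):
    """Return (src_mac, src_ip, udp_sport) for an untagged IPv4/UDP frame, else None."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17:
        return None  # not IPv4 or not UDP
    (frag,) = struct.unpack("!H", frame[20:22])
    if frag & 0x1FFF or len(frame) < 14 + ihl + 8:
        return None  # later fragments carry no UDP header
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ".".join(str(b) for b in frame[26:30])
    (sport,) = struct.unpack("!H", frame[14 + ihl:16 + ihl])
    return src_mac, src_ip, sport

def ssdp_by_neighbour(frames):
    """Count SSDP-sourced frames per delivering router, keyed by peer name."""
    counts = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[2] == SSDP_PORT:
            counts[PEER_ROUTERS.get(parsed[0], "unknown:" + parsed[0])] += 1
    return counts

def build_frame(src_mac, src_ip, sport, dst_ip="198.51.100.7", dport=40000):
    """Construct a minimal Ethernet/IPv4/UDP frame for the demo (checksums zero)."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    payload = b"HTTP/1.1 200 OK\r\n"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp

# Constructed sample capture: the source IPs alone say nothing about the path taken.
SAMPLE = [build_frame("02:00:00:00:00:fb", "192.0.2.10", 1900),
          build_frame("02:00:00:00:00:fb", "192.0.2.11", 1900),
          build_frame("02:00:00:00:00:22", "192.0.2.12", 1900),
          build_frame("02:00:00:00:00:fb", "192.0.2.13", 53),
          build_frame("02:00:00:00:00:99", "192.0.2.14", 1900)]

if __name__ == "__main__":
    for neighbour, n in ssdp_by_neighbour(SAMPLE).most_common():
        print(neighbour, n)
```

A match on the peer's MAC shows the frames entered through that peer's router; it does not by itself show which host behind that router originated them.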