On Wed, Mar 9, 2016 at 10:53 PM, Sam Norris <Sam@sandiegobroadband.com> wrote:
Why does Facebook spoof the source IP address of the hop before this server? They spoof the source IP address that is performing the traceroute.
66.220.156.68
---
 7 FACEBOOK-IN.ear1.Atlanta2.Level3.net (4.16.185.58) 51.736 ms 51.678 ms 52.075 ms
 8 ae2.bb01.atl1.tfbnw.net (74.119.78.214) 51.636 ms 51.584 ms 51.720 ms
 9 be36.bb01.frc3.tfbnw.net (31.13.26.199) 58.669 ms ae4.bb05.frc3.tfbnw.net (31.13.27.129) 61.085 ms ae16.bb06.frc3.tfbnw.net (74.119.76.117) 59.731 ms
10 ae5.bb04.iad3.tfbnw.net (31.13.26.57) 111.338 ms ae7.bb04.iad3.tfbnw.net (31.13.31.245) 110.007 ms 110.015 ms
11 ae9.dr07.ash3.tfbnw.net (31.13.29.29) 68.692 ms ae10.dr08.ash2.tfbnw.net (31.13.28.207) 67.846 ms ae12.dr08.ash3.tfbnw.net (31.13.29.191) 68.629 ms
12 * * *
13 * * *
14 8.25.38.1 (who) 68.571 ms 68.718 ms 68.132 ms
15 edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68) 67.903 ms 67.752 ms 68.071 ms
---
Hop 14 is the source IP of the traceroute, which is forged. This essentially makes hop 14 reply using the same IP for src and dst.
maybe their loadbalancer is a little wonky? (I don't see this in traceroutes from a few places, but I also don't end up at IAD for 'www.facebook.com' traceroutes... here's my last 4 hops though to the dest-ip you had:
.13.28.75) 0.597 ms ae0.dr08.ash2.tfbnw.net (31.13.26.235) 0.576 ms
 8 * * *
 9 * * *
10 * * *
11 edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68) 0.774 ms 0.755 ms 0.701 ms
On Wed, Mar 9, 2016 at 11:22 PM, Sam Norris <Sam@sandiegobroadband.com> wrote:
This is probably because you are properly filtering your own prefixes from being sourced outside coming in?
On Thu, Mar 10, 2016 at 9:35 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
unclear, that traceroute was from someplace I don't own the network for... from another place I do though...
 5 ae0.dr07.ash2.tfbnw.net (31.13.26.233) 4 ms ae0.dr05.ash3.tfbnw.net (31.13.29.21) 4 ms ae0.dr08.ash2.tfbnw.net (31.13.26.235) 2 ms
 6 * * *
 7 * * *
 8 * * *
 9 edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68) 3 ms 3 ms 2 ms
same-ish results, no spoofed bits.
https://atlas.ripe.net/measurements/3612424/#!probes
I did an Atlas measurement of 500 probes, 104 probes (21%) had their outside IP shown in traceroute. Some peers of AS32934 don't have ingress filtering. It seems all prefixes advertised by Facebook are ROA signed and valid though.
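A defender-side check for the behaviour Sam describes and the tally Yang Yu ran over Atlas probes: parse traceroute output, flag hops whose responder address is the tracing host's own public address, and compute the share of probes that see it. This is an added example, not code from the thread or from RIPE Atlas; the sample traces are constructed from the hops quoted in the thread, and 8.25.38.1 is assumed to be the original poster's public address, as the thread states.

```python
import ipaddress
import re

# Constructed sample: the tail of the traceroute quoted in the thread. Hop 14
# answers from the tracing host's own public address; 8.25.38.1 is assumed to
# be that address, as the original poster states.
SAMPLE_TRACE = """\
11 ae9.dr07.ash3.tfbnw.net (31.13.29.29) 68.692 ms ae10.dr08.ash2.tfbnw.net (31.13.28.207) 67.846 ms
12 * * *
13 * * *
14 8.25.38.1 (8.25.38.1) 68.571 ms 68.718 ms 68.132 ms
15 edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68) 67.903 ms 67.752 ms 68.071 ms
"""
# Constructed sample of a path that shows no such hop (hops as in the replies).
SAMPLE_CLEAN = """\
 5 ae0.dr07.ash2.tfbnw.net (31.13.26.233) 4 ms ae0.dr08.ash2.tfbnw.net (31.13.26.235) 2 ms
 6 * * *
 7 * * *
 8 * * *
 9 edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68) 3 ms 3 ms 2 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_traceroute(text):
    """Map hop number -> list of responder IPs; a hop that only timed out maps to []."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = ADDR_RE.findall(m.group(2))
    return hops

def self_sourced_hops(text, own_public_ip):
    """Hop numbers whose responder address equals the tracing host's own public
    address, i.e. an ICMP reply that did not carry the router's address as source."""
    own = ipaddress.ip_address(own_public_ip)
    return sorted(hop for hop, ips in parse_traceroute(text).items()
                  if any(ipaddress.ip_address(ip) == own for ip in ips))

def share_seeing_own_ip(results):
    """results: list of (probe_public_ip, traceroute_text). Returns (count, percent)
    of probes whose own address appears as a hop, the figure reported from the
    Atlas run in the thread (104 of 500). A probe only sees it when no network on
    the path dropped the spoofed source, so the share is a rough proxy for how
    many paths lack ingress filtering."""
    results = list(results)
    seen = sum(1 for ip, text in results if self_sourced_hops(text, ip))
    pct = round(100.0 * seen / len(results), 1) if results else 0.0
    return seen, pct
```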
On 03/09/2016 10:53 PM, Sam Norris wrote:
Why does Facebook spoof the source IP address of the hop before this server? They spoof the source IP address that is performing the traceroute.
...
(31.13.28.207) 67.846 ms ae12.dr08.ash3.tfbnw.net (31.13.29.191) 68.629 ms
12 * * *
13 * * *
14 8.25.38.1 (8.25.38.1) 68.571 ms 68.718 ms 68.132 ms
15 edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68) 67.903 ms 67.752 ms 68.071 ms
---
Hop 14 is the source IP of the traceroute, which is forged. This essentially makes hop 14 reply using the same IP for src and dst.
If intentional, I would speculate that this might be something to help their support staff by giving them confirmation of where the traceroute actually originated from in the public Internet view, given that the originator might actually be behind possibly several layers of NAT. The two missing hops could be a marker or perhaps other info that got eaten due to various source filters?
--
Brandon Martin
participants (5)
- Brandon Martin
- Christopher Morrow
- Doug Porter
- Sam Norris
- Yang Yu