Guys and gals, just received a DoS from supposedly Facebook. Any contact or way of getting in touch with them? Thanks.
Any proof that you can provide that Facebook did indeed DoS you? Unless it is an attack after a TCP 3-way handshake I highly doubt that it was actually Facebook and probably an attacker spoofing Facebook's source IPs (perhaps in hopes that the source IPs would be on your whitelist and not be blocked).
Rich Compton | Principal Eng | 314.596.2828 14810 Grasslands Dr, Englewood, CO 80112
On 4/3/17, 4:46 PM, "NANOG on behalf of Miguel Mata" <nanog-bounces@nanog.org on behalf of mmata@intercom.com.sv> wrote:
Guys and gals,
just received a DoS from supposedly Facebook. Any contact or way of getting in touch with them?
Thanks.
It might have been even more innocent than that. There are some really crappy consumer-grade firewalls out there that say "DoS Attack" any time they receive an unexpected packet. This most commonly occurs when the device reboots (power outage) and a live TCP connection sends a keepalive or a RST. The end result is a flood of emails from customers to the abuse@ address of every major web company. I'd love to track down the manufacturers of these devices and get them to stop their fearmongering....
Damian
On Tue, Apr 4, 2017 at 9:35 AM, Compton, Rich A <Rich.Compton@charter.com> wrote:
Any proof that you can provide that Facebook did indeed DoS you? Unless it is an attack after a TCP 3-way handshake I highly doubt that it was actually Facebook and probably an attacker spoofing Facebook's source IPs (perhaps in hopes that the source IPs would be on your whitelist and not be blocked).
Hello Mr. Mata,
I'd like to register that you might not be the only one. At work, I deal with DDoS on a daily basis. A pretty common UDP DDoS attack was hitting random IPs of our autonomous system and I applied a bunch of rules to block it. The rule had exceptions for content providers with high demand, like Google, Facebook and Akamai. To my surprise, after I applied my DROP rules, there was still a significant amount of traffic reaching the target servers. I performed some PCAPs and many IP addresses belonged to Facebook. At first I thought: 'Clever attacker. He guesses I could not be as severe as I am to regular UDP traffic if the origin was Facebook and he deliberately spoofed their IP address.'
But one of my colleagues quickly realized the incoming MAC ADDRESS was the actual Facebook router we have a peering with at an internet exchange. So indeed the traffic came from their network. The UDP source IP address is not enough to draw this conclusion, but the MAC ADDRESS was very convincing to me.
Best regards,
Kurt Kraut
2017-04-03 19:46 GMT-03:00 Miguel Mata <mmata@intercom.com.sv>:
Guys and gals,
just received a DoS from supposedly Facebook. Any contact or way of getting in touch with them?
Thanks.
On Tue, Apr 4, 2017 at 6:47 PM, Kurt Kraut <listas@kurtkraut.net> wrote:
I performed some PCAPs and many IP addresses belonged to Facebook. At first I thought: 'Clever attacker. He guesses I could not be as severe as I am to regular UDP traffic if the origin was Facebook and he deliberately spoofed their IP address.'
But one of my colleagues quickly realized the incoming MAC ADDRESS was the actual Facebook router we have a peering with at an internet exchange. So indeed the traffic came from their network.
one wonders if this is the new (ish?) Streaming thingy they launched?
Hello Christopher,
I hardly believe it. IP addresses not allocated to servers were receiving the attack; a whole /22 was attacked and it was solely used for servers (including IP addresses not allocated to devices), not for computers with a user interface or mobile devices that could actually use Facebook. And if I recall it correctly, it was an SSDP amplification attack.
Best regards,
Kurt Kraut
2017-04-04 21:58 GMT-03:00 Christopher Morrow <morrowc.lists@gmail.com>:
On Tue, Apr 4, 2017 at 6:47 PM, Kurt Kraut <listas@kurtkraut.net> wrote:
one wonders if this is the new (ish?) Streaming thingy they launched?
On Tue, Apr 4, 2017 at 7:03 PM, Kurt Kraut <listas@kurtkraut.net> wrote:
Hello Christopher,
I hardly believe it. IP addresses not allocated to servers were receiving the attack; a whole /22 was attacked and it was solely used for servers (including IP addresses not allocated to devices), not for computers with a user interface or mobile devices that could actually use Facebook. And if I recall it correctly, it was an SSDP amplification attack.
oh so some mis-config in their network/policy and exploitation by other folks :( bummer.
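The check Kurt Kraut describes (peer source IP plus the ingress MAC of the peer's IX router), combined with the SSDP detail from his follow-up, as an added example that is not code from the thread or from any participant. Given packet summaries of the kind a pcap yields (source MAC, source IP, protocol, ports), it separates packets whose source address is in the peer's announced prefixes and that actually entered over the peer's IX port from packets that merely claim a peer address (the spoofing case Rich Compton raises), and it flags UDP source port 1900 from the peer's side as SSDP reflection. The prefixes, the peer MAC, the packet list and the helper names (in_peer_prefixes, triage, verdict) are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed for this example: prefixes the peer announces to us over the
# IX session (documentation ranges, not any real peer's address space).
PEER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# Constructed: MAC of the peer router's port on the exchange fabric, i.e.
# what our router's ARP/ND entry for the peer's IX address shows.
PEER_MAC = "00:11:22:aa:bb:cc"
SSDP_PORT = 1900

# Constructed packet summaries in the shape `tcpdump -e -nn` prints:
# (src_mac, src_ip, proto, sport, dport)
SAMPLE_PACKETS = [
    ("00:11:22:aa:bb:cc", "203.0.113.7", "udp", 1900, 40123),   # SSDP reply via peer port
    ("00:11:22:aa:bb:cc", "203.0.113.9", "udp", 1900, 40123),
    ("00:11:22:aa:bb:cc", "198.51.100.3", "udp", 1900, 40123),
    ("de:ad:be:ef:00:01", "203.0.113.7", "udp", 1900, 40123),   # peer IP, but via a transit port
    ("de:ad:be:ef:00:01", "192.0.2.50", "udp", 53, 40123),      # unrelated DNS reflection
    ("00:11:22:aa:bb:cc", "203.0.113.20", "tcp", 443, 51000),   # ordinary HTTPS from the peer
]


def in_peer_prefixes(ip):
    """True if ip falls inside any prefix the peer announces to us."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PEER_PREFIXES)


def triage(packets, peer_mac=PEER_MAC):
    """Count how packets claiming the peer's addresses actually reached us.

    A source IP alone proves nothing (it can be spoofed); source IP *and* the
    ingress MAC of the peer's IX router together show the frame came over the
    peering session. Returns (Counter, sorted list of SSDP responders in the
    peer's network seen over the peer port).
    """
    stats = Counter()
    reflectors = set()
    for src_mac, src_ip, proto, sport, _dport in packets:
        claims_peer = in_peer_prefixes(src_ip)
        via_peer_port = src_mac.lower() == peer_mac.lower()
        if claims_peer and via_peer_port:
            stats["peer_ip_via_peer_port"] += 1
            if proto == "udp" and sport == SSDP_PORT:
                stats["ssdp_from_peer_port"] += 1
                reflectors.add(src_ip)
        elif claims_peer:
            stats["peer_ip_via_other_port"] += 1
        else:
            stats["other"] += 1
    return stats, sorted(reflectors)


def verdict(stats):
    """Short label for the abuse ticket, derived from triage() counters."""
    if stats.get("ssdp_from_peer_port", 0):
        # The peer's hosts answered SSDP toward us: they are reflectors, and the
        # real attacker spoofed our address toward them. Contact the peer's NOC.
        return "reflected-via-peer"
    if stats.get("peer_ip_via_peer_port", 0):
        return "from-peer"
    if stats.get("peer_ip_via_other_port", 0):
        # Peer addresses only ever arrived on non-peer ports: spoofed.
        return "spoofed"
    return "none"


if __name__ == "__main__":
    counters, responders = triage(SAMPLE_PACKETS)
    print(dict(counters), verdict(counters), responders)
```

On a real capture the summaries come from `tcpdump -e -nn` (the -e flag prints link-layer addresses) and the peer MAC from your router's ARP or ND table for the peer's IX address. The MAC match shows only that the frames entered on the peer's port; with UDP source port 1900 the hosts behind that port are reflectors, so the ticket to the peer is "your SSDP responders are open to the Internet", not "you are attacking us".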
Exactly
--
Onward!, Jason Hellenthal, Systems & Network Admin, Mobile: 0x9CA0BD58, JJH48-ARIN
On Apr 4, 2017, at 20:15, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Tue, Apr 4, 2017 at 7:03 PM, Kurt Kraut <listas@kurtkraut.net> wrote:
Hello Christopher,
I hardly believe it. IP addresses not allocated to servers were receiving the attack; a whole /22 was attacked and it was solely used for servers (including IP addresses not allocated to devices), not for computers with a user interface or mobile devices that could actually use Facebook. And if I recall it correctly, it was an SSDP amplification attack.
oh so some mis-config in their network/policy and exploitation by other folks :( bummer.
On Tue, Apr 04, 2017 at 09:47:23PM -0300, Kurt Kraut wrote:
But one of my colleagues quickly realized the incoming MAC ADDRESS was the actual Facebook router we have a peering with at an internet exchange. So indeed the traffic came from their network.
If you've got a bilateral peering session with Facebook, presumably you have some sort of technical contact there that you can reach out to and ask "WTF?". That would seem to be a good first step. - Matt
participants (7)
- Christopher Morrow
- Compton, Rich A
- Damian Menscher
- J. Hellenthal
- Kurt Kraut
- Matt Palmer
- Miguel Mata