Did Facebook just DoS me?

Guys and gals,

Just received a DoS from supposedly Facebook. Any contact or way of getting in touch with
them?

Thanks.

Any proof that you can provide that Facebook did indeed DoS you? Unless
it is an attack after a TCP 3-way handshake I highly doubt that it was
actually Facebook and probably an attacker spoofing Facebook's source IPs
(perhaps in hopes that the source IPs would be on your whitelist and not
be blocked).

Rich Compton | Principal Eng | 314.596.2828
14810 Grasslands Dr, Englewood, CO 80112

On 4/3/17, 4:46 PM, "NANOG on behalf of Miguel Mata"

It might have been even more innocent than that. There are some really
crappy consumer-grade firewalls out there that say "DoS Attack" any time
they receive an unexpected packet. This most commonly occurs when the
device reboots (power outage) and a live TCP connection sends a keepalive
or a RST. The end result is a flood of emails from customers to the abuse@
address of every major web company. I'd love to track down the
manufacturers of these devices and get them to stop their fearmongering....

Damian

Hello Mr. Mata,

I'd like to register you might not be the only one. At work, I deal with
DDoS on a daily basis. A pretty common UDP DDoS attack was hitting random
IPs of our autonomous system and I applied a bunch of rules to block it.
The rule had exceptions for content providers with high demand, like
Google, Facebook and Akamai. To my surprise, after I applied my DROP
rules, there was still a significant amount of traffic reaching the target
servers.

I performed some PCAPs and many IP addresses belonged to Facebook. At first I
thought: - 'Clever attacker. He guesses I could not be as severe as I am to
regular UDP traffic if the origin was Facebook and he deliberately spoofed
their IP address.'

But one of my colleagues quickly realized the incoming MAC ADDRESS was that of the
actual Facebook router we have a peering with at an internet exchange. So indeed
the traffic came from their network.

The UDP source IP address is not enough to draw this conclusion, but the
MAC ADDRESS was very convincing to me.

Best regards,

Kurt Kraut
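
The check described in the message above, as an added example that is not part of the original thread: group captured UDP packets by the layer-2 sender (source MAC) and the claimed source IP, so a source IP that arrives from more than one neighbor stands out. The MAC table, addresses and the capture itself are constructed values; only classic little-endian pcap with untagged Ethernet frames is handled.

```python
import socket
import struct
from collections import Counter

# Assumption: MAC of the peer's router port, taken from your own IX peering records (constructed value).
PEER_MACS = {"02:00:00:00:fb:01": "peer router on IX LAN"}

def frames(pcap: bytes):
    """Yield raw Ethernet frames from a classic little-endian pcap byte string."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        yield pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len

def attribute(pcap: bytes, peer_macs=PEER_MACS) -> Counter:
    """Count untagged IPv4/UDP packets per (layer-2 sender, claimed source IP)."""
    seen = Counter()
    for f in frames(pcap):
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 17:
            continue  # not IPv4/UDP (802.1Q-tagged frames are skipped here)
        mac = ":".join(f"{b:02x}" for b in f[6:12])
        seen[(peer_macs.get(mac, "unknown " + mac), socket.inet_ntoa(f[26:30]))] += 1
    return seen

def sample_pcap() -> bytes:
    """Constructed capture: one source IP arriving from two different layer-2 senders."""
    def frame(src_mac: str, src_ip: str) -> bytes:
        eth = bytes.fromhex("020000000001" + src_mac.replace(":", "") + "0800")
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton("198.51.100.10"))
        return eth + ip + struct.pack("!HHHH", 1900, 40000, 8, 0)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for mac in ("02:00:00:00:fb:01", "02:00:00:00:fb:01", "02:00:00:00:aa:02"):
        f = frame(mac, "192.0.2.10")
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (sender, ip), n in attribute(sample_pcap()).items():
        print(f"{n:4d} packets  src_ip={ip}  delivered_by={sender}")
```

The source MAC only identifies the adjacent device that put the frame on the shared segment, which is why it is useful on an exchange LAN where each peer's router has a known MAC.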

one wonders if this is the new (ish?) Streaming thingy they launched?

Hello Christopher,

I hardly believe it. IP addresses not allocated to servers were receiving
attack, a whole /22 was attacked and it was solely used for servers
(including IP addresses not allocated to devices), not for computers with
user interface or mobile devices that could actually use Facebook. And if I
recall it correctly, it was an SSDP amplification attack.

Best regards,

Kurt Kraut

oh so some mis-config in their network/policy and exploitation by other
folks :( bummer.

Exactly

If you've got a bilateral peering session with Facebook, presumably you have
some sort of technical contact there that you can reach out to and ask
"WTF?". That would seem to be a good first step.

- Matt