[188149] in North American Network Operators' Group


Re: Facebook & Traceroute

daemon@ATHENA.MIT.EDU (Brandon Martin)
Wed Mar 9 23:16:30 2016

X-Original-To: nanog@nanog.org
Date: Wed, 09 Mar 2016 23:16:25 -0500
From: Brandon Martin <lists.nanog@monmotha.net>
To: nanog@nanog.org
In-Reply-To: <094c01d17a80$625debe0$2719c3a0$@SanDiegoBroadband.com>
Errors-To: nanog-bounces@nanog.org

On 03/09/2016 10:53 PM, Sam Norris wrote:
> Why does Facebook spoof the source IP address of the hop before this server?
> They spoof the source IP address that is performing the traceroute.
...
> (31.13.28.207)  67.846 ms ae12.dr08.ash3.tfbnw.net (31.13.29.191)  68.629 ms
> 12  * * *
> 13  * * *
> 14  8.25.38.1 (8.25.38.1)  68.571 ms  68.718 ms  68.132 ms
> 15  edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68)  67.903 ms  67.752
> ms  68.071 ms
> ---
>
> Hop 14 is the source ip of the traceroute which is forged. This essentially
> makes hop 14 reply using the same ip for src and dst.

If intentional, I would speculate that this might be something to help 
their support staff by giving them confirmation of where the traceroute 
actually originated from in the public Internet view given that the 
originator might actually be behind possibly several layers of NAT.  The 
two missing hops could be a marker or perhaps other info that got eaten 
due to various source filters?

-- 
Brandon Martin
