[194323] in North American Network Operators' Group
Re: did facebook just DoS me?
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Apr 4 21:15:23 2017
X-Original-To: nanog@nanog.org
In-Reply-To: <CAPbn28=wsPi8OoVEVJg--fBFyho+WM6JoU0zweYGsQTwjg969A@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Tue, 4 Apr 2017 19:15:19 -0600
To: Kurt Kraut <listas@kurtkraut.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Tue, Apr 4, 2017 at 7:03 PM, Kurt Kraut <listas@kurtkraut.net> wrote:
> Hello Christopher,
>
>
> I hardly belive it. IP addresses not allocated to servers were receiving
> attack, a whole /22 was attacked and it was solely used for servers
> (including IP addresses not allocated to devices), not for computers with
> user interface or mobile devices that could actually use Facebook. And if I
> recall it correctly, it was SSDP amplification attack.
>
>
oh so some mis-config in their network/policy and exploitation by other
folks :( bummer.
>
> Best regards,
>
>
> Kurt Kraut
>
> 2017-04-04 21:58 GMT-03:00 Christopher Morrow <morrowc.lists@gmail.com>:
>
>>
>>
>> On Tue, Apr 4, 2017 at 6:47 PM, Kurt Kraut <listas@kurtkraut.net> wrote:
>>
>>>
>>> I perform some PCAPs I many IP addresses belonged to Facebook. At first I
>>> thought: - 'Clever attacker. He guesses I could not be as severe as I am
>>> to
>>> regular UDP traffic if the origin was Facebook and he deliberately
>>> spoofed
>>> their IP address.'
>>>
>>> But one of my collegues quickly realized the incoming MAC ADDRESS was the
>>> actual Facebook router we have a peering at a internet exchange. So
>>> indeed
>>> the traffic came from their network.
>>>
>>
>> one wonders if this is the new (ish?) Streaming thingy they launched?
>>
>
>
