[194324] in North American Network Operators' Group
Re: did facebook just DoS me?
daemon@ATHENA.MIT.EDU (J. Hellenthal)
Tue Apr 4 21:20:43 2017
From: "J. Hellenthal" <jhellenthal@dataix.net>
In-Reply-To: <CAL9jLabrQ+f-igWk7ED4p=g+KCatCsTenHCVh_fTkWCO4csNkQ@mail.gmail.com>
Date: Tue, 4 Apr 2017 20:20:38 -0500
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Exactly
--
Onward!,
Jason Hellenthal,
Systems & Network Admin,
Mobile: 0x9CA0BD58,
JJH48-ARIN
On Apr 4, 2017, at 20:15, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Tue, Apr 4, 2017 at 7:03 PM, Kurt Kraut <listas@kurtkraut.net> wrote:
> Hello Christopher,
>
>
> I hardly believe it. IP addresses not allocated to servers were receiving
> the attack, a whole /22 was attacked and it was solely used for servers
> (including IP addresses not allocated to devices), not for computers with
> user interface or mobile devices that could actually use Facebook. And if I
> recall it correctly, it was an SSDP amplification attack.
>
>
oh so some mis-config in their network/policy and exploitation by other
folks :( bummer.
>
> Best regards,
>
>
> Kurt Kraut
>
> 2017-04-04 21:58 GMT-03:00 Christopher Morrow <morrowc.lists@gmail.com>:
>
>>
>>
>>> On Tue, Apr 4, 2017 at 6:47 PM, Kurt Kraut <listas@kurtkraut.net> wrote:
>>>
>>>
>>> I performed some PCAPs and many IP addresses belonged to Facebook. At first I
>>> thought: - 'Clever attacker. He guesses I could not be as severe as I am to
>>> regular UDP traffic if the origin was Facebook and he deliberately spoofed
>>> their IP address.'
>>>
>>> But one of my colleagues quickly realized the incoming MAC ADDRESS was the
>>> actual Facebook router we have a peering at an internet exchange. So indeed
>>> the traffic came from their network.
>>>
>>
>> one wonders if this is the new (ish?) Streaming thingy they launched?
>>
>
>