did facebook just DoS me?

Kurt Kraut listas at kurtkraut.net
Wed Apr 5 00:47:23 UTC 2017


Hello Mr. Mata,


I'd like to register that you might not be the only one. At work, I deal with
DDoS on a daily basis. A pretty common UDP DDoS attack was hitting random
IPs of our autonomous system and I applied a bunch of rules to block it.
The rule had exceptions for content providers with high demand, like
Google, Facebook and Akamai. To my surprise, after I applied my DROP
rules, there was still a significant amount of traffic reaching the target
servers.

I performed some PCAPs and many IP addresses belonged to Facebook. At first I
thought: - 'Clever attacker. He guesses I could not be as severe as I am to
regular UDP traffic if the origin was Facebook and he deliberately spoofed
their IP address.'

But one of my colleagues quickly realized the incoming MAC ADDRESS was the
actual Facebook router we have a peering with at an internet exchange. So indeed
the traffic came from their network.

The UDP source IP address is not enough to draw this conclusion, but the
MAC ADDRESS was very convincing to me.


Best regards,


Kurt Kraut

2017-04-03 19:46 GMT-03:00 Miguel Mata <mmata at intercom.com.sv>:

> Guys and gals,
>
> just received a DoS from supposedly Facebook. Any contact or way of
> getting in touch with them?
>
> Thanks.
>
>
>
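
The check described in the message above (a UDP source IP can be spoofed, while the source MAC of the frame identifies the adjacent router that handed it over at the exchange), as an added example that is not part of the original post: it tallies the source MACs of UDP frames claiming a given source prefix in a classic pcap. The prefix, MAC addresses and capture are constructed placeholders, and the helper names are hypothetical.

```python
import ipaddress
import struct
from collections import Counter

def udp_src_macs(pcap: bytes, claimed_net: str) -> Counter:
    """Count source MACs of IPv4/UDP frames whose source IP is in claimed_net."""
    net = ipaddress.ip_network(claimed_net)
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    macs, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need Ethernet (14) + minimal IPv4 header (20); VLAN-tagged frames are skipped.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        if frame[14] >> 4 != 4 or frame[23] != 17:  # IPv4 carrying protocol 17 (UDP)
            continue
        if ipaddress.ip_address(frame[26:30]) in net:
            macs[frame[6:12].hex(":")] += 1  # layer-2 sender = adjacent router
    return macs

def _frame(src_mac: str, src_ip: str, proto: int = 17) -> bytes:
    """Build one constructed Ethernet/IPv4 frame with an 8-byte UDP-sized payload."""
    eth = bytes.fromhex("02000000ff00" + src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address("198.51.100.10").packed)
    return eth + ip + struct.pack("!HHHH", 53000, 9999, 8, 0)

def sample_pcap() -> bytes:
    """Constructed capture: placeholder MACs and documentation-range addresses."""
    peer, transit = "02:00:00:00:00:01", "02:00:00:00:00:02"
    frames = [_frame(peer, "203.0.113.5"), _frame(peer, "203.0.113.6"),
              _frame(peer, "203.0.113.7"), _frame(transit, "203.0.113.8"),
              _frame(transit, "192.0.2.5"), _frame(peer, "203.0.113.9", proto=6)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for mac, n in udp_src_macs(sample_pcap(), "203.0.113.0/24").most_common():
        print(mac, n)
```

Frames that carry the claimed prefix but arrive from a MAC other than the peer's exchange-facing router did not come over that peering, which is the distinction the message draws.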


