For the billions out there still wasting time on Facebook: Enjoy your increased productivity while many Facebook properties (Facebook, Instagram, WhatsApp) are down.

Here is a quick view of what may have happened.

1. Does facebook.com resolve?

    % host facebook.com
    facebook.com has address 31.13.79.35
    facebook.com has IPv6 address 2a03:2880:f141:82:face:b00c:0:25de
    facebook.com mail is handled by 2560 smtpin.vvv.facebook.com.

    % host www.facebook.com
    www.facebook.com is an alias for star-mini.c10r.facebook.com.
    star-mini.c10r.facebook.com has address 31.13.88.35
    star-mini.c10r.facebook.com has IPv6 address 2a03:2880:f138:83:face:b00c:0:25de

Yes! (at least for me, it does). But was that just a cached response? Let's follow the DNS chain.

2. What is the NS record for facebook.com according to the .com zone? (abbreviated output)

3. Let's use one of these NS records

    % dig NS facebook.com @129.134.30.12

    ; <<>> DiG 9.10.6 <<>> NS facebook.com @129.134.30.12
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

4. So let's see why we can't reach these servers

    % traceroute 129.134.30.12
    traceroute to 129.134.30.12 (129.134.30.12), 64 hops max, 52 byte packets
     1  [redacted]  0.628 ms  0.159 ms  0.101 ms
     2  [redacted]  2.333 ms  1.715 ms  1.706 ms
     3  96.120.21.201 (96.120.21.201)  9.123 ms  10.691 ms  10.338 ms
     4  96.110.66.37 (96.110.66.37)  9.254 ms  8.754 ms  10.311 ms
     5  ae-13-ar02.westside.fl.jacksvil.comcast.net (68.86.168.1)  9.332 ms  11.930 ms  9.746 ms
     6  be-33622-cs02.56marietta.ga.ibone.comcast.net (96.110.43.117)  23.797 ms
     7  be-2112-pe12.56marietta.ga.ibone.comcast.net (96.110.33.178)  24.322 ms
     8  * * *

So Comcast doesn't know how to reach Facebook. Well... BGP should tell them.

5. Let's check with a BGP Looking Glass

    show router bgp routes 129.134.0.0/16 ipv4 hunt
    ===============================================================================
     BGP Router ID:4.69.178.225 AS:3356 Local AS:3356
    ===============================================================================
     Legend -
     Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
                    l - leaked, x - stale, > - best, b - backup, p - purge
     Origin codes : i - IGP, e - EGP, ? - incomplete
    ===============================================================================
    BGP IPv4 Routes
    ===============================================================================
    No Matching Entries Found.
    ===============================================================================

So looks like the route is gone. Oh well. Enjoy while it lasts.

---
Johannes 4479 Posts ISC Handler Oct 4th 2021

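The diary's evidence chain (resolver answers, authoritative name server times out, no route for its address) can be turned into a small triage check. This is an added example, not code from the diary or from ISC; the function names and both route tables are constructed for illustration, and it tests whether any prefix contains the name server address rather than reproducing a looking-glass prefix query.

```python
import ipaddress

# Constructed sample tables (not real looking-glass data). The only values taken
# from the page are the name server address 129.134.30.12 and the prefix
# 129.134.0.0/17 that appears in the later looking-glass output.
RIB_DURING = ["4.0.0.0/9", "96.110.0.0/16"]
RIB_AFTER = RIB_DURING + ["129.134.0.0/17"]


def covering_routes(addr, rib):
    """Return the prefixes in rib that contain addr, most specific first."""
    ip = ipaddress.ip_address(addr)
    nets = (ipaddress.ip_network(p) for p in rib)
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return sorted(hits, key=lambda n: n.prefixlen, reverse=True)


def triage(resolver_answered, ns_answered, rib):
    """Name the failing layer from the three observations.

    ns_answered maps each authoritative NS address to True (replied)
    or False (query timed out).
    """
    if any(ns_answered.values()):
        return "authoritative DNS reachable"
    # Every authoritative server is silent: is it routing or the DNS service?
    unrouted = sorted(a for a in ns_answered if not covering_routes(a, rib))
    if unrouted:
        verdict = "routing: no BGP route covers " + ", ".join(unrouted)
    else:
        verdict = "DNS service: routes exist but name servers do not answer"
    if resolver_answered:
        # A recursive answer with no reachable authority points at a cache hit.
        verdict += " (resolver answer likely came from cache)"
    return verdict


if __name__ == "__main__":
    print(triage(True, {"129.134.30.12": False}, RIB_DURING))
    print(triage(True, {"129.134.30.12": True}, RIB_AFTER))
```
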
Great post, would have been nice to include an example of the expected BGP looking glass response, but, good stuff. Thanks.
Anonymous
Oct 4th 2021 7 months ago

I probably should do a BGP looking glass diary one of these days.
Johannes 4479 Posts ISC Handler
Oct 4th 2021 7 months ago

Johannes, could you follow up with samples now that they are coming back online?
Taxmanhog 8 Posts
Oct 4th 2021 7 months ago

Partial current response

    show route protocol bgp 129.134.0.0/16 detail

    inet.0: 978837 destinations, 4534922 routes (978704 active, 0 holddown, 50386 hidden)
    129.134.0.0/17 (6 entries, 1 announced)
            *BGP    Preference: 170/-87
                    Next hop type: Indirect, Next hop index: 0
                    Address: 0xb1f8e5c
                    Next-hop reference count: 220325
                    Source: 4.69.182.167
                    Next hop type: Router, Next hop index: 11388
                    Next hop: 4.69.218.181 via ae0.11, selected
                    Label element ptr: 0xae62f80
                    Label parent element ptr: 0x0
                    Label element references: 2
                    Label element child references: 1
                    Label element lsp id: 0
                    Session Id: 0x2e1
                    Protocol next hop: 4.69.182.167
                    Indirect next hop: 0xb114700 2097160 INH Session ID: 0x30f
                    State:
                    Local AS: 3356 Peer AS: 3356
                    Age: 1w6d 13:26:59 Metric: 100000 Metric2: 20
                    Validation State: unverified
                    Task: BGP_3356.4.69.182.167+179
                    Announcement bits (5): 0-KRT 9-BGP_RT_Background 10-Resolve tree 4 11-RT 12-Resolve tree 5
                    AS path: 32934 I
                    Communities: 3356:3 3356:86 3356:575 3356:666 3356:2006 3356:2016 3356:11222 3356:12189 3549:600 65000:64980 65000:64987
                    Accepted
                    Localpref: 86
                    Router ID: 4.69.182.167

Johannes 4479 Posts ISC Handler
Oct 4th 2021 7 months ago

In case anyone was looking for a looking glass, Verizon provides one here: https://enterprise.verizon.com/why-verizon/looking-glass/.
Of course, there are lots of others: https://www.bgp4.as/looking-glasses
Happy quiet day, all (with less social fog)... ;0)
netizenden 1 Posts
Oct 5th 2021 7 months ago

May it be an attack?
coolmann 1 Posts
Oct 5th 2021 7 months ago

Thanks Johannes, this is a really useful and clear breakdown. One quick question - was there any particular reason you opted to dig NS facebook.com @h.gtld-servers.net as opposed to any of the others? Thanks
Anonymous
Oct 5th 2021 7 months ago

Thank you Johannes for the troubleshooting details (and also for your great podcast series!)
Hard to see if it was part of an attack when the route just simply stopped being advertised to the provider, unless the Facebook edge routers went down due to DDoS or some other service denial attack.
Anonymous
Oct 5th 2021 7 months ago