Re: Facebook & Traceroute

[Christopher Morrow <morrowc.lists () gmail com>]

On Wed, Mar 9, 2016 at 10:53 PM, Sam Norris <Sam () sandiegobroadband com> wrote:
> Why does Facebook spoof the source IP address of the hop before this server?
> They spoof the source IP address that is performing the traceroute.
>
> 66.220.156.68
>
> ---
>  7  FACEBOOK-IN.ear1.Atlanta2.Level3.net (4.16.185.58)  51.736 ms  51.678 ms
> 52.075 ms
>  8  ae2.bb01.atl1.tfbnw.net (74.119.78.214)  51.636 ms  51.584 ms  51.720 ms
>  9  be36.bb01.frc3.tfbnw.net (31.13.26.199)  58.669 ms ae4.bb05.frc3.tfbnw.net
> (31.13.27.129)  61.085 ms ae16.bb06.frc3.tfbnw.net (74.119.76.117)  59.731 ms
> 10  ae5.bb04.iad3.tfbnw.net (31.13.26.57)  111.338 ms ae7.bb04.iad3.tfbnw.net
> (31.13.31.245)  110.007 ms  110.015 ms
> 11  ae9.dr07.ash3.tfbnw.net (31.13.29.29)  68.692 ms ae10.dr08.ash2.tfbnw.net
> (31.13.28.207)  67.846 ms ae12.dr08.ash3.tfbnw.net (31.13.29.191)  68.629 ms
> 12  * * *
> 13  * * *
> 14  8.25.38.1 (who)  68.571 ms  68.718 ms  68.132 ms
> 15  edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68)  67.903 ms  67.752
> ms  68.071 ms
> ---
>
> Hop 14 is the source ip of the traceroute which is forged. This essentially
> makes hop 14 reply using the same ip for src and dst.

maybe their loadbalancer is a little wonky? (I don't see this in
traceroutes from a few places, but I also don't end up at IAD for
'www.facebook.com' traceroutes... here's my last 4 hops though to the
dest-ip you had:

.13.28.75)  0.597 ms ae0.dr08.ash2.tfbnw.net (31.13.26.235)  0.576 ms
 8  * * *
 9  * * *
10  * * *
11  edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68)  0.774 ms
0.755 ms  0.701 ms