nanog mailing list archives

Why would a Facebook device be sending Spi packets at home user ?


From: "Mr. James W. Laferriere" <babydr () baby-dragons com>
Date: Sun, 17 Mar 2013 14:34:08 -0800 (AKDT)

        Hello All ,
        Maybe I am missing (or have missed) something .

        Here is the log entry & dig & whois info .  Just kinda interested in info on this phenomenon .

I've received many SPI assoc. requests at my poor ol' router over the few years it's been online , Most of them are from S.E. Asia & few from Africa others from EU , But by & far most of them are USA based Webservers by their dig & whois info . A very small few are from org's such as FB . I usually just ignore these as some fluke or if I know a contact at the site I send them the info .

 1 )    Is there an organization that is mapping unsecured ipsec boxen ?
 2 )    Has or is anyone else receiving attempts at establishing association ?
 3 )    Is anyone recording these or interested in keeping records ?
 4 )    Anything else I would be interested in along the lines of assoc. attempts & why they are being attempted ?

                Tia ,  JimL


Mar 17 21:48:47.637: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.yy.zz.aa, 
prot=50, spi=0xE3488400(3813180416), srcaddr=69.171.255.12


$ dig -x 69.171.255.12

; <<>> DiG 9.9.1-P3 <<>> -x 69.171.255.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36105
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;12.255.171.69.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
255.171.69.in-addr.arpa. 3600 IN SOA a.ns.facebook.com. dns.facebook.com. 1363497425 7200 1800 604800 3600

;; Query time: 528 msec
;; SERVER: 199.33.245.55#53(199.33.245.55)
;; WHEN: Sun Mar 17 14:14:40 2013
;; MSG SIZE  rcvd: 112



$ whois 69.171.255.12
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 69.171.255.12"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=69.171.255.12?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       69.171.224.0 - 69.171.255.255
CIDR:           69.171.224.0/19
OriginAS:       AS32934
NetName:        TFBNET3
NetHandle:      NET-69-171-224-0-1
Parent:         NET-69-0-0-0-0
NetType:        Direct Assignment
RegDate:        2010-08-05
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-69-171-224-0-1

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 Willow Rd.
City:           Menlo Park
StateProv:      CA
PostalCode:     94025
Country:        US
RegDate:        2004-08-11
Updated:        2012-04-17
Ref:            http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle: OPERA82-ARIN
OrgTechName:   Operations
OrgTechPhone:  +1-650-543-4800
OrgTechEmail:  noc () fb com
OrgTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  noc () fb com
OrgAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


-- 
+------------------------------------------------------------------+
| James   W.   Laferriere | System    Techniques | Give me VMS     |
| Network&System Engineer | 3237     Holden Road |  Give me Linux  |
| babydr () baby-dragons com | Fairbanks, AK. 99709 |   only  on  AXP |
+------------------------------------------------------------------+
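
For keeping records of these events, as question 3 in the message asks, here is an added example (not part of the original message) that parses `%CRYPTO-4-RECVD_PKT_INV_SPI` entries, including ones an archive or terminal has wrapped across two lines, and tallies them per source address. The first sample entry is the one quoted in the message; the other two, their documentation addresses, and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Sample input. Entry 1 is the one quoted in the message (destination redacted
# there, line wrapped); entries 2 and 3 are constructed for illustration.
SAMPLE_LOG = """\
Mar 17 21:48:47.637: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.yy.zz.aa,
prot=50, spi=0xE3488400(3813180416), srcaddr=69.171.255.12
Mar 17 22:01:02.113: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.5, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.10
Mar 17 22:01:09.870: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.5, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.10
"""

# [^%]*? and \s* both cross newlines, so a wrapped entry still matches,
# but a match can never run into the next entry's %CRYPTO tag.
ENTRY = re.compile(
    r"(?P<when>\w{3}\s+\d+\s+[\d:.]+):\s+%CRYPTO-4-RECVD_PKT_INV_SPI:[^%]*?"
    r"destaddr=(?P<dst>[^,\s]+),\s*prot=(?P<prot>\d+),\s*"
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\),\s*"
    r"srcaddr=(?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse_entries(text):
    """Return one dict per invalid-SPI log entry found in text."""
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        e["prot"] = int(e["prot"])          # 50 is ESP
        e["spi"] = int(e["spi_hex"], 16)
        # The SPI is logged in hex and decimal; a mismatch means a damaged line.
        e["consistent"] = e["spi"] == int(e["spi_dec"])
        entries.append(e)
    return entries

def summarize_by_source(entries):
    """Group entries by source address: count, distinct SPIs, first/last seen."""
    summary = defaultdict(lambda: {"count": 0, "spis": set(), "first": None, "last": None})
    for e in entries:
        s = summary[e["src"]]
        s["count"] += 1
        s["spis"].add(e["spi"])
        s["first"] = s["first"] or e["when"]
        s["last"] = e["when"]
    return dict(summary)

if __name__ == "__main__":
    for src, s in summarize_by_source(parse_entries(SAMPLE_LOG)).items():
        spis = ", ".join(f"0x{v:08X}" for v in sorted(s["spis"]))
        print(f"{src}: {s['count']} packet(s), SPIs {spis}, {s['first']} to {s['last']}")
```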

