On Wed, Mar 9, 2016 at 10:53 PM, Sam Norris <s...@sandiegobroadband.com> wrote:
> Why does Facebook spoof the source IP address of the hop before this server?
> They spoof the source IP address that is performing the traceroute.
>
> 66.220.156.68
>
> ---
> 7 FACEBOOK-IN.ear1.Atlanta2.Level3.net (4.16.185.58) 51.736 ms 51.678 ms
> 52.075 ms
> 8 ae2.bb01.atl1.tfbnw.net (74.119.78.214) 51.636 ms 51.584 ms 51.720 ms
> 9 be36.bb01.frc3.tfbnw.net (31.13.26.199) 58.669 ms ae4.bb05.frc3.tfbnw.net
> (31.13.27.129) 61.085 ms ae16.bb06.frc3.tfbnw.net (74.119.76.117) 59.731 ms
> 10 ae5.bb04.iad3.tfbnw.net (31.13.26.57) 111.338 ms ae7.bb04.iad3.tfbnw.net
> (31.13.31.245) 110.007 ms 110.015 ms
> 11 ae9.dr07.ash3.tfbnw.net (31.13.29.29) 68.692 ms ae10.dr08.ash2.tfbnw.net
> (31.13.28.207) 67.846 ms ae12.dr08.ash3.tfbnw.net (31.13.29.191) 68.629 ms
> 12 * * *
> 13 * * *
> 14 8.25.38.1 (who) 68.571 ms 68.718 ms 68.132 ms
> 15 edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68) 67.903 ms 67.752
> ms 68.071 ms
> ---
>
> Hop 14 is the source ip of the traceroute which is forged. This essentially
> makes hop 14 reply using the same ip for src and dst.

maybe their loadbalancer is a little wonky?
(I don't see this in traceroutes from a few places, but I also don't end up at IAD for 'www.facebook.com' traceroutes... here's my last 4 hops though to the dest-ip you had:

.13.28.75) 0.597 ms ae0.dr08.ash2.tfbnw.net (31.13.26.235) 0.576 ms
8 * * *
9 * * *
10 * * *
11 edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68) 0.774 ms 0.755 ms 0.701 ms
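
A measurement-side check for the symptom discussed in this thread (a hop that answers from the address running the traceroute), as an added example that is not part of the original messages. The sample output, its documentation-range addresses and the function names are constructed for illustration; the parser assumes classic `traceroute` text output, including lines wrapped the way mail clients wrap them.

```python
import ipaddress
import re

# A hop starts with an integer TTL followed by whitespace; wrapped
# continuation lines ("(198.51.100.9) ...", "ms 20.071 ms") do not match.
HOP_START = re.compile(r"^\s*(\d+)\s+(?=\S)")
# Four dotted octets not embedded in a longer token (RTTs have only one dot).
IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")

# Constructed sample: hop 2 is load-balanced and wrapped, hop 4 answers
# from the prober's own address, hop 5 is wrapped mid-RTT.
SAMPLE = """\
 1  gw.example.net (192.0.2.1)  1.012 ms  0.998 ms  1.104 ms
 2  core1.example.net (198.51.100.5)  9.731 ms core2.example.net
    (198.51.100.9)  9.802 ms  9.655 ms
 3  * * *
 4  203.0.113.10 (203.0.113.10)  20.571 ms  20.718 ms  20.132 ms
 5  dest.example.org (198.51.100.80)  20.903 ms  20.752
    ms  20.071 ms
"""

def parse_hops(text):
    """Return {ttl: set of responder addresses}, joining wrapped lines."""
    hops, current = {}, None
    for line in text.splitlines():
        m = HOP_START.match(line)
        if m:
            current = int(m.group(1))
            hops.setdefault(current, set())
        if current is None:
            continue  # banner or separator before the first hop
        for token in IPV4.findall(line):
            try:
                hops[current].add(ipaddress.ip_address(token))
            except ValueError:
                pass  # e.g. 999.1.1.1 is not an address
    return hops

def hops_echoing_source(text, source_ip):
    """TTLs whose responder address equals the address running the trace."""
    src = ipaddress.ip_address(source_ip)
    return sorted(ttl for ttl, addrs in parse_hops(text).items() if src in addrs)

if __name__ == "__main__":
    print(hops_echoing_source(SAMPLE, "203.0.113.10"))
```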