IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Siju George
Hi,

This traffic is blocked on the external interface of the firewall.

May 17 11:34:56.013614 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58106 NS? . (19)
May 17 11:34:56.763086 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58107 NS? . (19)
May 17 11:34:57.513318 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58108 NS? . (19)

May 17 11:45:37.720155 rule 7/(match) block in on em1: 69.171.243.241 > xxx.yyy.ddd.zzz: icmp: echo request
May 17 11:45:39.213492 rule 7/(match) block in on em1: 69.171.243.241.52370 > xxx.yyy.ddd.zzz.53: 33246 NS? . (19)

May 17 11:49:39.746886 rule 7/(match) block in on em1: 69.171.228.232 > xxx.yyy.ddd.zzz: icmp: echo request
May 17 11:49:41.242588 rule 7/(match) block in on em1: 69.171.228.232.59470 > xxx.yyy.ddd.zzz.53: 33554 NS? . (19)

xxx.yyy.ddd.zzz is our firewall IP.

66.220.151.124, 69.171.243.241, 69.171.228.232 are IPs from the
facebook.com domain, as ip2location reports.


Why should facebook servers access my firewall?
They ping my firewall and try to use our internal DNS server,
which is not mentioned in any public NS record?
I wonder if these machines in the facebook.com domain are infected
with some malware bots?
Or is it part of their security checks or something? Anybody have any idea?

Thanks

Siju
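
A way to summarize blocked entries like the ones in the message above by source address, as an added example that is not part of the original thread. It assumes each pflog entry has been joined onto one line; the sample log and its addresses (RFC 5737 documentation ranges) are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the same tcpdump/pflog format as the post, one entry
# per line; addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
May 17 11:34:56.013614 rule 7/(match) block in on em1: 192.0.2.10.47369 > 203.0.113.1.53: 58106 NS? . (19)
May 17 11:34:56.763086 rule 7/(match) block in on em1: 192.0.2.10.47369 > 203.0.113.1.53: 58107 NS? . (19)
May 17 11:45:37.720155 rule 7/(match) block in on em1: 198.51.100.7 > 203.0.113.1: icmp: echo request
May 17 11:45:39.213492 rule 7/(match) block in on em1: 198.51.100.7.52370 > 203.0.113.1.53: 33246 NS? . (19)
May 17 11:50:02.000001 rule 7/(match) block in on em1: 198.51.100.9.40000 > 203.0.113.1.53: 1234 A? www.example.org. (33)
"""

HEAD = re.compile(r"rule (?P<rule>\d+)/\(match\) block in on (?P<ifc>\S+): (?P<rest>.*)$")
DNS = re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > \S+\.53: "
                 r"(?P<id>\d+)\+? (?P<qtype>\w+)\? (?P<qname>\S+) \((?P<len>\d+)\)")
ICMP = re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+) > \S+: icmp: echo request")

def summarize(log_text):
    """Per source IP: count of root NS queries, other DNS queries, and pings."""
    stats = defaultdict(lambda: {"root_ns": 0, "other_dns": 0, "ping": 0, "sports": set()})
    for line in log_text.splitlines():
        head = HEAD.search(line)
        if not head:
            continue  # not a blocked-packet entry
        rest = head.group("rest")
        if (m := DNS.match(rest)):
            s = stats[m.group("src")]
            is_root_ns = m.group("qtype") == "NS" and m.group("qname") == "."
            s["root_ns" if is_root_ns else "other_dns"] += 1
            s["sports"].add(int(m.group("sport")))
        elif (m := ICMP.match(rest)):
            stats[m.group("src")]["ping"] += 1
    return dict(stats)

def root_ns_sources(stats):
    """Sources whose blocked DNS traffic consists only of 'NS? .' queries.
    Unsolicited root NS queries are a pattern seen in DNS amplification
    abuse, where the source address in the packet may be forged."""
    return sorted(ip for ip, s in stats.items() if s["root_ns"] and not s["other_dns"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in root_ns_sources(stats):
        s = stats[ip]
        print(f"{ip}: {s['root_ns']} root NS queries, {s['ping']} pings, "
              f"{len(s['sports'])} distinct source port(s)")
```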



Re: IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Pavel Shvagirev
Most likely someone posted a link to a resource in your domain, and
your DNS appears to be authoritative for that zone. Sounds quite
realistic. There on facebook might be some kind of parser trying to
retrieve a preview for the link or something similar...

Anyway, have a look at the DNS server's logs - what exactly do they
want from you? =)

.. or Zuckerberg must become bored to death =)


17.05.2012 15:50, Siju George wrote:
> Why should facebook servers access my firewall?

-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev



Re: IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Peter Laufenberg
> I wonder if these machines in the facebook.com domain are infected
> with some malware bots?

Facebook *is* a malware bot:)

Let the request through and log what it tries to do next, this could be quite a 
story.

-- p



Re: IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Pavel Shvagirev
Didn't take into account that you do not publish the DNS. That fact
makes my assumption wrong.
Really, go and log the requests! =)

17.05.2012 15:50, Siju George wrote:
> This traffic is blocked on the external interface of the firewall.

-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev



Re: IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Jonathan Gray
http://meetings.ripe.net/ripe-52/presentations/ripe52-plenary-dnsamp.pdf



Re: IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Siju George
On Thu, May 17, 2012 at 7:31 PM, Jonathan Gray j...@jsg.id.au wrote:
> http://meetings.ripe.net/ripe-52/presentations/ripe52-plenary-dnsamp.pdf


Thank you so much :-)

Siju