This could be spoofed packets attempting to do DDoS amplification against 
Facebook.

Was there ever DNS running behind the FW? Was it open? Or perhaps you have a 
dynamic IP, and someone else was?

The attack works as follows:

I send a packet to you, pretending to be from Facebook. I request from you a 
DNS record that is probably large (ripe.net/any or isc.org/any are the 
classics people use).
Your DNS server responds to this request with the larger DNS record to Facebook, 
who didn't ever request it in the first place.

Attackers will run this against 1000s of machines they've scanned as being 
open resolvers and use them to amplify their DDoS traffic.

Ars Technica has a reasonable article on the attack here:

http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon/

Most people don't need to run Open Recursive DNS, but there's a lot of 
misconfigured boxes out there…

-- 
David Crane
Network Engineer



On 7 Aug 2012, at 14:15, Paul Mansfield wrote:

> whilst checking DNS issues recently at home I observed my firewall
> blocking packets to UDP:53
> 
> the packets were coming from a small number of IP addresses - see
> appended - many are within facebook's blocks (according to ARIN
> whois).
> 
> I don't have any NS records which would cause anything to talk to my
> home IP, so I find it very odd.
> 
> has anyone else observed this, or can explain it?
> 
> 
> thanks
> Paul
> 
> 
> some of these could be port scans, but the majority are dns requests
> from facebook
> 
> 
> 
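
As an added example (not part of the thread), the sketch below triages blocked-packet log lines the way the two messages describe: a source that only ever sends repeated UDP/53 queries matches the spoofed-reflection pattern, while one touching many ports looks like a port scan. The iptables-style log format, the thresholds and all addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in iptables LOG style (assumed format; the thread only
# shows SRC= fields). Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug  7 14:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=43211 DPT=53
Aug  7 14:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1029 DPT=53
Aug  7 14:01:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=55012 DPT=53
Aug  7 14:02:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22
Aug  7 14:02:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=23
Aug  7 14:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80
Aug  7 14:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=53
Aug  7 14:03:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.80 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)

def summarise(log_text):
    """Per claimed source: count of UDP/53 packets and set of (proto, port) hit."""
    stats = defaultdict(lambda: {"dns": 0, "ports": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if "SRC" not in f or not f.get("DPT", "").isdigit():
            continue  # not a packet log line we understand
        entry = stats[f["SRC"]]
        entry["ports"].add((f.get("PROTO"), int(f["DPT"])))
        if f.get("PROTO") == "UDP" and f["DPT"] == "53":
            entry["dns"] += 1
    return stats

def classify(stats, min_dns=3, scan_ports=4):
    """Label each source; both thresholds are illustrative assumptions."""
    labels = {}
    for src, entry in stats.items():
        if len(entry["ports"]) >= scan_ports:
            labels[src] = "port-scan"    # many different ports probed
        elif entry["dns"] >= min_dns and len(entry["ports"]) == 1:
            labels[src] = "dns-repeat"   # only UDP/53, repeatedly
        else:
            labels[src] = "other"
    return labels

if __name__ == "__main__":
    for src, label in sorted(classify(summarise(SAMPLE_LOG)).items()):
        print(f"{src:16} {label}")
```

For a "dns-repeat" source the SRC field may be forged, so it identifies the intended recipient of the amplified responses rather than the machine that sent the query.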
