Facebook Outage: Yes, its DNS (sort of). A super quick analysis of what is going on.
For the Billions out there still wasting time on Facebook: Enjoy your increased productivity while many Facebook properties (Facebook, Instagram, WhatsApp) are down.
More readable summary of the analysis below: The BGP routes pointing traffic to Facebook's IP address space have been withdrawn. The Internet no longer knows where to find Facebook's IPs. One symptom is that DNS requests are failing. But this is just the result of Facebook hosting its DNS servers inside its own network. Even with working DNS (for example if you still have cached results), the IPs are currently not reachable
Here is a quick view of what may have happened.
1 - Does facebook.com resolve?
% host facebook.com facebook.com has address 31.13.79.35 facebook.com has IPv6 address 2a03:2880:f141:82:face:b00c:0:25de facebook.com mail is handled by 2560 smtpin.vvv.facebook.com. % host www.facebook.com www.facebook.com is an alias for star-mini.c10r.facebook.com. star-mini.c10r.facebook.com has address 31.13.88.35 star-mini.c10r.facebook.com has IPv6 address 2a03:2880:f138:83:face:b00c:0:25de
Yes! (at least for me, it does). But was that just a cached response? Let's follow the DNS chain.
2. What is the NS record for facebook.com according to the .com zone?
(abbreviated output)
% dig NS facebook.com @h.gtld-servers.net
;; AUTHORITY SECTION: facebook.com. 172800 IN NS a.ns.facebook.com. facebook.com. 172800 IN NS b.ns.facebook.com. facebook.com. 172800 IN NS c.ns.facebook.com. facebook.com. 172800 IN NS d.ns.facebook.com. ;; ADDITIONAL SECTION: a.ns.facebook.com. 172800 IN A 129.134.30.12 a.ns.facebook.com. 172800 IN AAAA 2a03:2880:f0fc:c:face:b00c:0:35 b.ns.facebook.com. 172800 IN A 129.134.31.12 b.ns.facebook.com. 172800 IN AAAA 2a03:2880:f0fd:c:face:b00c:0:35 c.ns.facebook.com. 172800 IN A 185.89.218.12 c.ns.facebook.com. 172800 IN AAAA 2a03:2880:f1fc:c:face:b00c:0:35 d.ns.facebook.com. 172800 IN A 185.89.219.12 d.ns.facebook.com. 172800 IN AAAA 2a03:2880:f1fd:c:face:b00c:0:35
3. Let's use one of these NS records
% dig NS facebook.com @129.134.30.12 ; <<>> DiG 9.10.6 <<>> NS facebook.com @129.134.30.12 ;; global options: +cmd ;; connection timed out; no servers could be reached
4. So let's see why we can't reach these servers
% traceroute 129.134.30.12 traceroute to 129.134.30.12 (129.134.30.12), 64 hops max, 52 byte packets 1 [redacted] 0.628 ms 0.159 ms 0.101 ms 2 [redacted] 2.333 ms 1.715 ms 1.706 ms 3 96.120.21.201 (96.120.21.201) 9.123 ms 10.691 ms 10.338 ms 4 96.110.66.37 (96.110.66.37) 9.254 ms 8.754 ms 10.311 ms 5 ae-13-ar02.westside.fl.jacksvil.comcast.net (68.86.168.1) 9.332 ms 11.930 ms 9.746 ms 6 be-33622-cs02.56marietta.ga.ibone.comcast.net (96.110.43.117) 23.797 ms 7 be-2112-pe12.56marietta.ga.ibone.comcast.net (96.110.33.178) 24.322 ms 8 * * *
So Comcast doesn't know how to reach Facebook. Well... BGP should tell them
5. Let's check with a BGP Looking Glass
show router bgp routes 129.134.0.0/16 ipv4 hunt =============================================================================== BGP Router ID:4.69.178.225 AS:3356 Local AS:3356 =============================================================================== Legend - Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid l - leaked, x - stale, > - best, b - backup, p - purge Origin codes : i - IGP, e - EGP, ? - incomplete =============================================================================== BGP IPv4 Routes =============================================================================== No Matching Entries Found. ===============================================================================
So looks like the route is gone. Oh well. Enjoy while it lasts.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
| Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
Anonymous
Oct 4th 2021
3 years ago
Anonymous
Oct 4th 2021
3 years ago
Anonymous
Oct 4th 2021
3 years ago
show route protocol bgp 129.134.0.0/16 detail
inet.0: 978837 destinations, 4534922 routes (978704 active, 0 holddown, 50386 hidden)
129.134.0.0/17 (6 entries, 1 announced)
*BGP Preference: 170/-87
Next hop type: Indirect, Next hop index: 0
Address: 0xb1f8e5c
Next-hop reference count: 220325
Source: 4.69.182.167
Next hop type: Router, Next hop index: 11388
Next hop: 4.69.218.181 via ae0.11, selected
Label element ptr: 0xae62f80
Label parent element ptr: 0x0
Label element references: 2
Label element child references: 1
Label element lsp id: 0
Session Id: 0x2e1
Protocol next hop: 4.69.182.167
Indirect next hop: 0xb114700 2097160 INH Session ID: 0x30f
State:
Local AS: 3356 Peer AS: 3356
Age: 1w6d 13:26:59 Metric: 100000 Metric2: 20
Validation State: unverified
Task: BGP_3356.4.69.182.167+179
Announcement bits (5): 0-KRT 9-BGP_RT_Background 10-Resolve tree 4 11-RT 12-Resolve tree 5
AS path: 32934 I
Communities: 3356:3 3356:86 3356:575 3356:666 3356:2006 3356:2016 3356:11222 3356:12189 3549:600 65000:64980 65000:64987
Accepted
Localpref: 86
Router ID: 4.69.182.167
Anonymous
Oct 4th 2021
3 years ago
Of course, there are lots of others: https://www.bgp4.as/looking-glasses
Happy quiet day, all (with less social fog)... ;0)
Anonymous
Oct 5th 2021
3 years ago
Anonymous
Oct 5th 2021
3 years ago
Anonymous
Oct 5th 2021
3 years ago
Hard to see if it was part of an attack when the route just simply stopped to get advertised to provider, unless the Facebook edge routers went down due to DDoS or some other service denial attack.
Anonymous
Oct 5th 2021
3 years ago