Facebook Servers Pinging Home Users?

I’ve been playing around with splunk lately, and one thing I’ve noticed is that I am getting a lot of pings from a certain range of IPs. I block inbound ping at my firewall, but this was so persistent I got a little curious. Here’s the log exerpt that piqued my interest:



Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:16 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:04 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:45:58 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.179.30 on interface outside

That’s the trimmed output, but you can see a bigger set of logs if you’re interested.

So just who are these persistent pingers?



whois 69.171.228.232
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 69.171.228.232"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=69.171.228.232?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       69.171.224.0 - 69.171.255.255
CIDR:           69.171.224.0/19
OriginAS:       AS32934
NetName:        TFBNET3
NetHandle:      NET-69-171-224-0-1
Parent:         NET-69-0-0-0-0
NetType:        Direct Assignment
RegDate:        2010-08-05
Updated:        2010-10-15
Ref:            http://whois.arin.net/rest/net/NET-69-171-224-0-1

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 S. California Ave
City:           Palo Alto
StateProv:      CA
PostalCode:     94304
Country:        US
RegDate:        2004-08-11
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle: OPERA82-ARIN
OrgTechName:   Operations
OrgTechPhone:  +1-650-543-4800
OrgTechEmail:  domain@facebook.com
OrgTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  domain@facebook.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#



whois 69.63.186.228
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 69.63.186.228"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=69.63.186.228?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       69.63.176.0 - 69.63.191.255
CIDR:           69.63.176.0/20
OriginAS:       AS32934
NetName:        TFBNET2
NetHandle:      NET-69-63-176-0-1
Parent:         NET-69-0-0-0-0
NetType:        Direct Assignment
Comment:        Contact abuse@facebook.com with issues.
RegDate:        2007-02-07
Updated:        2010-07-08
Ref:            http://whois.arin.net/rest/net/NET-69-63-176-0-1

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 S. California Ave
City:           Palo Alto
StateProv:      CA
PostalCode:     94304
Country:        US
RegDate:        2004-08-11
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle: OPERA82-ARIN
OrgTechName:   Operations
OrgTechPhone:  +1-650-543-4800
OrgTechEmail:  noc@fb.com
OrgTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  noc@fb.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

RTechHandle: OPERA82-ARIN
RTechName:   Operations
RTechPhone:  +1-650-543-4800
RTechEmail:  noc@fb.com
RTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

RAbuseHandle: OPERA82-ARIN
RAbuseName:   Operations
RAbusePhone:  +1-650-543-4800
RAbuseEmail:  noc@fb.com
RAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

RNOCHandle: OPERA82-ARIN
RNOCName:   Operations
RNOCPhone:  +1-650-543-4800
RNOCEmail:  noc@fb.com
RNOCRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

As you can see, both ranges are owned by Facebook. So the question of the day… Why is Facebook ping scanning me?!? Get your guesses in now, because I’m going to email their abuse address and see what they say. 😉