Facebook Servers Pinging Home Users?
Posted in Security, Technology on 01/23/2012 10:17 pm by Daniel Hagan

I’ve been playing around with Splunk lately, and one thing I’ve noticed is that I am getting a lot of pings from a certain range of IPs. I block inbound ping at my firewall, but this was so persistent I got a little curious. Here’s the log excerpt that piqued my interest:
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:16 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:04 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:45:58 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.179.30 on interface outside
That’s the trimmed output, but you can see a bigger set of logs if you’re interested.
So just who are these persistent pingers?
whois 69.171.228.232
#
# Query terms are ambiguous. The query is assumed to be:
# "n 69.171.228.232"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=69.171.228.232?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 69.171.224.0 - 69.171.255.255
CIDR: 69.171.224.0/19
OriginAS: AS32934
NetName: TFBNET3
NetHandle: NET-69-171-224-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Assignment
RegDate: 2010-08-05
Updated: 2010-10-15
Ref: http://whois.arin.net/rest/net/NET-69-171-224-0-1

OrgName: Facebook, Inc.
OrgId: THEFA-3
Address: 1601 S. California Ave
City: Palo Alto
StateProv: CA
PostalCode: 94304
Country: US
RegDate: 2004-08-11
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle: OPERA82-ARIN
OrgTechName: Operations
OrgTechPhone: +1-650-543-4800
OrgTechEmail: domain@facebook.com
OrgTechRef: http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName: Operations
OrgAbusePhone: +1-650-543-4800
OrgAbuseEmail: domain@facebook.com
OrgAbuseRef: http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
whois 69.63.186.228
#
# Query terms are ambiguous. The query is assumed to be:
# "n 69.63.186.228"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=69.63.186.228?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 69.63.176.0 - 69.63.191.255
CIDR: 69.63.176.0/20
OriginAS: AS32934
NetName: TFBNET2
NetHandle: NET-69-63-176-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Assignment
Comment: Contact abuse@facebook.com with issues.
RegDate: 2007-02-07
Updated: 2010-07-08
Ref: http://whois.arin.net/rest/net/NET-69-63-176-0-1

OrgName: Facebook, Inc.
OrgId: THEFA-3
Address: 1601 S. California Ave
City: Palo Alto
StateProv: CA
PostalCode: 94304
Country: US
RegDate: 2004-08-11
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle: OPERA82-ARIN
OrgTechName: Operations
OrgTechPhone: +1-650-543-4800
OrgTechEmail: noc@fb.com
OrgTechRef: http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName: Operations
OrgAbusePhone: +1-650-543-4800
OrgAbuseEmail: noc@fb.com
OrgAbuseRef: http://whois.arin.net/rest/poc/OPERA82-ARIN

RTechHandle: OPERA82-ARIN
RTechName: Operations
RTechPhone: +1-650-543-4800
RTechEmail: noc@fb.com
RTechRef: http://whois.arin.net/rest/poc/OPERA82-ARIN

RAbuseHandle: OPERA82-ARIN
RAbuseName: Operations
RAbusePhone: +1-650-543-4800
RAbuseEmail: noc@fb.com
RAbuseRef: http://whois.arin.net/rest/poc/OPERA82-ARIN

RNOCHandle: OPERA82-ARIN
RNOCName: Operations
RNOCPhone: +1-650-543-4800
RNOCEmail: noc@fb.com
RNOCRef: http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
As you can see, both ranges are owned by Facebook. So the question of the day… Why is Facebook ping scanning me?!? Get your guesses in now, because I’m going to email their abuse address and see what they say.
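
As an added example (not part of the original post), the manual steps above can be scripted: parse the ASA 313001 deny lines, map each source to the netblocks named in the two whois results, and measure how the pings cluster in time. The 5-second burst gap and the function names are assumptions made for this sketch.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# The seven log lines from the excerpt in this post.
LOG = """\
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:16 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:04 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:45:58 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.179.30 on interface outside
"""
# CIDR -> NetName, from the two whois results in this post.
NETBLOCKS = {ip_network("69.171.224.0/19"): "TFBNET3",
             ip_network("69.63.176.0/20"): "TFBNET2"}
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} [\d:]{8}) \S+ : %ASA-3-313001: Denied ICMP "
    r"type=(?P<type>\d+), code=\d+ from (?P<src>\S+) on interface \S+$")

def parse(text):
    """Return (timestamp, source IP) for each denied echo request (type 8)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["type"] != "8":
            continue  # other syslog messages or other ICMP types
        try:
            src = ip_address(m["src"])
        except ValueError:
            continue  # source field is not a literal IP address
        events.append((datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), src))
    return events

def summarize(text, gap_seconds=5):
    """Per source: owning netblock and the size of each burst of pings."""
    report, last = {}, {}
    for ts, src in sorted(parse(text), key=lambda e: e[0]):
        net = next((n for c, n in NETBLOCKS.items() if src in c), "unknown")
        entry = report.setdefault(str(src), {"net": net, "bursts": []})
        if src not in last or (ts - last[src]).total_seconds() > gap_seconds:
            entry["bursts"].append(0)  # first ping or long gap: new burst
        entry["bursts"][-1] += 1
        last[src] = ts
    return report

if __name__ == "__main__":
    print(summarize(LOG))
```

On the excerpt, the two sources that appear more than once each sent a single burst of three echo requests within about a second, which is the pattern a longer log export can be checked against.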

