18

Every few weeks I get an email (usually a very unpleasant one) or sometimes even a phone call from a Facebook user who believes that I am "hacking" their internet. They come to this conclusion after they end up on my site after entering www.facebook.com. Looking at my server logs, it seems like this happens to about 1 person per day from different IPs and service providers.

The HOST: header in their request does contain www.facebook.com as I can confirm from my server logs. At this point I believe the problem must lie in DNS. Somehow my IP ends up getting served for a www.facebook.com query. This must happen very infrequently otherwise I'd be seeing a lot more traffic from the problem. In fact, my site would be flattened if even a small fraction of Facebook users ended up there.

Any thoughts on the root cause of this? Anyone seen anything similar? At this point the only course of action I can think of is to create a special landing page for users requesting www.facebook.com from my server telling them to try again later.

masegaloeh
Peter
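An added example, not part of the original post: one way to pull the misdirected requests out of an access log and list, per day, which client addresses sent a `Host:` header the server does not own. The log layout (Apache common log with `%{Host}i` appended), the `OWN_HOSTS` names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: names this server legitimately answers for (placeholders).
OWN_HOSTS = {"example.org", "www.example.org"}

# Assumed log layout: Apache common log plus the request's Host header as a
# final quoted field: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "(?P<host>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Nov/2010:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "www.example.org"
203.0.113.45 - - [17/Nov/2010:14:03:22 +0000] "GET / HTTP/1.1" 200 512 "www.facebook.com"
192.0.2.200 - - [18/Nov/2010:08:40:10 +0000] "GET /login.php HTTP/1.1" 404 0 "WWW.Facebook.com:80"
198.51.100.7 - - [18/Nov/2010:08:41:00 +0000] "GET /about HTTP/1.1" 200 900 "example.org"
garbage line that does not parse
"""

def normalize_host(raw):
    """Lower-case the Host value, drop a :port suffix and a trailing dot."""
    host = raw.strip().lower()
    if not host.startswith("["):          # leave bracketed IPv6 literals alone
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def misdirected_by_day(lines, own_hosts=OWN_HOSTS):
    """Map (date, foreign Host) -> set of client IPs that sent it."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        host = normalize_host(m["host"]) if m else ""
        if not host or host in own_hosts:  # unparsable, empty or our own name
            continue
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        hits[(day.isoformat(), host)].add(m["ip"])
    return dict(hits)

def report(lines):
    """Sorted rows of (day, foreign host, distinct client count, client IPs)."""
    hits = misdirected_by_day(lines)
    return sorted((d, h, len(ips), sorted(ips)) for (d, h), ips in hits.items())

if __name__ == "__main__":
    for day, host, count, ips in report(SAMPLE_LOG.splitlines()):
        print(day, host, count, ", ".join(ips))
```

The per-day list of client addresses is the data needed to check whether the affected users share a resolver, an ISP or an address range.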

6 Answers

7

You've already answered your own question. "the problem must lie in DNS". Assuming you have no control over anybody else's DNS there's really nothing you can do about it, unless of course those visits are from somewhere within the network you do have control over.

John Gardeniers
  • 2
    I'd put in a 302 redirect to Facebook's site based on the headers. –  Nov 18 '10 at 00:16
  • 9
    If DNS is the problem, the 302 will simply create a redirect loop since the request will just come right back at me. A landing page may be the only solution. – Peter Nov 18 '10 at 00:36
  • @John Gardeniers How did you come to this conclusion? – Rob Olmos Nov 18 '10 at 01:52
  • 1
    @Rob, a DNS issue is the only thing I can think of that fits ALL the symptoms. – John Gardeniers Nov 18 '10 at 02:03
  • You could redirect to Facebook's site by IP. IP's don't need to be resolved by DNS servers. You could ping www.facebook.com from time to time to auto-adjust the target IP. – Scoregraphic Nov 18 '10 at 08:56
  • Sending a message to Facebook sysadmin (as said by r0h4n) and giving a warning to facebook users explaining the situation seems something that "can" be done. – Benoit Nov 19 '10 at 16:03
  • @Benoit, yes that can be done but that's not doing anything about the problem, only the symptom. – John Gardeniers Nov 20 '10 at 09:17
7

You should report this to Facebook, since this is not your problem. It is the problem of DNS configs for the Facebook.com domain, which is not under your administration.

Facebook must be dynamically generating DNS records for load balancing, and your IP must fall near Facebook's subnet. You can change your IP if this is a problem to you.

Rohan
  • 1
    Not a bad theory, but not necessarily true either. Some subnet (say, a university, or a smaller ISP) might be mucking with the DNS records in a similar way. – Paul McMillan Nov 18 '10 at 08:59
3

There are two likely sources for this DNS misdirection:

  1. Someone futzing with DNS packets (look up "Golden Shield Project")

  2. Messed up "hosts" files on clients as a result of malware infection

I can't tell without more information, though. What client addresses are you seeing, for example? What's your IP address? If you can't share publicly, contact me offline. I'm a DNS researcher, not too hard to find - look for the ServerFault answers where I've mentioned particular RFCs I've written ;-)

Alnitak
  • 1
    I'd be very interested in the resolution of this too. Post back when you figure out what's going on. – Paul McMillan Nov 18 '10 at 09:00
  • Now there's a distinct possibility! Some malware messes with people's hosts file, and the IP of this guy's server used to be the IP of a phishing site at one point in time. So people who get infected and go to www.facebook.com end up at his site; this would explain why he only gets a few here and there. – Chris S Nov 19 '10 at 16:16
1

If at all possible, see if you can get the folks complaining to tell you their DNS server name. Maybe then you can track down the DNS servers causing the issue.

Jim B
0

Search your domain over multiple search engines and see what you get. Don't forget obscure ones.

I assume your domain might be linked to Facebook on some search engine and when Facebook is misspelled they are redirected to you. Is your domain similar to Facebook's?

Ask the next guy that calls you about: browser, toolbars and default search engine.

Ask them to do a malware scan.

Also, it would be interesting to find out since when you have been using that IP and whether it's hosted by you or owned by an ISP.

Paul
0

There is also another possible explanation.

I used to have an ADSL router that occasionally would fail by corrupting the routing information for the internet address that I was sending a packet to at that particular point in time. It was not DNS level, as this problem appeared with IP addresses as well. Doing traceroutes on the IP addresses gave some very strange answers with the routes going to different places each time. This problem could be resolved by power cycling the ADSL router, and then remained fixed for a couple of months before repeating.

Solved it by buying a new ADSL router.

Michael Shaw
  • This might be possible if people were constantly going to random sites. But for a router to constantly corrupt packets in the same way seems extraordinarily unlikely. – Chris S Nov 19 '10 at 16:18
  • There is no evidence that the packets are always corrupted the same way, only that sometimes they are corrupted to go to this person's IP address. Most websites are on shared servers, so the user would see a blank page. – Michael Shaw Nov 19 '10 at 16:31