I noticed an interesting thing with a certain visitor after posting a blog post to Facebook.
When the Facebook crawler calls back to the site to fetch metadata, it uses an IP address from a custom IPv6 sub-range.
IPv6: 2a03:2880:ff:1a::face:b00c
Host: fwdproxy-prn-026.fbsv.net
Notice the last two groups: 2a03:2880:ff:1a::face:b00c
How this is done
IPv4 addresses are written using decimal digits only: 0 through 9.
IPv6 addresses, however, are written in hexadecimal, so each digit can be 0-9 or a-f.
This means that when allocating a sub-range, they could choose face and b00c, as all of their letters are greater than or equal to a and less than or equal to f, with the digit 0 standing in for the letter o.
Closing remarks
If you know about, or see other companies that are doing something similar, please tell me about it!
I’m aware that I’m off-topic and below the general tech level here, sorry about that. But your page did come up when I searched, I also noted their face.booc pattern when searching Wordfence logs for people hotlinking my images.
Not that they’re that great, just nature photos, yet for some reason I’ve found whole websites with my hotlinked or slurped images surrounded by ads. Hope my humble post helps someone else resist the borgs.
Just in case someone needs the info and is searching, the Facebook IPv6 range is 2a03:2880::/29
Wordfence has a customisable range blocking facility and it accepted that instead of needing beginning and ending IPs.
Nicely done! Thanks for updating your findings here! 🙂
I’d be interested in a post on how to calculate their IPv6 range so I can block it. Have a similar single IP from one of their users trying to hotlink my photos.
The one I have is 2a03:2880:23ff:d::face:b00c
What language are you using and what is your process for serving images?
I’m using WordPress on shared hosting. I was thinking of an entry for .htaccess or specifying a range in Wordfence.
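On the range question raised in the comments above, here is an added example (not code from the post or from any commenter) that uses Python's standard ipaddress module to compute the first and last address of the 2a03:2880::/29 block quoted above and to check log addresses against it. The log lines are constructed, and the /29 value is taken from the comment as-is rather than verified.

```python
import ipaddress

# Range quoted in the comments above; an assumption here, not verified.
FB_RANGE = ipaddress.ip_network("2a03:2880::/29")
# The low 32 bits of the address when it ends in face:b00c.
VANITY_SUFFIX = 0xFACEB00C

# Constructed sample log lines. Only the first two addresses appear on this
# page; the rest are documentation-range or deliberately invalid values.
SAMPLE_LOG = """\
2a03:2880:ff:1a::face:b00c GET /blog/post-1
2a03:2880:23ff:d::face:b00c GET /images/photo.jpg
2001:db8::face:b00c GET /images/photo.jpg
203.0.113.7 GET /blog/post-1
not-an-ip GET /
"""

def range_bounds(network):
    """Return the (first, last) address of a CIDR block as strings."""
    return str(network.network_address), str(network.broadcast_address)

def classify(addr_text, network=FB_RANGE):
    """Return (in_range, has_vanity_suffix), or None if unparsable."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    if addr.version != 6:
        return (False, False)
    in_range = addr in network
    has_suffix = (int(addr) & 0xFFFFFFFF) == VANITY_SUFFIX
    return (in_range, has_suffix)

def scan(log_text):
    """Map each parsable client address in the log to its classification."""
    results = {}
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        verdict = classify(fields[0])
        if verdict is not None:
            results[fields[0]] = verdict
    return results

if __name__ == "__main__":
    print("range:", range_bounds(FB_RANGE))
    for client, verdict in scan(SAMPLE_LOG).items():
        print(client, "in_range=%s vanity_suffix=%s" % verdict)
```

The third sample line shows why a block rule should match the prefix rather than the face:b00c ending: any network can assign that ending inside its own prefix.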