Facebook rendered spineless by buggy audit code that missed catastrophic network config error

Not likely but possible or it was hackers.

https://www.businessinsider.com/facebook-outage-likely-not-linked-whistleblower-claims-hearing-frances-haugen-2021-10

Too bad their security wasn't better

If the DNS error had permanently locked them out of remote and physical access with no way around it they'd have to close down their business and we'd all be better off!

Out of band management?

One thing that stunned me about this is that they needed physical access to their data centres to resolve the issue. Has nobody at Facebook ever heard of out of band management?

You'd think that a company as big as Facebook could afford to chuck in some off net connections to their DCs for the purposes of device management. I remember the days when we used to have a dial up modern connection to the console port of each of our core routers and switches. Maybe things have moved on a bit since then, but that sort of setup would have saved them a lot of time. There's virtually nothing you can do locally that you couldn't do with a console port connection.

locked out by their own system

I have a mental image of a team of Facebook engineers having to sneak in through the data center ventilation ducts, then having to dodge a grid of high-energy laser beams, and then having to fend off a horde of drones while one of their team hastily sets up thermite charges on the door to the security system AI, the whole scene lit by flashing red lights and with a background of blaring sirens and a synthesized voice repeating "Warning! Intruders detected! Lethal countermeasures deployed!"

Some people

Are they still saying that "some people" were affected? Technically accurate but totally misleading!

'interesting'

Janardhan said he found it "interesting" to see how Facebook's security measures "slowed us down as we tried to recover from an outage caused not by malicious activity, but an error of our own making."

Way to go with the positive spin. If he really found it so 'interesting', he's in the wrong job.

These failure scenarios are logically predicatable. If humans can't be arsed, then use AI to suggest such scenarios. Virtual networks can then model and test such scenarios.

Why are people like Janardhan failing do that? That is their job. And they should be kicked out when these things fail.

Them saying 'Oh well, the tech teched the tech, with the unexpected result that backup tool tech failed to tech the tech...' is not good enough anymore.

With thanks to - Charlie Stross.

BTW, I detest FB too, like any sane person.

And I thought...

... that FB asked their AI to find the most reliable way to stop the spread of FAKE NEWS(TM)... And that the AI, uncharacteristically, worked...

Spineless?

I wasn't aware that slimy pond dwellers had any vertebrae, many nematodes are parasitic and can suck blood or damage vital organs such as brain tissue.

Network engineering or network winging it?

"reports of employees' door keycards not even working on Facebook's campuses during the downtime let alone internal diagnosis and collaboration tools, hampering recovery"

Two omissions are apparent: [1] functional network segregation (or the door cards would have still worked); [2] redundancy (no comment needed).

When any system (be it an organisation or a technology setup) reaches a critical size, control is commonly lost. The solution is segmentation, so each element is below critical size and each can operate (at least at baseline) autonomously in emergency.

That's more expensive to implement that chucking everything onto one huge pile, but it's safer and ultimately cheaper to keep running..

... why are Facebook hosting both their primary and secondary DNS?

What even is the fucking point of a secondary dns resolver, if it's on the same network? Just fucking pay someone else a few thousand dollars a year to host it and this never would have happened

I've had 2 I can think of:

- Generator in a room in a building with 3 card-key access doors which lock automatically if the power is lost. We lost power, the generator did not start (it was actually faulty and waiting for a new part so wouldn't automatically spin up on a power failure) and the UPS failed rather dramatically. So we had to kick the doors down to get to the generator room to start the generator (with a screwdriver)!

- Callout for Y2K (yes, I am old). Phone company using phones on their own network for callout (which isn't going to help if the phone network went down). Luckily nothing major broke, but I had a laugh when I raised it in one of the many meetings and then showed off my shiny new phone from another operator (though to be fair this was really because they were dragging their heals about providing any sort of phone for callout, and I needed a phone anyway).

Fun times!

Quis audit auditors - or something like that.

Some sympathy

We read many tales of security loopholes.

For example, operations staff using the fire exit at night to avoid all the hassle with the front doors.

A very secure data centre probably wouldn't have easily accessible out of band access because that could be a major vulnerability.

However I assume that they are now trying to make emergency access a little easier withou compromising security.

Wishing it went down permanently

I can't have been the only one wishing it never came back up. I don't remember thinking that about any other big outage of any system before.

The world would be a better place without Facebook.

Thanks Santosh

I am no fan of (or user of) Facebook - I wish they were replaced with a competing infrastructure of small companies, for those who care about social media at all. However, I want to acknowledge and thank Santosh Janardhan for providing some details very quickly. And Simon, of course, for writing it up.

I feel some companies (including most of the big telcos) would have said nothing at all by this stage.

I hope Santosh will feel that he can authorise his people to continue to provide information about this outage that we can all learn from.

automated BOFH?

"During one of these routine maintenance jobs, a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all the connections in our backbone network, effectively disconnecting Facebook data centers globally."

FB tech: "hey AutoBOFH, how much capacity is available on the 1Gig backbone_link_AQ3543?"

AutoBOFH: "122Mbps"

FB Tech: "could you increase the available capacity, pretty please? I really need more bandwidth on that link"

AutoBOFH: "Shure thing" <CLICKETY> "You now have 1 Gbps of available bandwidth".

FB Tech: "Oh wow, thank you! Hey, how'd you double my bandwidth so quickly?"

AutoBOFH "Double? No, I just kicked off a process that will end up dropping all BGP routes. That will clear all the traffic off of that link".

The VoIP traffic held up just long enough to hear the tech start begging for a configuration restoration as he realized the impending outage would result in a quick career change once the tail lead back to his request.

No ad income for HOURS -- OMG!

How will Emperor Mark survive?

Sadly we will see more of this in the future. 'network engineers' nowadays are increasingly managing (virtual) networks via GUI with little to no understanding of routing and switching. Same with infosec - too much abstraction is basically turning IT staff in to the Eloi.

I get virtualisation and automation is good, but someone has to understand the underlying hardware and protocols. Those people are retiring or getting out of the game. It'll be an interesting 5-7 years.

Sad things:

1. They fixed it.

2. It's apparently a rare event.

3. They hope to learn from it to avoid repetition.

Unfortunately it didn't take Twitter down with it, or we might have had a moment where the world really took a breath. Imagine if Facebook held a restart party and nobody came.

Which level of the inferno is reserved for Zuckerberg and Dorsey, I wonder?