This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[atlas] All-Probe Traceroute + detect RFC1918 addresses

Previous message (by thread): [atlas] All-Probe Traceroute + detect RFC1918 addresses
Next message (by thread): [atlas] All-Probe Traceroute + detect RFC1918 addresses

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Stephen Strowes s at sdstrowes.co.uk
Wed Sep 15 19:25:42 CEST 2021

On 9/15/21 11:32 AM, Jeroen Massar via ripe-atlas wrote:
> Hi Folks,
>
> Has anybody ever run a all-probe traceroute and then to detect any RFC1918 addresses in there? (though many probes will have locally some RFC1918)


Since probes are running measurements to many targets already, the full 
dataset will uncover a lot without having to run more measurements.

A quick query: 
https://gist.github.com/sdstrowes/e9d4a3c7c03dd1aafa3198333cc39ffa

Out of ~106M IPv4 traceroutes, this finds ~6M that contain 10.0.0.0/8 in 
an ICMP response more than 4 hops from the origin. That's not the 
smartest approach, but it's a good ballpark of what's in the data.

It'd be reasonably easy to take that and whittle it down to a set of 
probes and/or probe ASNs that see this. With more work it'd be possible 
to identify ASNs on the forward path as a strong hint (asymmetric 
routing to one side) of where these pass through.


S.



>
> We got CAIDAs spoofer project, but that primarily afaik checks that by doing connections, not by checking ICMP returns.
>
> I just saw towards 213.244.71.2 :
>
> 11  Bundle-Ether42.br03.mrs01.pccwbtn.net (63.223.38.78)  29.068 ms  29.301 ms  29.129 ms
> 12  Bundle-Ether41.br03.mrs01.pccwbtn.net (63.223.38.74)  31.462 ms  31.410 ms  31.459 ms
> 13  10.74.42.10 (10.74.42.10)  77.574 ms 63.222.97.82 (63.222.97.82)  73.651 ms 63.222.97.90 (63.222.97.90)  73.514 ms
> 14  10.74.42.129 (10.74.42.129)  82.789 ms * 10.74.19.29 (10.74.19.29)  78.695 ms
> 15  * * 10.74.25.22 (10.74.25.22)  78.914 ms
> 16  * * 10.74.25.22 (10.74.25.22)  78.875 ms
> 17  * * *
>
> Which means the whole path till that IP was not doing any kind of RPF.... thus spoofing anything else would be possible too.
>
> At least one could kick PCCW in this case... but likely there are others.
>
> And as we are in 2021... a hall of shame might be appropriate...
>
>
> Of course, one should also do that for IPv6; though I expect outside the stray ULA address (thank you apple; though they are fixing that ULA issue with homepods apparently) very little of it, though "meten is weten" (measuring is knowing).
>
> Greets,
>   Jeroen
>
>

Previous message (by thread): [atlas] All-Probe Traceroute + detect RFC1918 addresses
Next message (by thread): [atlas] All-Probe Traceroute + detect RFC1918 addresses

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ ripe-atlas Archives ]