RIPE plays with 220.127.116.11 and 18.104.22.168 following APNIC allocation
By stretch | Friday, February 5, 2010 at 3:25 a.m. UTC
Last month, IANA allocated the 22.214.171.124/8 and 126.96.36.199/8 networks to APNIC (the Internet registry for the Asia-Pacific region), pushing the total IPv4 address space utilization above the ominous 90% mark. Passing this benchmark should not come as a surprise to anyone, given the painfully slow adoption of IPv6. But what's interesting about the first range in particular is the amount of junk traffic already present.
As part of an effort to de-bogonise this newly allocated address space, RIPE, in cooperation with APNIC, made some test advertisements to the global BGP table for several prefixes with 188.8.131.52/8. Specifically, these networks included 184.108.40.206/24 and 220.127.116.11/24. Why these networks? Because they contain the novel (and illegal) IPv4 addresses 18.104.22.168 and 22.214.171.124, of course.
Shortly after announcing the routes to the world, RIPE's RIS was flooded with over 50 Mbps of traffic destined for what is still an unallocated network; it should not appear on the global Internet.
The RIS RRC from which we announced 126.96.36.199/24 has connections to AMS-IX, NL-IX and GN-IX. The ... image shows the incoming traffic on the AMS-IX port (10 MBit), which was instantly maxed out, mostly by traffic coming towards 188.8.131.52. The AMS-IX sflow graphs suggested that all together our peers were trying to send us more than 50 MBit/s of traffic. Most of this traffic was dropped due to the 10 MBit limit of our AMS-IX port.
And of course, no routing experiment is complete without pretty charts:
Unfortunately, the current amount of pollution (unwanted traffic from the Internet) in the 184.108.40.206/24 and 220.127.116.11/24 prefixes makes them essentially useless and, to an extent, also devalues their less-specific parent prefixes. All because people can't follow simple standards.
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
Posted in News
February 5, 2010 at 6:02 a.m. UTC
Also see: “Issues with allocating from 18.104.22.168/8” @ http://bgpmon.net/blog/?p=275
February 5, 2010 at 2:21 p.m. UTC
"Another big portion of the packets sent towards 22.214.171.124 uses UDP port 2427 and 2727, which are part of the "Media Gateway Protocol". All of these packets seems to originate from one telecommunications provider and can probably be attributed to misconfigured VoIP equipment."
I wonder who that was then? :P
Keep up the good work stretch :)
February 5, 2010 at 2:50 p.m. UTC
I'll go remove my loopback0 now...
February 5, 2010 at 4:52 p.m. UTC
-On the phone- "No sir, we don't use 126.96.36.199 for any of our loopbacks" -type type type- "If you log in to the router you will see we only use IP's from the 10.0.0.0/8 network."
February 8, 2010 at 3:08 a.m. UTC
Very interesting article!!!! Thanks for sharing
February 8, 2010 at 12:36 p.m. UTC
How can we dare IPv6 when somebody cannot follow some simple housekeeping rules in IPv4?
BTW: what's special with port 15206?
February 8, 2010 at 9:20 p.m. UTC
I have a feeling a lot of 188.8.131.52 just comes from people farting around and testing things; not because they're actually intending to use/squat on that space. Inadvertently traffic gets out to the Internet.
Nevertheless, it's is interesting there's so much flotsam.
February 9, 2010 at 3:49 p.m. UTC
"We found that almost 60% of the UDP packets are sent towards the IP address 184.108.40.206 on port 15206 which makes up the largest amount of packets seen by our RRC. Most of these packets start their data section with 0x80, continue with seemingly random data and are padded to 172 bytes with an (again seemingly random) 2 byte value. Some sources (http://www.proxyblind.org/trojan.shtml) list the port as being used by a trojan called "KiLo", however information about it seem sparse."
Taken from the RIPE Labs link within the artice ;-)
February 10, 2010 at 11:46 p.m. UTC
What's equally interesting and somewhat sad is that the reverse path filtering that 'The Bogon Reference' (http://www.team-cymru.org/Services/Bogons/) would not catch this. :-(
February 11, 2010 at 1:13 p.m. UTC
All the responsability to CISCO!! I remember some exercises in my CCNA with loopbacks 220.127.116.11 18.104.22.168 22.214.171.124 jajajaja
February 11, 2010 at 7:47 p.m. UTC
You mention RFC1918, good call. I notice that RFC5735 was released recently, which incorporates that plus the other special networks, such as ones for documentation, benchmark tests, and so on.
October 20, 2012 at 3:21 a.m. UTC
Looks like 126.96.36.199 is used mostly for media streaming... Explaining the traffic on port 2427/2727.
Noticed the stream on http://partybus.com comming from http://188.8.131.52.