RIPE plays with 1.1.1.1 and 1.2.3.4 following APNIC allocation

By stretch | Friday, February 5, 2010 at 3:25 a.m. UTC

Last month, IANA allocated the 1.0.0.0/8 and 27.0.0.0/8 networks to APNIC (the Internet registry for the Asia-Pacific region), pushing the total IPv4 address space utilization above the ominous 90% mark. Passing this benchmark should not come as a surprise to anyone, given the painfully slow adoption of IPv6. But what's interesting about the first range in particular is the amount of junk traffic already present.

As part of an effort to de-bogonise this newly allocated address space, RIPE, in cooperation with APNIC, made some test advertisements to the global BGP table for several prefixes within 1.0.0.0/8. Specifically, these networks included 1.1.1.0/24 and 1.2.3.0/24. Why these networks? Because they contain the novel (and illegal) IPv4 addresses 1.1.1.1 and 1.2.3.4, of course.

Shortly after announcing the routes to the world, RIPE's RIS was flooded with over 50 Mbps of traffic destined for what is still an unallocated network; it should not appear on the global Internet.

The RIS RRC from which we announced 1.1.1.0/24 has connections to AMS-IX, NL-IX and GN-IX. The ... image shows the incoming traffic on the AMS-IX port (10 MBit), which was instantly maxed out, mostly by traffic coming towards 1.1.1.1. The AMS-IX sflow graphs suggested that all together our peers were trying to send us more than 50 MBit/s of traffic. Most of this traffic was dropped due to the 10 MBit limit of our AMS-IX port.

And of course, no routing experiment is complete without pretty charts:

[Chart: destaddresses.png]

[Chart: traffictypes.png]

Unfortunately, the current amount of pollution (unwanted traffic from the Internet) in the 1.1.1.0/24 and 1.2.3.0/24 prefixes makes them essentially useless and, to an extent, also devalues their less-specific parent prefixes. All because people can't follow simple standards.
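One way to catch this kind of squatting before it leaks, as an added example (not from the original post or from RIPE): a Python check that scans IOS-style configuration text for interface addresses that fall outside RFC 1918 space and outside prefixes the operator actually holds. The sample config, the `find_squatted` helper, and the use of the documentation prefix 198.51.100.0/24 as a stand-in for an owned allocation are all assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges: the space intended for internal addressing.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")

# Constructed sample, not taken from any real device.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 1.2.3.4 255.255.255.0
"""

def find_squatted(config_text, owned_prefixes=()):
    """Return [(interface, network)] for addresses outside RFC 1918 and owned space."""
    allowed = RFC1918 + [ipaddress.ip_network(p) for p in owned_prefixes]
    findings, iface = [], None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if not m:
            continue
        # Address plus dotted mask -> the connected network (e.g. 1.2.3.0/24).
        net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        # The whole network must sit inside an allowed block; a mask that
        # reaches past the block (10.0.0.0/7, say) is flagged as well.
        if not any(net.subnet_of(a) for a in allowed):
            findings.append((iface, str(net)))
    return findings

if __name__ == "__main__":
    for iface, net in find_squatted(SAMPLE_CONFIG, ("198.51.100.0/24",)):
        print(f"{iface}: {net} is neither RFC 1918 nor an owned prefix")
```
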

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in News

Comments


Andree (guest)
February 5, 2010 at 6:02 a.m. UTC

Also see: “Issues with allocating from 1.0.0.0/8” @ http://bgpmon.net/blog/?p=275


DanC
February 5, 2010 at 2:21 p.m. UTC

Very interesting!

"Another big portion of the packets sent towards 1.1.1.1 uses UDP port 2427 and 2727, which are part of the "Media Gateway Protocol". All of these packets seems to originate from one telecommunications provider and can probably be attributed to misconfigured VoIP equipment."

I wonder who that was then? :P

Keep up the good work stretch :)


Colby
February 5, 2010 at 2:50 p.m. UTC

I'll go remove my loopback0 now...


ianmprice
February 5, 2010 at 4:52 p.m. UTC

-On the phone- "No sir, we don't use 1.1.1.1 for any of our loopbacks" -type type type- "If you log in to the router you will see we only use IPs from the 10.0.0.0/8 network."


killabee
February 8, 2010 at 3:08 a.m. UTC

Very interesting article!!!! Thanks for sharing


Maxxfi (guest)
February 8, 2010 at 12:36 p.m. UTC

How can we dare IPv6 when somebody cannot follow some simple housekeeping rules in IPv4?

BTW: what's special with port 15206?


Andrew (guest)
February 8, 2010 at 9:20 p.m. UTC

I have a feeling a lot of 1.1.1.1 just comes from people farting around and testing things; not because they're actually intending to use/squat on that space. Inadvertently traffic gets out to the Internet.

Nevertheless, it is interesting there's so much flotsam.


DanC
February 9, 2010 at 3:49 p.m. UTC

@ Maxxfi

"We found that almost 60% of the UDP packets are sent towards the IP address 1.1.1.1 on port 15206 which makes up the largest amount of packets seen by our RRC. Most of these packets start their data section with 0x80, continue with seemingly random data and are padded to 172 bytes with an (again seemingly random) 2 byte value. Some sources (http://www.proxyblind.org/trojan.shtml) list the port as being used by a trojan called "KiLo", however information about it seem sparse."

Taken from the RIPE Labs link within the article ;-)


DrScriptt (guest)
February 10, 2010 at 11:46 p.m. UTC

Interesting.

What's equally interesting and somewhat sad is that the reverse path filtering that 'The Bogon Reference' (http://www.team-cymru.org/Services/Bogons/) would not catch this. :-(


beernabe
February 11, 2010 at 1:13 p.m. UTC

All the responsibility to CISCO!! I remember some exercises in my CCNA with loopbacks 1.1.1.1 2.2.2.2 3.3.3.3 hahahaha


oliver
February 11, 2010 at 7:47 p.m. UTC

You mention RFC1918, good call. I notice that RFC5735 was released recently, which incorporates that plus the other special networks, such as ones for documentation, benchmark tests, and so on.

http://tools.ietf.org/html/rfc5735

HTH, oliver.


dtwins (guest)
October 20, 2012 at 3:21 a.m. UTC

Looks like 1.2.3.4 is used mostly for media streaming... Explaining the traffic on port 2427/2727.

Noticed the stream on http://partybus.com coming from http://1.2.3.4.
