The premiere source of truth powering network automation. Open and extensible, trusted by thousands.

NetBox is now available as a managed cloud solution! Stop worrying about your tooling and get back to building networks.

RIPE plays with and following APNIC allocation

By stretch | Friday, February 5, 2010 at 3:25 a.m. UTC

Last month, IANA allocated the and networks to APNIC (the Internet registry for the Asia-Pacific region), pushing the total IPv4 address space utilization above the ominous 90% mark. Passing this benchmark should not come as a surprise to anyone, given the painfully slow adoption of IPv6. But what's interesting about the first range in particular is the amount of junk traffic already present.

As part of an effort to de-bogonise this newly allocated address space, RIPE, in cooperation with APNIC, made some test advertisements to the global BGP table for several prefixes with Specifically, these networks included and Why these networks? Because they contain the novel (and illegal) IPv4 addresses and, of course.

Shortly after announcing the routes to the world, RIPE's RIS was flooded with over 50 Mbps of traffic destined for what is still an unallocated network; it should not appear on the global Internet.

The RIS RRC from which we announced has connections to AMS-IX, NL-IX and GN-IX. The ... image shows the incoming traffic on the AMS-IX port (10 MBit), which was instantly maxed out, mostly by traffic coming towards The AMS-IX sflow graphs suggested that all together our peers were trying to send us more than 50 MBit/s of traffic. Most of this traffic was dropped due to the 10 MBit limit of our AMS-IX port.

And of course, no routing experiment is complete without pretty charts:



Unfortunately, the current amount of pollution (unwanted traffic from the Internet) in the and prefixes makes them essentially useless and, to an extent, also devalues their less-specific parent prefixes. All because people can't follow simple standards.

Posted in News


February 5, 2010 at 6:02 a.m. UTC

Also see: “Issues with allocating from” @

February 5, 2010 at 2:21 p.m. UTC

Very interesting!

"Another big portion of the packets sent towards uses UDP port 2427 and 2727, which are part of the "Media Gateway Protocol". All of these packets seems to originate from one telecommunications provider and can probably be attributed to misconfigured VoIP equipment."

I wonder who that was then? :P

Keep up the good work stretch :)

February 5, 2010 at 2:50 p.m. UTC

I'll go remove my loopback0 now...

February 5, 2010 at 4:52 p.m. UTC

-On the phone- "No sir, we don't use for any of our loopbacks" -type type type- "If you log in to the router you will see we only use IP's from the network."

February 8, 2010 at 3:08 a.m. UTC

Very interesting article!!!! Thanks for sharing

February 8, 2010 at 12:36 p.m. UTC

How can we dare IPv6 when somebody cannot follow some simple housekeeping rules in IPv4?

BTW: what's special with port 15206?

February 8, 2010 at 9:20 p.m. UTC

I have a feeling a lot of just comes from people farting around and testing things; not because they're actually intending to use/squat on that space. Inadvertently traffic gets out to the Internet.

Nevertheless, it's is interesting there's so much flotsam.

February 9, 2010 at 3:49 p.m. UTC

@ Maxxfi

"We found that almost 60% of the UDP packets are sent towards the IP address on port 15206 which makes up the largest amount of packets seen by our RRC. Most of these packets start their data section with 0x80, continue with seemingly random data and are padded to 172 bytes with an (again seemingly random) 2 byte value. Some sources ( list the port as being used by a trojan called "KiLo", however information about it seem sparse."

Taken from the RIPE Labs link within the artice ;-)

February 10, 2010 at 11:46 p.m. UTC


What's equally interesting and somewhat sad is that the reverse path filtering that 'The Bogon Reference' ( would not catch this. :-(

February 11, 2010 at 1:13 p.m. UTC

All the responsability to CISCO!! I remember some exercises in my CCNA with loopbacks jajajaja

February 11, 2010 at 7:47 p.m. UTC

You mention RFC1918, good call. I notice that RFC5735 was released recently, which incorporates that plus the other special networks, such as ones for documentation, benchmark tests, and so on.

HTH, oliver.

October 20, 2012 at 3:21 a.m. UTC

Looks like is used mostly for media streaming... Explaining the traffic on port 2427/2727.

Noticed the stream on comming from

Comments have closed for this article due to its age.