Saved in:
Bibliographic Details
Main Authors: Anghel, Radu, Lone, Qasim, Luckie, Matthew, Gañán, Carlos, Zhauniarovich, Yury
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2501.16805
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915126319251456
author Anghel, Radu
Lone, Qasim
Luckie, Matthew
Gañán, Carlos
Zhauniarovich, Yury
author_facet Anghel, Radu
Lone, Qasim
Luckie, Matthew
Gañán, Carlos
Zhauniarovich, Yury
contents Spoofed traffic has been identified as one of the main issues of concern for network hygiene nowadays, as it facilitates Distributed Denial-of-Service (DDoS) attacks by hiding their origin and complicating forensic investigations. Some indicators of poor network hygiene are packets with Bogon or Martian source addresses representing either misconfigurations or spoofed packets. Despite the development of Source Address Validation (SAV) techniques and guidelines such as BCP 38 and BCP 84, Bogons are often overlooked in the filtering practices of network operators. This study uses traceroute measurements from the CAIDA Ark dataset, enriched with historical BGP routing information from RIPE RIS and RouteViews, to investigate the prevalence of Bogon addresses over seven years (2017-2023). Our analysis reveals widespread non-compliance with best practices, with Bogon traffic detected across thousands of ASes. Notably, 82.69%-97.83% of CAIDA Ark vantage points observe paths containing Bogon IPs, primarily RFC1918 addresses. Additionally, 19.70% of all analyzed traceroutes include RFC1918 addresses, while smaller proportions involve RFC6598 (1.50%) and RFC3927 (0.10%) addresses. We identify more than 13,000 unique ASes transiting Bogon traffic, with only 11.64% appearing in more than half of the measurements. Cross-referencing with the Spoofer project and MANRS initiatives shows a concerning gap: 62.67% of ASes that do not filter packets with Bogon sources are marked as non-spoofable, suggesting incomplete SAV implementation. Our contributions include an assessment of network hygiene using the transiting of Bogon packets as a metric, an analysis of the main types of Bogon addresses found in traceroutes, and several proposed recommendations to address the observed gaps, enforcing the need for stronger compliance with best practices to improve global network security.
format Preprint
id arxiv_https___arxiv_org_abs_2501_16805
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Martians Among Us: Observing Private or Reserved IPs on the Public Internet
Anghel, Radu
Lone, Qasim
Luckie, Matthew
Gañán, Carlos
Zhauniarovich, Yury
Networking and Internet Architecture
Spoofed traffic has been identified as one of the main issues of concern for network hygiene nowadays, as it facilitates Distributed Denial-of-Service (DDoS) attacks by hiding their origin and complicating forensic investigations. Some indicators of poor network hygiene are packets with Bogon or Martian source addresses representing either misconfigurations or spoofed packets. Despite the development of Source Address Validation (SAV) techniques and guidelines such as BCP 38 and BCP 84, Bogons are often overlooked in the filtering practices of network operators. This study uses traceroute measurements from the CAIDA Ark dataset, enriched with historical BGP routing information from RIPE RIS and RouteViews, to investigate the prevalence of Bogon addresses over seven years (2017-2023). Our analysis reveals widespread non-compliance with best practices, with Bogon traffic detected across thousands of ASes. Notably, 82.69%-97.83% of CAIDA Ark vantage points observe paths containing Bogon IPs, primarily RFC1918 addresses. Additionally, 19.70% of all analyzed traceroutes include RFC1918 addresses, while smaller proportions involve RFC6598 (1.50%) and RFC3927 (0.10%) addresses. We identify more than 13,000 unique ASes transiting Bogon traffic, with only 11.64% appearing in more than half of the measurements. Cross-referencing with the Spoofer project and MANRS initiatives shows a concerning gap: 62.67% of ASes that do not filter packets with Bogon sources are marked as non-spoofable, suggesting incomplete SAV implementation. Our contributions include an assessment of network hygiene using the transiting of Bogon packets as a metric, an analysis of the main types of Bogon addresses found in traceroutes, and several proposed recommendations to address the observed gaps, enforcing the need for stronger compliance with best practices to improve global network security.
title Martians Among Us: Observing Private or Reserved IPs on the Public Internet
topic Networking and Internet Architecture
url https://arxiv.org/abs/2501.16805