
On 9/15/21 11:32 AM, Jeroen Massar via ripe-atlas wrote:
> Hi Folks,
>
> Has anybody ever run an all-probe traceroute and then tried to detect any RFC1918 addresses in there? (though many probes will have some RFC1918 locally)
Since probes are running measurements to many targets already, the full dataset will uncover a lot without having to run more measurements. A quick query: https://gist.github.com/sdstrowes/e9d4a3c7c03dd1aafa3198333cc39ffa

Out of ~106M IPv4 traceroutes, this finds ~6M that contain 10.0.0.0/8 in an ICMP response more than 4 hops from the origin. That's not the smartest approach, but it's a good ballpark of what's in the data.

It'd be reasonably easy to take that and whittle it down to a set of probes and/or probe ASNs that see this. With more work it'd be possible to identify ASNs on the forward path as a strong hint (asymmetric routing to one side) of where these pass through.

S.
> We've got CAIDA's spoofer project, but that primarily afaik checks that by doing connections, not by checking ICMP returns.
>
> I just saw towards 213.244.71.2:
>
> 11 Bundle-Ether42.br03.mrs01.pccwbtn.net (63.223.38.78) 29.068 ms 29.301 ms 29.129 ms
> 12 Bundle-Ether41.br03.mrs01.pccwbtn.net (63.223.38.74) 31.462 ms 31.410 ms 31.459 ms
> 13 10.74.42.10 (10.74.42.10) 77.574 ms 63.222.97.82 (63.222.97.82) 73.651 ms 63.222.97.90 (63.222.97.90) 73.514 ms
> 14 10.74.42.129 (10.74.42.129) 82.789 ms * 10.74.19.29 (10.74.19.29) 78.695 ms
> 15 * * 10.74.25.22 (10.74.25.22) 78.914 ms
> 16 * * 10.74.25.22 (10.74.25.22) 78.875 ms
> 17 * * *
>
> Which means the whole path until that IP was not doing any kind of RPF.... thus spoofing anything else would be possible too.
>
> At least one could kick PCCW in this case... but likely there are others.
>
> And as we are in 2021... a hall of shame might be appropriate...
>
> Of course, one should also do that for IPv6; though I expect outside the stray ULA address (thank you Apple; though they are fixing that ULA issue with HomePods apparently) very little of it, though "meten is weten" (measuring is knowing).
>
> Greets,
>  Jeroen
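The filter Stephen describes (RFC1918 space answering an ICMP probe more than 4 hops from the origin) is simple enough to reproduce over RIPE Atlas traceroute results. The script below is an added illustration of that idea, not the gist linked above and not code from either author. It assumes the public Atlas traceroute result layout (`prb_id`, `result`, `hop`, `from`, with timeouts encoded as `{"x": "*"}`); the two sample traceroutes are constructed, one modelled on the PCCW path quoted in the thread and one clean path whose only RFC1918 reply is the probe's own CPE at hop 1. ULA (`fc00::/7`) is checked for IPv6 results, following the remark about doing the same for v6.

```python
import ipaddress
import json
from collections import Counter

# Added example: a filter over RIPE Atlas traceroute results, not the gist
# from the thread. Field names follow the public Atlas traceroute result
# format (assumption); the sample data at the bottom is constructed.

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")  # IPv6 counterpart mentioned in the thread
MIN_HOP = 5  # "more than 4 hops from the origin": skip the probe's own LAN / CPE


def is_internal(addr):
    """True for RFC1918 (v4) or ULA (v6) sources; malformed strings are ignored."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 4:
        return any(ip in net for net in RFC1918)
    return ip in ULA


def flag_traceroute(tr, min_hop=MIN_HOP):
    """Return [(hop, from_addr), ...] for ICMP replies from internal space at hop >= min_hop."""
    hits = []
    for hop in tr.get("result", []):
        hop_no = hop.get("hop")
        if hop_no is None or hop_no < min_hop:
            continue
        for reply in hop.get("result", []):
            # Timeouts are encoded as {"x": "*"} and carry no "from" field.
            src = reply.get("from")
            if src and is_internal(src):
                hits.append((hop_no, src))
    return hits


def summarise(traceroutes, min_hop=MIN_HOP):
    """Count, per probe, the traceroutes containing at least one flagged hop."""
    per_probe = Counter()
    total = 0
    for tr in traceroutes:
        total += 1
        if flag_traceroute(tr, min_hop):
            per_probe[tr.get("prb_id")] += 1
    return total, per_probe


# Constructed sample (JSON lines, as Atlas bulk downloads are usually handled):
# probe 1001 sees 10.74.0.0/16 replies deep in the path, probe 1002 is clean.
SAMPLE_JSONL = """\
{"prb_id": 1001, "af": 4, "dst_addr": "213.244.71.2", "result": [{"hop": 1, "result": [{"from": "192.168.1.1", "rtt": 0.9}]}, {"hop": 12, "result": [{"from": "63.223.38.74", "rtt": 31.4}]}, {"hop": 13, "result": [{"from": "10.74.42.10", "rtt": 77.5}, {"from": "63.222.97.82", "rtt": 73.6}]}, {"hop": 14, "result": [{"from": "10.74.42.129", "rtt": 82.7}, {"x": "*"}, {"from": "10.74.19.29", "rtt": 78.6}]}, {"hop": 15, "result": [{"x": "*"}, {"x": "*"}, {"from": "10.74.25.22", "rtt": 78.9}]}]}
{"prb_id": 1002, "af": 4, "dst_addr": "213.244.71.2", "result": [{"hop": 1, "result": [{"from": "192.168.178.1", "rtt": 0.4}]}, {"hop": 2, "result": [{"from": "203.0.113.1", "rtt": 9.1}]}, {"hop": 6, "result": [{"from": "198.51.100.7", "rtt": 21.0}]}]}
"""
SAMPLE = [json.loads(line) for line in SAMPLE_JSONL.splitlines() if line.strip()]

if __name__ == "__main__":
    total, per_probe = summarise(SAMPLE)
    print(f"{sum(per_probe.values())} of {total} traceroutes flagged; probes: {dict(per_probe)}")
    for tr in SAMPLE:
        for hop_no, src in flag_traceroute(tr):
            print(f"probe {tr['prb_id']} -> {tr['dst_addr']}: hop {hop_no} answered from {src}")
```

Two caveats for reading the output: a private source address deep in the path only shows that one router's ICMP reply was not dropped on its way back to the probe, so the per-probe and per-ASN tallies are the more useful signal than any single trace; and the check is deliberately narrower than `ipaddress`'s `is_private`, which would also match documentation and reserved ranges. Adding 100.64.0.0/10 (carrier-grade NAT space) to the list is a one-line change if that is of interest.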