On 20210915, at 19:25, Stephen Strowes <s@sdstrowes.co.uk> wrote:
On 9/15/21 11:32 AM, Jeroen Massar via ripe-atlas wrote:
Hi Folks,
Has anybody ever run an all-probe traceroute and then tried to detect any RFC1918 addresses in there? (though many probes will have some RFC1918 locally)
Since probes are running measurements to many targets already, the full dataset will uncover a lot without having to run more measurements.
A quick query: https://gist.github.com/sdstrowes/e9d4a3c7c03dd1aafa3198333cc39ffa
Out of ~106M IPv4 traceroutes, this finds ~6M that contain 10.0.0.0/8 in an ICMP response more than 4 hops from the origin. That's not the smartest approach, but it's a good ballpark of what's in the data.
It'd be reasonably easy to take that and whittle it down to a set of probes and/or probe ASNs that see this. With more work it'd be possible to identify ASNs on the forward path as a strong hint (asymmetric routing to one side) of where these pass through.
Good one. Indeed, if one can go through the existing traceroute data, one would have the possibility to detect these.
Any way we could automate this into a nice warning page along with the probability that an ASN is the cause of passing on RFC1918 (and thus likely not filtering at all)?
Greets,
Jeroen
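Added example, not part of the thread or of the linked gist: a Python sketch of the check discussed above, flagging traceroutes where an RFC1918 source answers more than 4 hops from the origin and grouping the hits by probe. It goes beyond the 10.0.0.0/8 query by covering all three RFC1918 ranges; the field names (`prb_id`, `af`, `result`, `hop`, `from`, `x`) are assumed to follow the RIPE Atlas traceroute result JSON, and the sample traces are constructed.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_HOP = 5  # "more than 4 hops from the origin" skips the probe's own LAN/CPE

def private_hops(measurement, min_hop=MIN_HOP):
    """Sorted (hop, address) pairs where an RFC1918 source replied at hop >= min_hop."""
    found = set()
    for hop in measurement.get("result", []):
        hop_no = hop.get("hop")
        if hop_no is None or hop_no < min_hop:
            continue
        for reply in hop.get("result", []):   # hops with only an error have no replies
            addr = reply.get("from")          # timeouts look like {"x": "*"}
            if addr is None:
                continue
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue                      # malformed address: ignore the reply
            if ip.version == 4 and any(ip in net for net in RFC1918):
                found.add((hop_no, addr))
    return sorted(found)

def probes_seeing_private(measurements):
    """Map probe id -> RFC1918 hops seen deep in its IPv4 traceroutes."""
    by_probe = defaultdict(list)
    for m in measurements:
        hits = private_hops(m) if m.get("af") == 4 else []
        if hits:
            by_probe[m["prb_id"]].extend(hits)
    return dict(by_probe)

def _trace(prb_id, hops):
    # Helper for the constructed samples: one reply per hop, None means timeout.
    return {"prb_id": prb_id, "af": 4, "result": [
        {"hop": i, "result": [{"from": a, "rtt": 1.0} if a else {"x": "*"}]}
        for i, a in enumerate(hops, 1)]}

# Constructed sample data (documentation prefixes stand in for public hops).
SAMPLE = [
    _trace(1001, ["192.168.1.1", "198.51.100.1", "198.51.100.9", "203.0.113.3",
                  "10.20.30.1", "192.0.2.80"]),
    _trace(1002, ["10.0.0.1", "198.51.100.1", None, "203.0.113.3",
                  "172.32.0.1", "192.0.2.80"]),   # 172.32/16 is outside 172.16/12
    _trace(1003, ["192.168.0.1", "198.51.100.1", "198.51.100.9", None,
                  "203.0.113.7", "172.16.5.9", "192.0.2.80"]),
]

if __name__ == "__main__":
    for probe, hits in sorted(probes_seeing_private(SAMPLE).items()):
        print(probe, hits)
```

Mapping the flagged hops and their neighbours to ASNs, as suggested in the thread, needs an external IP-to-ASN dataset and is left out here.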