
Pollution in 1.0.0.0/8

Pollution in 1.0.0.0/8, or why having 1.2.3.4 might not be that cool after all. A presentation given by Mark Dranse and Franz Schwarzinger during the APRICOT 2010 meeting.
Published on: Mar 4, 2016
Published in: Technology      
Source: www.slideshare.net


Transcripts - Pollution in 1.0.0.0/8

  • 1. RIPE Network Coordination Centre: Pollution in 1.0.0.0/8, or why having 1.2.3.4 might not be that cool after all...
      Mark Dranse <markd@ripe.net> and Franz Schwarzinger <franz@ripe.net>, RIPE NCC
      Mark Dranse, APRICOT 2010, http://www.ripe.net
  • 2. Background
      • Many networks filter unallocated address space (bogons)
          - Some time passes
      • Unallocated addresses become allocated
          - Filters are not always well maintained
          - Freshly allocated space is not fully reachable
      • ISPs and users complain
          - RIRs get some of the blame
  • 3. Debogon Project
      • Mitigate issues surrounding new address space
          - Increase communications
          - Provide tools to measure and monitor reachability
      • Using existing RIS infrastructure since 2005
          - Announce a few prefixes from new /8s
          - Provide target IPs for ping/traceroute
          - Measure reachability and produce graphs
      http://www.ris.ripe.net/debogon/
  • 4. Debogon Reports
      • Combined yearly report for all /8s
  • 5. Debogon Tools
      http://www.ris.ripe.net/cgi-bin/debogon.cgi
  • 6. The 1.0.0.0/8 story
      • “Reserved” since 1981
      • Changed to “unallocated” by IANA in 2008
      • Allocated to APNIC in January 2010 ‘randomly’
          - Added to the debogon report as usual
              • 1.255.0.0/16
              • 1.50.0.0/22
          - As a special experiment, we also announced:
              • 1.1.1.0/24
              • 1.2.3.0/24
  • 7. Measurement Setup
      • RIS Remote Route Collector (rrc03.ripe.net)
          - Connected to 3 Dutch IXPs
              • AMS-IX
              • NL-IX
              • GN-IX
          - AMS-IX port is 10 100 MBit/s
          - Outbound traffic via RIPE NCC network
          - About 100 active peers
  • 8. 27th January 2010
      • Announcements began just before midday
          - Instantly maxed out our AMS-IX port
  • 9. RIS View
  • 10. RIS View
      • 14 distinct ASes
      • 26 prefixes
          - /30 to /13
  • 11. Some analysis
      • 900k packet sample taken on 28th January
      • Looked at:
          - Sources
          - Destinations
          - Protocols
  • 12. Packet destinations
      • Two busiest destinations:
          - 90% of packets to 1.1.1.1
          - 3.3% of packets to 1.2.3.4
  • 13. Packet Sources
      • 96,160 unique IP addresses
      • 95% sent ≤ 10 packets
      • 33% sent 1 packet
      • 30% of packets from 23 IP addresses
      • 4.4% from 1 IP address
      • 90% from 43 /8s
      • 15% claims to originate from 10/8
  • 14. Packet Sources
      [Chart; axis labels: %, year in which parent /8 was allocated]
  • 15. Packet Sources
      [Chart; axis labels: %, responsible RIR for parent /8]
  • 16. What was the traffic?
  • 17. What was the traffic?
      • 80% UDP traffic
      • 20% TCP traffic
          - 60% SIP INVITE (VoIP) scans *
          - 50% HTTP
          - 30% Media Gateway Protocol
          - 5.4% SMTP
      * Thanks to Sandro Gauci and others for pointing this out!
  • 18. Feedback
      • Give it to me!
      • Don’t give it to me!
      • Don’t give it to anyone!
      • How representative is this?
          - Is it just ‘normal’ background noise?
          - Isolated data point?
  • 19. Further Research
      • Comparison with other prefixes
      • Announce for longer
          - From a “real” network with high capacity
      • Collect more data
          - Don’t just analyse small samples
  • 20. References
      • RIPE Labs
          - http://labs.ripe.net/content/pollution-18
          - http://labs.ripe.net/node/195
      • Debogon Report
          - http://www.ris.ripe.net/debogon
      • APOPS list
          - http://archive.apnic.net/mailing-lists/apops/archive/2010/02/
      • Reddit.com
          - http://www.reddit.com/r/programming/comments/axltd/pollution_in_10008/
  • 21. Questions?
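
Slides 11 to 13 summarise a packet sample by destination and source. The following is an added example, not code from the talk or from RIPE NCC, that produces the same kind of breakdown; the function name `summarise`, its result keys and the `SAMPLE` records are assumptions made for illustration, and the sample is constructed, not data from the measurement.

```python
import ipaddress
from collections import Counter

NET_10 = ipaddress.ip_network("10.0.0.0/8")  # RFC 1918 space, not routable on the Internet

# Constructed (source, destination) pairs; not data from the talk.
SAMPLE = (
    [("10.1.1.5", "1.1.1.1")] * 3
    + [("192.0.2.7", "1.1.1.1")] * 12
    + [("198.51.100.9", "1.2.3.4")] * 2
    + [("203.0.113.20", "1.1.1.1")]
    + [("203.0.113.21", "1.50.0.1")]
    + [("10.200.0.1", "1.1.1.1")]
)

def summarise(packets, low_volume=10):
    """Break a sample of IPv4 (src, dst) pairs down by destination and source."""
    total = len(packets)
    if total == 0:
        raise ValueError("empty sample")
    dst = Counter(d for _, d in packets)
    # IPv4Address() raises on malformed input instead of miscounting it.
    src = Counter(ipaddress.IPv4Address(s) for s, _ in packets)
    # Parent /8 of a source is its first octet.
    parent8 = Counter()
    for addr, n in src.items():
        parent8[int(addr) >> 24] += n
    from_10 = sum(n for addr, n in src.items() if addr in NET_10)
    sources = len(src)
    return {
        "total": total,
        "top_destinations": [(d, n / total) for d, n in dst.most_common(2)],
        "unique_sources": sources,
        # Share of sources (not packets) at or below the low-volume threshold.
        "sources_low_volume": sum(1 for n in src.values() if n <= low_volume) / sources,
        "sources_single_packet": sum(1 for n in src.values() if n == 1) / sources,
        # Share of all packets sent by the single busiest source.
        "top_source_share": src.most_common(1)[0][1] / total,
        # Packets whose source claims to be in 10/8 (leaked or spoofed).
        "packets_from_10_8": from_10 / total,
        "parent_slash8s": len(parent8),
    }

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```
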
