Martians Among Us: Observing Private or Reserved IPs on the Public Internet

TL;DR

This study investigates the widespread presence of Bogon IP addresses in Internet traffic over seven years, revealing poor compliance with best practices and highlighting the need for improved network hygiene and source address validation.

Contribution

It provides a comprehensive analysis of Bogon address prevalence using traceroute data and BGP info, and offers recommendations to enhance network security practices.

Findings

High prevalence of Bogon IPs across thousands of ASes.

Majority of Bogon traffic involves RFC1918 addresses.

Significant gap in source address validation implementation.

Abstract

Spoofed traffic has been identified as one of the main issues of concern for network hygiene nowadays, as it facilitates Distributed Denial-of-Service (DDoS) attacks by hiding their origin and complicating forensic investigations. Some indicators of poor network hygiene are packets with Bogon or Martian source addresses representing either misconfigurations or spoofed packets. Despite the development of Source Address Validation (SAV) techniques and guidelines such as BCP 38 and BCP 84, Bogons are often overlooked in the filtering practices of network operators. This study uses traceroute measurements from the CAIDA Ark dataset, enriched with historical BGP routing information from RIPE RIS and RouteViews, to investigate the prevalence of Bogon addresses over seven years (2017-2023). Our analysis reveals widespread non-compliance with best practices, with Bogon traffic detected across thousands of ASes. Notably, 82.69%-97.83% of CAIDA Ark vantage points observe paths containing Bogon IPs, primarily RFC1918 addresses. Additionally, 19.70% of all analyzed traceroutes include RFC1918 addresses, while smaller proportions involve RFC6598 (1.50%) and RFC3927 (0.10%) addresses. We identify more than 13,000 unique ASes transiting Bogon traffic, with only 11.64% appearing in more than half of the measurements. Cross-referencing with the Spoofer project and MANRS initiatives shows a concerning gap: 62.67% of ASes that do not filter packets with Bogon sources are marked as non-spoofable, suggesting incomplete SAV implementation. Our contributions include an assessment of network hygiene using the transiting of Bogon packets as a metric, an analysis of the main types of Bogon addresses found in traceroutes, and several proposed recommendations to address the observed gaps, enforcing the need for stronger compliance with best practices to improve global network security.