> On 20210915, at 19:25, Stephen Strowes <s...@sdstrowes.co.uk> wrote:
> 
> 
> On 9/15/21 11:32 AM, Jeroen Massar via ripe-atlas wrote:
>> Hi Folks,
>> 
>> Has anybody ever run an all-probe traceroute and then tried to detect any RFC1918 
>> addresses in there? (though many probes will have locally some RFC1918)
> 
> 
> Since probes are running measurements to many targets already, the full 
> dataset will uncover a lot without having to run more measurements.
> 
> A quick query: 
> https://gist.github.com/sdstrowes/e9d4a3c7c03dd1aafa3198333cc39ffa
> 
> Out of ~106M IPv4 traceroutes, this finds ~6M that contain 10.0.0.0/8 in an 
> ICMP response more than 4 hops from the origin. That's not the smartest 
> approach, but it's a good ballpark of what's in the data.
> 
> It'd be reasonably easy to take that and whittle it down to a set of probes 
> and/or probe ASNs that see this. With more work it'd be possible to identify 
> ASNs on the forward path as a strong hint (asymmetric routing to one side) of 
> where these pass through.


Good one. Indeed, if one can go through the existing traceroute data, one would 
have the possibility to detect these.

Any way we could automate this into a nice warning page along with the 
probability that an ASN is the cause of passing on RFC1918 (and thus likely not 
filtering at all)?

Greets,
 Jeroen
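
The heuristic discussed in this thread (private addresses answering more than 4 hops from the probe, then whittled down to a set of probes), as an added example that is not part of the original messages and is not the query from the linked gist. It goes beyond the 10.0.0.0/8 case to all three RFC1918 blocks; the sample results are constructed, and the field names (`prb_id`, `af`, `result`, `hop`, `from`) assume the RIPE Atlas traceroute result JSON layout.

```python
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_HOP = 5  # "more than 4 hops from the origin": skips the probe's own LAN/CPE

# Constructed sample results (public hops use documentation address ranges).
SAMPLE = [
    {"prb_id": 1001, "af": 4, "result": [
        {"hop": 1, "result": [{"from": "192.168.1.1", "rtt": 0.6}]},
        {"hop": 6, "result": [{"from": "10.20.30.1", "rtt": 9.8}]},
        {"hop": 7, "result": [{"from": "203.0.113.7", "rtt": 11.2}]}]},
    {"prb_id": 1002, "af": 4, "result": [
        {"hop": 3, "result": [{"from": "10.0.0.1", "rtt": 2.1}]},
        {"hop": 5, "result": [{"x": "*"}]},  # timeout: no "from" field
        {"hop": 6, "result": [{"from": "198.51.100.9", "rtt": 14.0}]}]},
    {"prb_id": 1001, "af": 4, "result": [
        {"hop": 5, "result": [{"from": "172.16.5.1", "rtt": 7.3}]},
        {"hop": 8, "result": [{"from": "10.1.1.1", "rtt": 12.5}]}]},
]

def private_hops(measurement, min_hop=MIN_HOP):
    """Sorted (hop, address) pairs where an RFC1918 source replied at hop >= min_hop."""
    found = set()
    for hop in measurement.get("result", []):
        hop_no = hop.get("hop")
        if hop_no is None or hop_no < min_hop:
            continue
        for reply in hop.get("result", []):  # hop entries with only "error" have no replies
            src = reply.get("from")
            if not src:
                continue
            try:
                addr = ipaddress.ip_address(src)
            except ValueError:
                continue  # malformed address in the data: ignore the reply
            if addr.version == 4 and any(addr in net for net in RFC1918):
                found.add((hop_no, src))
    return sorted(found)

def probes_seeing_rfc1918(measurements):
    """Per probe id, the number of IPv4 traceroutes with a deep RFC1918 hop."""
    counts = Counter()
    for m in measurements:
        if m.get("af", 4) == 4 and private_hops(m):
            counts[m["prb_id"]] += 1
    return dict(counts)
```

Mapping the flagged probe ids to their ASNs, as suggested in the thread, needs probe metadata that is not part of the traceroute result itself.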


