Martians Among Us: Observing Private or Reserved IPs on the Public Internet

Radu Anghel, Qasim Lone, Matthew Luckie, Carlos Gañán, Yury Zhauniarovich

TL;DR

The paper addresses the persistent problem of IP spoofing by quantifying Bogon and Martian address usage on the public Internet over seven years using CAIDA Ark traceroutes, augmented with historical BGP data from RIPE RIS and RouteViews. It foregrounds Source Address Validation (SAV) as essential for network hygiene and evaluates SAV deployment through cross-dataset comparisons with CAIDA Spoofer and MANRS. Key findings include that a large majority of Ark vantage points observe Bogon-containing paths (over 80%), a substantial share of traceroutes carry RFC1918 and other Bogon types, and hundreds of ASes consistently transit Bogons, with many remaining non-spoofable according to Spoofer data. The work also reveals regional and organizational patterns, highlights gaps between operator commitments (MANRS) and actual Bogon filtering, and offers recommendations to strengthen SAV deployment and collaboration for improved global Internet security.

Abstract

Spoofed traffic has been identified as one of the main issues of concern for network hygiene nowadays, as it facilitates Distributed Denial-of-Service (DDoS) attacks by hiding their origin and complicating forensic investigations. Some indicators of poor network hygiene are packets with Bogon or Martian source addresses representing either misconfigurations or spoofed packets. Despite the development of Source Address Validation (SAV) techniques and guidelines such as BCP 38 and BCP 84, Bogons are often overlooked in the filtering practices of network operators. This study uses traceroute measurements from the CAIDA Ark dataset, enriched with historical BGP routing information from RIPE RIS and RouteViews, to investigate the prevalence of Bogon addresses over seven years (2017-2023). Our analysis reveals widespread non-compliance with best practices, with Bogon traffic detected across thousands of ASes. Notably, 82.69%-97.83% of CAIDA Ark vantage points observe paths containing Bogon IPs, primarily RFC1918 addresses. Additionally, 19.70% of all analyzed traceroutes include RFC1918 addresses, while smaller proportions involve RFC6598 (1.50%) and RFC3927 (0.10%) addresses. We identify more than 13,000 unique ASes transiting Bogon traffic, with only 11.64% appearing in more than half of the measurements. Cross-referencing with the Spoofer project and MANRS initiatives shows a concerning gap: 62.67% of ASes that do not filter packets with Bogon sources are marked as non-spoofable, suggesting incomplete SAV implementation. Our contributions include an assessment of network hygiene using the transiting of Bogon packets as a metric, an analysis of the main types of Bogon addresses found in traceroutes, and several proposed recommendations to address the observed gaps, enforcing the need for stronger compliance with best practices to improve global network security.
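As an added illustration (not code from the paper or its authors), the sketch below classifies traceroute hop addresses into the three Bogon classes named in the abstract and computes the share of traceroutes containing each. The function names, the rule of ignoring Bogon hops before the first non-Bogon hop, and the sample hop lists are assumptions of this example; the paper's own pipeline also uses BGP data, which is not modelled here.

```python
import ipaddress

# The three bogon classes named in the abstract, with their RFC-defined IPv4 prefixes.
BOGON_PREFIXES = {
    "RFC1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),  # private use
    "RFC6598": ("100.64.0.0/10",),                                 # shared space (CGN)
    "RFC3927": ("169.254.0.0/16",),                                # link-local
}
_NETS = [(cls, ipaddress.ip_network(p)) for cls, ps in BOGON_PREFIXES.items() for p in ps]

def classify_hop(addr):
    """Bogon class of a hop, 'other' if outside the listed ranges, None if not an IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # unresponsive hop ("*") or malformed field
    return next((cls for cls, net in _NETS if ip in net), "other")

def transit_bogons(hops):
    """(hop number, address, class) for bogon hops seen after the first non-bogon hop.

    Assumption of this example: bogon hops before the first non-bogon hop belong to
    the vantage point's own access network (NAT/CGN) and are not counted.
    """
    found, left_edge = [], False
    for n, addr in enumerate(hops, start=1):
        cls = classify_hop(addr)
        if cls == "other":
            left_edge = True
        elif cls is not None and left_edge:
            found.append((n, addr, cls))
    return found

def share_by_class(traces):
    """Fraction of traceroutes with at least one counted bogon hop, per class."""
    hits = {cls: 0 for cls in BOGON_PREFIXES}
    for hops in traces:
        for cls in {c for _, _, c in transit_bogons(hops)}:
            hits[cls] += 1
    return {cls: count / len(traces) for cls, count in hits.items()}

# Constructed hop lists; documentation-range addresses stand in for routed public hops.
SAMPLE_TRACES = [
    ["192.168.1.1", "198.51.100.1", "10.20.30.1", "203.0.113.9"],
    ["192.168.0.1", "100.64.0.1", "198.51.100.7", "*", "203.0.113.20"],
    ["198.51.100.1", "100.72.5.1", "169.254.3.3", "203.0.113.30"],
    ["198.51.100.1", "192.0.2.5", "203.0.113.40"],
]

if __name__ == "__main__":
    for cls, share in share_by_class(SAMPLE_TRACES).items():
        print(f"{cls}: {share:.0%} of traceroutes")
```

A hop address in a traceroute is the source address of the ICMP reply that reached the vantage point, so each counted hop is a packet with a Bogon source that was forwarded rather than filtered.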

Paper Structure

This paper contains 27 sections, 2 equations, 15 figures, 10 tables.

Figures (15)

  • Figure 1: Approach idea
  • Figure 2: Bogon addresses identification overview
  • Figure 3: Number of Vantage Points
  • Figure 4: Number of Traceroutes with Bogon addresses
  • Figure 5: % of Traceroutes with Unrouted Destinations
  • ...and 10 more figures