6.13.2011

Adventures in Internet Pollution

One of my coworkers noticed a large and sudden increase in unallocated bogons on the Internet. This normally indicates a new set of IP allocations have been advertised in BGP before the regional registries have had time to update, and, indeed, such was the case here. However, something was different--immensely different: among the blocks being advertised was 191.0.0.0/8, LACNIC's last IPv4 block.

Taken from http://bgp.he.net/AS237

What my coworker saw was this:

Bogon Prefixes
#PrefixType
1131.0.0.0/16unallocated
2131.72.0.0/16unallocated
3131.100.0.0/16unallocated
4131.108.0.0/16unallocated
5131.161.0.0/16unallocated
6131.221.0.0/16unallocated
7131.255.0.0/16unallocated
8132.157.0.0/16unallocated
9132.184.0.0/16unallocated
10132.191.0.0/16unallocated
11132.251.0.0/16unallocated
12132.255.0.0/16unallocated
13138.0.0.0/16unallocated
14138.36.0.0/16unallocated
15138.59.0.0/16unallocated
16138.94.0.0/16unallocated
17138.97.0.0/16unallocated
18138.99.0.0/16unallocated
19138.117.0.0/16unallocated
20138.118.0.0/16unallocated
21138.121.0.0/16unallocated
22138.122.0.0/16unallocated
23138.185.0.0/16unallocated
24138.186.0.0/16unallocated
25138.204.0.0/16unallocated
26138.219.0.0/16unallocated
27138.255.0.0/16unallocated
28143.0.0.0/16unallocated
29143.137.0.0/16unallocated
30143.202.0.0/16unallocated
31143.208.0.0/16unallocated
32143.255.0.0/16unallocated
33148.0.0.0/16unallocated
34148.101.0.0/16unallocated
35148.102.0.0/16unallocated
36148.103.0.0/16unallocated
37148.255.0.0/16unallocated
38152.0.0.0/16unallocated
39152.156.0.0/16unallocated
40152.166.0.0/16unallocated
41152.167.0.0/16unallocated
42152.168.0.0/16unallocated
43152.169.0.0/16unallocated
44152.170.0.0/16unallocated
45152.171.0.0/16unallocated
Bogon Prefixes
#PrefixType
46152.172.0.0/16unallocated
47152.173.0.0/16unallocated
48152.174.0.0/16unallocated
49152.175.0.0/16unallocated
50152.200.0.0/16unallocated
51152.201.0.0/16unallocated
52152.202.0.0/16unallocated
53152.203.0.0/16unallocated
54152.204.0.0/16unallocated
55152.205.0.0/16unallocated
56152.206.0.0/16unallocated
57152.207.0.0/16unallocated
58152.230.0.0/16unallocated
59152.231.0.0/16unallocated
60152.232.0.0/16unallocated
61152.233.0.0/16unallocated
62152.234.0.0/16unallocated
63152.235.0.0/16unallocated
64152.236.0.0/16unallocated
65152.237.0.0/16unallocated
66152.238.0.0/16unallocated
67152.239.0.0/16unallocated
68152.240.0.0/16unallocated
69152.241.0.0/16unallocated
70152.242.0.0/16unallocated
71152.243.0.0/16unallocated
72152.244.0.0/16unallocated
73152.245.0.0/16unallocated
74152.246.0.0/16unallocated
75152.247.0.0/16unallocated
76152.248.0.0/16unallocated
77152.249.0.0/16unallocated
78152.250.0.0/16unallocated
79152.251.0.0/16unallocated
80152.252.0.0/16unallocated
81152.253.0.0/16unallocated
82152.254.0.0/16unallocated
83152.255.0.0/16unallocated
84161.10.0.0/16unallocated
85161.18.0.0/16unallocated
86161.22.0.0/16unallocated
87161.56.0.0/16unallocated
88161.138.0.0/16unallocated
89161.140.0.0/16unallocated
90161.212.0.0/16unallocated
Bogon Prefixes
#PrefixType
91161.234.0.0/16unallocated
92161.255.0.0/16unallocated
93167.0.0.0/16unallocated
94167.56.0.0/16unallocated
95167.57.0.0/16unallocated
96167.58.0.0/16unallocated
97167.59.0.0/16unallocated
98167.60.0.0/16unallocated
99167.61.0.0/16unallocated
100167.62.0.0/16unallocated
101167.63.0.0/16unallocated
102167.108.0.0/16unallocated
103167.116.0.0/16unallocated
104167.249.0.0/16unallocated
105167.250.0.0/16unallocated
106168.0.0.0/16unallocated
107168.90.0.0/16unallocated
108168.121.0.0/16unallocated
109168.181.0.0/16unallocated
110168.194.0.0/16unallocated
111168.195.0.0/16unallocated
112168.196.0.0/16unallocated
113168.197.0.0/16unallocated
114168.205.0.0/16unallocated
115168.227.0.0/16unallocated
116168.228.0.0/16unallocated
117168.232.0.0/16unallocated
118170.0.0.0/16unallocated
119170.78.0.0/16unallocated
120170.79.0.0/16unallocated
121170.80.0.0/16unallocated
122170.81.0.0/16unallocated
123170.82.0.0/16unallocated
124170.83.0.0/16unallocated
125170.84.0.0/16unallocated
126170.150.0.0/16unallocated
127170.231.0.0/16unallocated
128170.233.0.0/16unallocated
129170.238.0.0/16unallocated
130170.239.0.0/16unallocated
131170.244.0.0/16unallocated
132170.245.0.0/16unallocated
133170.246.0.0/16unallocated
134170.247.0.0/16unallocated
135170.254.0.0/16unallocated
136191.0.0.0/8unallocated

All of these blocks belong to LACNIC, and, until very recently, they were unallocated. But who could possibly be allowed to acquire 135 slash-sixteens and a slash-eight at a time like this? All of these, it turns out, are being originated by AS237, otherwise known as Merit Network. Sound familiar? Here, then, we have the owners of the world's largest routing registry originating very nearly every (v4) block LACNIC have left, at the same time. What did they plan to do with all those IPs? I decided the easiest way to find out would be to simply ask Merit.

Querying the RADb produced the following:

route:      191.0.0.0/8
descr:      Merit Network Inc.
            1000 Oakbrook Drive, Suite 200
            Ann Arbor
            MI 48104, USA
origin:     AS237
mnt-by:     MAINT-AS237
remarks:    This announcement is part of an LACNIC approved experiment.
            For additional information please send email to mkarir@merit.edu
changed:    mkarir@merit.edu 20110608
source:     RADB

So LACNIC approved the release of nearly a slash-eight and a half to Merit for... an experiment? Yes, that's exactly right--and it's an important one, at that.

Last year, Merit and the University of Michigan conducted a (presumably) similar experiment with APNIC for 1.0.0.0/8. By announcing the unallocated block on the Internet and observing the resulting traffic, they were able to check the block for "pollution": unexpected (and unwanted) traffic bound for the addresses within. Though you might not think there would be much demand for a slash-eight that had never been used before, the assembled team found several kinds of errant traffic bound for the block, of which audio traffic composed the overwhelming majority!

Be sure to read the full presentation; it really helps you appreciate all that goes into keeping the web afloat.

2 comments:

  1. dish internet administration, or remote broadband specialist co-ops benefit your territory.Verizon Fios Double Play

    ReplyDelete