Traffic to 5/8 and 37/8 - stats on RIPE Labs


During NANOG 51, Manish Karir gave a Lightning Talk showing how much and what kind of traffic is going to unallocated address space in 5/8 and 37/8 (among other ranges he tested).

This is now also available on RIPE Labs:

Kind Regards,
Mirjam Kuehne

Doesn't the LogMeIn Hamachi "VPN service" use Perhaps the spikes to or the space in general are from fluctuations or waves of disconnects of Hamachi users, so when they are disconnected their Hamachi traffic heads out in to the DFZ? This service is particularly popular amongst gamers who like to play LAN games over the Internet when Internet play is not possible, which could account for the diverse set of source addresses and UDP traffic (and I'm sure a long tail of other applications/uses)

I can't say I am terribly familiar with the service, but it is one of the first things that came to mind when reading the RIPE writeup.

It would be interesting to see what the distribution of source/destination ports are in the traffic headed into 5/8 or to see if they can be correlated to common games or applications that may be used over Hamachi.


First Impressions of Pollution in Two RIPE NCC Darknets | RIPE Labs

Quote from the link:

Note that in the 37/8, most traffic comes from TTLs around 100. These are Linux hosts.
The smaller humps are at ~32 (Windows) and ~250 (Solaris).

I don't agree. TTL around 100 is most probably Windows hosts with initial TTL of 128.
Everything below 64 can be Linux or FreeBSD. ~250 can be Solaris host but Cisco
IOS also set initial TTL to 255.