Top AS Offenders causing RFC-1918 DNS traffic

Sean Donelan sean at donelan.com
Sun Sep 15 00:07:02 UTC 2002


On Sat, 14 Sep 2002, Peter Salus wrote:
> It seems to me that some folks may not realize who owns
> John Brown's 5 AS villains.

More information is available than just the previous chart.

http://www.caida.org/~broido/dns/rfc1918.html

 "We see that more than half of the updates come from 20 ASes, which is only
 0.6% of the total number of autonomous systems. On that aggregation
 level, RFC1918 update traffic is clearly dominated by elephants. The
 largest numbers come from incumbent telecom carriers for respective
 regions, and from cable companies. Backbone ISPs produce fewer updates.
 This is not surprising since these ISPs cater mostly to medium and large
 business customers who often have fewer, but larger networks and use
 globally unique addresses. Even when these corporations use RFC1918
 space, they are more likely to be properly configured. The cable and DSL
 companies charge for globally unique addresses which encourages
 customers to use RFC1918 addresses internally, thus creating more
 potential for leakage. Countries, such as China, that are relatively
 late in joining the Internet have trouble getting enough global address
 space allocated from the registries."

My analysis of the same data might vary a bit. I tend to assume the
clue-level (or lack of clue) is more or less uniformly distributed.
I'm a bit suspicious of the theory that large corporations are more
likely to have properly configured RFC1918.

My suspicion is that half of the updates are transiting through
providers serving individuals and small businesses without their
own ASN so the updates appear to come from the provider's ASN.  The
other half of the updates are transiting through providers serving
medium and large businesses with separate ASNs. NSPs (i.e. backbone
ISPs) probably have fewer updates from their backbone ASN because
more of their customers have a separate ASN.



