Top AS Offenders causing RFC-1918 DNS traffic
Sean Donelan
sean at donelan.com
Sun Sep 15 00:07:02 UTC 2002
On Sat, 14 Sep 2002, Peter Salus wrote:
> It seems to me that some folks may not realize who owns
> John Brown's 5 AS villains.
More information is available than just the previous chart.
http://www.caida.org/~broido/dns/rfc1918.html
"We see that more than half of the updates come from 20 ASes, which is only
0.6% of the total number of autonomous systems. On that aggregation
level, RFC1918 update traffic is clearly dominated by elephants. The
largest numbers come from incumbent telecom carriers for respective
regions, and from cable companies. Backbone ISPs produce fewer updates.
This is not surprising since these ISPs cater mostly to medium and large
business customers who often have fewer, but larger networks and use
globally unique addresses. Even when these corporations use RFC1918
space, they are more likely to be properly configured. The cable and DSL
companies charge for globally unique addresses which encourages
customers to use RFC1918 addresses internally, thus creating more
potential for leakage. Countries, such as China, that are relatively
late in joining the Internet have trouble getting enough global address
space allocated from the registries."
My analysis of the same data might vary a bit. I tend to assume the
clue-level (or lack of clue) is more or less uniformly distributed.
I'm a bit suspicious of the theory that large corporations are more
likely to have properly configured RFC1918.
My suspicion is that half of the updates are transiting through
providers serving individuals and small businesses without their
own ASN so the updates appear to come from the provider's ASN. The
other half of the updates are transiting through providers serving
medium and large businesses with separate ASNs. NSPs (i.e. backbone
ISPs) probably have fewer updates from their backbone ASN because
more of their customers have a separate ASN.