Aliens Among Us: Observing Private or Reserved IPs on the Public Internet
Radu Anghel
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Network Security
IP address spoofing remains a fundamental enabler of volumetric DDoS attacks, with nearly half of layer 3/4 attacks involving spoofed packets. While Source Address Validation (SAV) can solve this problem, deployment remains incomplete. This talk introduces a novel passive measurement methodology using **CAIDA's Ark traceroute dataset** to detect **bogon packets** -- packets with private, reserved, or unallocated IP source addresses -- traversing the public internet. Analyzing **eight years of data (2017-2024)** covering **11 million traceroutes**, the researchers find that **20% of all visible autonomous systems** have exhibited at least one bogon, the number is slightly increasing over time, and even networks that have pledged to implement anti-spoofing best practices through **MANRS** still show bogon traffic.
AI review
A solid internet measurement study that quantifies bogon prevalence across 8 years of CAIDA Ark data. The 20% AS coverage finding and MANRS compliance gap are useful data points. However, this is network measurement research, not security research -- no new attacks, no exploitation, and the connection between bogon presence and actual spoofing capability is acknowledged as unvalidated. The observation that attackers could use this data to select spoofing-friendly networks is interesting but theoretical.