How device misconfiguration drives TCP traffic to parts of 1.0.0.0/8 -- an initial investigation

The Internet community is near the ‘bottom of the barrel’ for unallocated IPv4 address prefixes. Network 1.0.0.0/8 was allocated in January 2010 for use on the public Internet, despite being unofficially utilised in various ways for many years. Recent work has revealed this prefix to be quite ‘dirty’, with significant levels of public UDP and TCP traffic already inbound to certain parts of 1.0.0.0/8. By running a simplified honeypot on 1.1.1.0/24 and 1.2.3.0/24 for two days in March 2010 we have elicited new insights into the nature of the TCP traffic polluting these prefixes. Our honeypot replied to inbound TCP SYN packets with a SYN-ACK, thereby eliciting a variety of subsequent response packets from sources actively trying to connect into 1.1.1.0/24 or 1.2.3.0/24 space. By analyzing captured packet payloads, sequences, retransmission patterns and burst rates within such TCP flows, we find that most TCP traffic into these prefixes is caused by some form of misconfiguration rather than malice, and we discuss the possible causes for these misconfigurations.