Radu Anghel (TU Delft), Carlos Gañán (ICANN), Qasim Lone (RIPE NCC), Matthew Luckie (CAIDA), Yury Zhauniarovich (TU Delft)
Spoofed traffic remains a major network hygiene concern, as it enables Distributed Denial-of-Service (DDoS) attacks by obscuring attack origins and hindering forensic analysis. A key indicator of poor hygiene is the presence of Bogon traffic— packets carrying invalid or non-routable source addresses—in the public Internet, arising from misconfigurations or insufficient filtering. Despite long-standing Source Address Validation (SAV) recommendations such as BCP 38 and BCP 84, Bogon filtering remains inconsistently deployed. In this work, we analyze eight years (2017–2024) of traceroute measurements from the CAIDA Ark platform, enriched with historical BGP data from RIPE RIS and RouteViews, to quantify the prevalence and characteristics of Bogon addresses in the data plane. We observe widespread noncompliance with best practices: between 82.69% and 97.83% of Ark vantage points encounter traceroute paths containing Bogon IPs, predominantly RFC1918 addresses. Overall, 21.11% of traceroutes include RFC1918 addresses, with smaller fractions involving RFC6598 (1.68%) and RFC3927 (0.08%). We identify over 15,500 Autonomous Systems (ASes) that transit Bogon traffic, although only 11.88% do so in more than half of the measurements. Cross-referencing with the Spoofer project and MANRS reveals a significant gap between control- and data-plane assurances: 52.71% of ASes forwarding Bogon-sourced packets are classified as non-spoofable, indicating incomplete or ineffective SAV deployment.