A day in the life of the internet tells a bigger story

On any given day, the internet carries countless signals that hint at how networks behave behind the scenes. Researchers from RIPE NCC and several universities found a way to capture a detailed snapshot of that activity by studying one day of data from the RIPE Atlas measurement platform. What they uncovered shows how much insight sits inside routine network checks that most people never see.

How one slice of data reveals wide activity

The team examined a single 24-hour period in February 2024 and pulled data from 50,885 measurements. These came from more than 12,000 probes and 810 anchors around the world. Together, they generated more than 1.3 billion results. The researchers selected this day after studying several months of activity to confirm that the volume of probes and measurements fit within a normal range.

RIPE Atlas has been running since 2010, and many probes first connected more than a decade ago. The study found that many long-running probes have logged more than 4,800 days of uptime. Anchors have joined at a steady rate since 2018, which is when support for virtual machine anchors began. While the geographic distribution is uneven, the platform spans 178 countries and more than 4,000 autonomous systems.

When fewer measurements create most of the work

User-defined measurements made up about 77 percent of the measurements on that day. The surprise came when the team looked at how much data each category produced. Anchoring measurements made up only 22.8 percent of all measurements but produced almost 70 percent of all results. Built-in measurements accounted for 21.1 percent and user-defined ones produced 11.4 percent.

Anchors create so much output because they run in a mesh. Every anchor sends pings, traceroutes and HTTP requests to every other anchor and to a set of probes. These run at short intervals, which produced hundreds of millions of records that day.

What anchor paths say about symmetry

Because anchors run traceroutes in both directions, they offered a chance to measure how often paths are symmetric. The team compared traceroute lengths by hop count and by autonomous system count. Only 21 percent of traceroutes matched in hop count in both directions. When viewed at the AS level, about half showed matching length. The researchers note that matching length does not guarantee symmetric paths, but mismatched length rules symmetry out.

DNS checks that hint at interference

One of the built-in measurements queries local resolvers for 50 popular domains. The researchers used these results to spot cases where responses appeared to be injected. They compared the returned IP addresses with the ranges seen when querying Google Public Resolver. If an address fell outside those ranges, it was treated as suspicious.

Some domains showed a pattern of manipulated responses across many probes. Two well-known social media domains stood out, with injected answers on a large share of probes in some regions. Several entertainment services also showed many injected responses. In many cases the returned addresses pointed to unrelated companies or unrelated services.

The study notes that some regions also saw injected responses for search engines, blogging platforms and link redirection services. The researchers say this method can surface blocking strategies that rely on DNS response injection. They add that probe counts differ widely between regions, which can influence how such patterns should be interpreted.
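The comparison described in this section can be sketched in a few lines. This is an added example, not code from the study: the domains, regions, probe IDs and prefixes are constructed (documentation address ranges), and the function names are hypothetical. It also reports the number of answering probes next to each count, since the article notes that probe counts vary widely by region.

```python
import ipaddress
from collections import defaultdict

# Constructed reference data: prefixes seen for each domain when resolving
# through the trusted reference resolver (documentation ranges, RFC 5737).
REFERENCE = {
    "social.example": ["198.51.100.0/24"],
    "video.example": ["203.0.113.0/25"],
}

# Constructed probe results: (probe_id, region, domain, returned A records).
RESULTS = [
    (1001, "AA", "social.example", ["198.51.100.10"]),
    (1002, "AA", "social.example", ["192.0.2.55"]),
    (1003, "BB", "social.example", ["198.51.100.77"]),
    (1004, "BB", "video.example", ["203.0.113.200"]),
    (1005, "BB", "video.example", ["203.0.113.5", "203.0.113.6"]),
    (1006, "BB", "video.example", []),
]

def is_suspicious(domain, answers, reference=REFERENCE):
    """True if any returned address lies outside every reference prefix."""
    nets = [ipaddress.ip_network(p) for p in reference.get(domain, [])]
    if not nets or not answers:
        return False  # nothing to compare; not evidence either way
    return any(
        not any(ipaddress.ip_address(a) in n for n in nets) for a in answers
    )

def suspicious_share(results, reference=REFERENCE):
    """Per (region, domain): (suspicious probes, probes that answered)."""
    counts = defaultdict(lambda: [0, 0])
    for _probe, region, domain, answers in results:
        if not answers:
            continue  # empty answers and timeouts are not counted
        cell = counts[(region, domain)]
        cell[1] += 1
        cell[0] += is_suspicious(domain, answers, reference)
    return {key: tuple(value) for key, value in counts.items()}
```

Keeping the denominator in the output makes it visible when a high share rests on only one or two probes.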

Unexpected IPv4 space shows up in traceroutes

The team then inspected all built-in traceroutes to see whether probes observed any unallocated IPv4 space in transit. They found 1.7 million traceroutes that included addresses from the 240.0.0.0/4 block. That block is reserved and not assigned for public use.

Two large networks generated most of these traces. Both appeared to use the unallocated space inside their environments. A smaller number of traces from other networks appeared to show the same addresses while transiting those large providers. The researchers say this suggests internal use combined with a lack of filtering for that space.

IPv6 behavior points to unusual forwarding

Some special IPv6 addresses must never appear as a source. One of them is the unspecified address, written as :: (double colon). The team checked 95 million IPv6 traceroute results and found about 334,000 that included at least one hop with this source address.

Most of these cases came from a single probe where the address appeared as the first hop. Others appeared in traces where the hops before and after the unspecified address mapped to the same provider. This suggests that some networks forward packets that originate with a source that should not be used.
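Both traceroute checks, the reserved IPv4 block from the previous section and the unspecified IPv6 source here, come down to scanning hop source addresses. The following is an added example, not the researchers' code: the sample results are constructed and laid out like RIPE Atlas traceroute JSON (hops with a list of replies, each reply carrying a "from" address), and the function names are hypothetical.

```python
import ipaddress

RESERVED_V4 = ipaddress.ip_network("240.0.0.0/4")  # reserved, not public
UNSPECIFIED_V6 = ipaddress.ip_address("::")        # must never be a source

# Constructed results shaped like RIPE Atlas traceroute JSON: each hop has
# a list of replies, and a timed-out reply is {"x": "*"} with no "from".
SAMPLE = [
    {"prb_id": 1, "af": 4, "result": [
        {"hop": 1, "result": [{"from": "192.0.2.1", "rtt": 1.2}]},
        {"hop": 2, "result": [{"from": "240.1.2.3", "rtt": 5.0},
                              {"from": "240.1.2.3", "rtt": 5.1}]},
        {"hop": 3, "result": [{"x": "*"}]},
    ]},
    {"prb_id": 2, "af": 6, "result": [
        {"hop": 1, "result": [{"from": "::", "rtt": 0.4}]},
        {"hop": 2, "result": [{"from": "2001:db8::1", "rtt": 3.3}]},
    ]},
    {"prb_id": 3, "af": 4, "result": [
        {"hop": 1, "result": [{"from": "198.51.100.1", "rtt": 0.9}]},
    ]},
]

def classify(address):
    """Return a label if the hop source is one of the two cases above."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4 and addr in RESERVED_V4:
        return "240.0.0.0/4"
    if addr == UNSPECIFIED_V6:
        return "unspecified"
    return None

def flag_hops(results):
    """List (probe, hop number, label, address), once per hop address."""
    findings = []
    for res in results:
        for hop in res.get("result", []):
            sources = {r["from"] for r in hop.get("result", []) if "from" in r}
            for src in sorted(sources):
                label = classify(src)
                if label:
                    findings.append((res["prb_id"], hop["hop"], label, src))
    return findings
```

The hop number in each finding separates the first-hop case the article describes from addresses that show up mid-path.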

User campaigns that create long running patterns

User-defined measurements made up the largest share of activity. One campaign stood out. It involved periodic pings to four content delivery servers run by a major video sharing service. These made up about 25 percent of all user-defined ping measurements. Instead of using a single recurring measurement, the campaign created many one-off tests, one for each hour and country. This created a long-running stream of data that can be used to watch latency patterns over time.

Another set of measurements came from country-level and regional traceroute meshes that the RIPE Atlas team runs. These revealed how often traffic between nearby countries travels through distant networks. In some regions the share of such paths was more than half. The study notes that this reliance on outside transit can cause higher exposure to outages or slowdowns.

The researchers say the goal of the work was to show how much insight already sits inside RIPE Atlas. They encourage others to reuse existing measurements when possible and to document new ones so the community can learn from them.


