soft probe sending out UDP frames
Dear All, month ago I installed a soft probe. I have running ripe-atlas-common 5110, ripe-atlas-probe 5110, ripe-atlas-repo 1.5-3 on Debian 12 bookworm. These days I realised something where I need some explaination. When I look at the types of measurements then I would expect a certain amount of services that can go out. Like ping, traceroute, dns, tls, http and ntp. Now I saw that the probe sends out to about 89 different IP addresses ( IPv4 as well IPv6 ) UDP frames. I looked for a period of about a day. Each destination is probed with a specific port number. And this again and again all over the time. So each combination of destination IP and destination port is unique. The ports are high ports above 32k and as far as I can see there is never a reply. (Probably not necessary for UDP) There are a little bit more than 60 frames per hour. That's about 1 UDP frame per minute. Not to say, if I switch off the ripe-atlas.service this phenomena doesn't happen. Is there any explanation for this behaviour ? I can only imagine that these destinations are monitoring servers from ripe and my soft probe says: "hello, I am still alive ! ". ( I didn't dig into the UDP frame itself) Kind regards Hans -- The destination IP's are well distributed around the world.
Hi Hans, What you are seeing here are likely traceroute measurements, which by default use UDP with high ports to provoke routers into returning "time exceeded" packets to your probe. These measurements can have various targets, but many of them will be the built-in traceroutes to the root servers: https://atlas.ripe.net/docs/getting-started/built-in-measurements#traceroute... Regards, Chris Amin RIPE NCC On Wed, 29 Oct 2025 at 20:56, Hans Mayer via ripe-atlas <ripe-atlas@ripe.net> wrote:
Dear All,
month ago I installed a soft probe. I have running ripe-atlas-common 5110, ripe-atlas-probe 5110, ripe-atlas-repo 1.5-3 on Debian 12 bookworm. These days I realised something where I need some explaination.
When I look at the types of measurements then I would expect a certain amount of services that can go out. Like ping, traceroute, dns, tls, http and ntp. Now I saw that the probe sends out to about 89 different IP addresses ( IPv4 as well IPv6 ) UDP frames. I looked for a period of about a day. Each destination is probed with a specific port number. And this again and again all over the time. So each combination of destination IP and destination port is unique. The ports are high ports above 32k and as far as I can see there is never a reply. (Probably not necessary for UDP) There are a little bit more than 60 frames per hour. That's about 1 UDP frame per minute.
Not to say, if I switch off the ripe-atlas.service this phenomena doesn't happen.
Is there any explanation for this behaviour ? I can only imagine that these destinations are monitoring servers from ripe and my soft probe says: "hello, I am still alive ! ". ( I didn't dig into the UDP frame itself)
Kind regards Hans
--
The destination IP's are well distributed around the world.
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/ripe-atlas.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Hi Chris, many thanks for this hint. I didn't think about this. Are are right, this could be the reason. Kind regards Hans -- On 30.10.25 09:35, Christopher Amin wrote:
Hi Hans,
What you are seeing here are likely traceroute measurements, which by default use UDP with high ports to provoke routers into returning "time exceeded" packets to your probe.
These measurements can have various targets, but many of them will be the built-in traceroutes to the root servers:
https://atlas.ripe.net/docs/getting-started/built-in-measurements#traceroute...
Regards, Chris Amin RIPE NCC
On Wed, 29 Oct 2025 at 20:56, Hans Mayer via ripe-atlas <ripe-atlas@ripe.net> wrote:
Dear All,
month ago I installed a soft probe. I have running ripe-atlas-common 5110, ripe-atlas-probe 5110, ripe-atlas-repo 1.5-3 on Debian 12 bookworm. These days I realised something where I need some explaination.
When I look at the types of measurements then I would expect a certain amount of services that can go out. Like ping, traceroute, dns, tls, http and ntp. Now I saw that the probe sends out to about 89 different IP addresses ( IPv4 as well IPv6 ) UDP frames. I looked for a period of about a day. Each destination is probed with a specific port number. And this again and again all over the time. So each combination of destination IP and destination port is unique. The ports are high ports above 32k and as far as I can see there is never a reply. (Probably not necessary for UDP) There are a little bit more than 60 frames per hour. That's about 1 UDP frame per minute.
Not to say, if I switch off the ripe-atlas.service this phenomena doesn't happen.
Is there any explanation for this behaviour ? I can only imagine that these destinations are monitoring servers from ripe and my soft probe says: "hello, I am still alive ! ". ( I didn't dig into the UDP frame itself)
Kind regards Hans
--
The destination IP's are well distributed around the world.
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/ripe-atlas.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
participants (2)
-
Christopher Amin -
Hans Mayer