Loopy Loop

Imagine this scenario: You have two routers in two different datacentres, both running full routes, both connected directly to each other, and both peering with Tier 1 upstream providers. Then suddenly the traffic between both routers skyrockets, but none of the other interfaces have any increase in traffic. This happened to me a few years ago. What could possibly be going on? Well, here are two clues: RFC1918 and TTL. Did you work it out yet?

Yes, after about a week of banging my head against the wall I finally decided it was time to get the protocol sniffer (Wireshark) out. As soon as I took a look at the capture between the two routers it was blindingly obvious what was going on, and I was kicking myself for not realising it and double kicking myself for not having placed the obvious safeguards in place to prevent it.

Yep, a customer attached to a downstream router was sending traffic to an RFC1918 address. This was following the default route to the first router, which (not having RFC1918 routes in its table) sent it to the second router via its default route, which for the same reason sent it back again. This continued until the TTL expired and the packet died.

Why was I kicking myself? Well, on the Internet it’s standard practice for RFC1918 traffic to be null routed to avoid exactly these problems, and you’ve guessed it – I forgot to do this.
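The loop described above, as an added example that is not part of the original post: a small Python simulation of two routers whose default routes point at each other, forwarding by longest-prefix match with and without RFC1918 null routes. The router names, the sample public prefix, the destination addresses and the starting TTL are constructed assumptions.

```python
import ipaddress

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def make_table(default_next_hop, null_route_rfc1918):
    """Build a routing table as a list of (network, next_hop) entries."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), default_next_hop)]
    if null_route_rfc1918:
        table += [(ipaddress.ip_network(p), "null") for p in RFC1918]
    return table

def build(null_route_rfc1918):
    # Constructed topology: each router defaults to the other; one sample
    # public prefix (documentation range) stands in for the full table.
    public = (ipaddress.ip_network("198.51.100.0/24"), "upstream")
    return {
        "R1": make_table("R2", null_route_rfc1918) + [public],
        "R2": make_table("R1", null_route_rfc1918) + [public],
    }

def lookup(table, dst):
    """Longest-prefix match: the most specific covering route wins."""
    matches = [(net, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forward(routers, first, dst, ttl=64):
    """Follow one packet; return (outcome, inter-router link crossings)."""
    dst = ipaddress.ip_address(dst)
    current, crossings = first, 0
    while True:
        ttl -= 1  # each router decrements the TTL before forwarding
        if ttl <= 0:
            return "ttl_expired", crossings
        hop = lookup(routers[current], dst)
        if hop == "null":
            return "dropped_null_route", crossings
        if hop == "upstream":
            return "sent_upstream", crossings
        current, crossings = hop, crossings + 1

if __name__ == "__main__":
    for fixed in (False, True):
        print("null routes:", fixed, forward(build(fixed), "R1", "10.1.2.3"))
```

Without the null routes, a single stray packet crosses the inter-router link dozens of times before its TTL runs out, which is why only that link shows the traffic increase.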


Author: Simon Chamberlain

An experienced Network Professional writing yet another blog
