Reverse address lookup servers routinely see escaped attempts to resolve ULA and rfc1918. If you can tie the resolver to other valid data, you know inside state.

Public services see one way (no TCP return flow possible) from almost any source IP. If you can tie that from other corroborated data, the same: you see packets from "inside" all the time.

Darknet collection during final /8 run-down captured audio in UDP.

Firewalls? ACLs? Pah. Humbug.

▲

_gmax1 7 hours ago | parent [-]

"Darknet collection during final /8 run-down captured audio in UDP."

Mind elaborating on this? SIP traffic from which year?

	▲	ggm 7 hours ago \| parent \| next [-]
		2010/2011 time frame. Google and others helped sink the traffic, all written up at apnic labs. It's how 1.1.1.0/24 got held back from general release.
	▲	LtdJorge 7 hours ago \| parent \| prev [-]
		RTP I’d say