When 1.1.1.1 launched here in Spain, it was inaccessible from several major carriers. Some had network-wide routing problems to that IP address, and some had installed CPEs that included static routes to 1.1.1.0/24 and stuff like that, probably for internal purposes.
None of this strikes me as odd, let alone malicious. It's such a weird IP range, I even remember having my LAN configured as 1.0.0.0/24 at some point, because who would ever use those IP addresses?
Also reminds me of when Spanish ISPs were given IP ranges by RIPE for their customers beginning with 37.* -- those had never been used, so many network administrators had them added to their bogon list, which meant for those customers lots of web pages were inaccessible. The solution was to reboot their CPEs until they got a good ol' IP address from the ol' ranges :D
Nothing like that is an excuse. You have 10.0.0.0 for that - it's huge and you can use it for whatever you want without stepping on anyone's toes.
There are absolutely zero reasons I've seen so far (I'd be interested to hear abstruse ones? "I thought who cares" isn't one) to avoid using one of the private ranges.
10.0.0.0/8 isn't even noticeably harder to remember or type, really.
Using the 10/8 or any of the other RFC1918 ranges had great potential to step on their customers' toes. That is exactly why, rightly or wrongly, they used the 1.1.1.0/24 range. Hardware manufacturers generally used the range for interfaces that were local to the device and often only used on interfaces internal to the device. They knew this equipment would be deployed into environments where RFC1918 addressing would be used but they had no idea what RFC1918 address ranges, so using addressing from the RFC1918 networks meant potentially impacting their customers' data. They chose to instead use addressing which at the time they believed would not impact their customers.
APNIC is not blameless here. They knew the issues with this space when it was assigned to them as a research network. For quite a while they allowed Google to advertise the space and collect data on its usage. I assume Google no longer was providing the infrastructure to do so and APNIC saw an opportunity to have someone collect data for them for free.
Collecting data on traffic sent to this IP range is one thing, but approving its use for a service available to the public, knowing the accompanying issues much of the public would have accessing it, is in my opinion not responsible use of a research network.
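An added example, not part of any comment in the thread: a short Python audit that flags the two failure modes discussed here, internal prefixes placed outside RFC 1918 space and bogon-filter entries that now cover addresses in public use. The `audit` function, the finding labels, the `NOW_PUBLIC` list and the sample entries are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private space, which the thread says internal addressing belongs in.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Blocks the thread describes as once unused and now in public use.
# Assumption for this example; a real audit would load the current IANA registry.
NOW_PUBLIC = [ipaddress.ip_network(n) for n in ("1.0.0.0/8", "37.0.0.0/8")]


def audit(entries):
    """Return (prefix, finding) pairs for risky entries.

    entries: iterable of (kind, prefix); kind is "internal" (LAN, static
    route, device-internal interface) or "bogon" (drop-filter entry).
    """
    findings = []
    for kind, text in entries:
        # strict=False accepts host-style input such as 1.1.1.1/24
        net = ipaddress.ip_network(text, strict=False)
        public = any(net.overlaps(p) for p in NOW_PUBLIC)
        if kind == "internal" and not any(net.subnet_of(r) for r in RFC1918):
            # Traffic for the real owners of this space never leaves the box.
            findings.append((str(net), "shadows-public" if public else "not-rfc1918"))
        elif kind == "bogon" and public:
            # The filter drops traffic from legitimately assigned customers.
            findings.append((str(net), "stale-bogon"))
    return findings


# Constructed sample configuration, not taken from any real device.
SAMPLE = [
    ("internal", "1.1.1.1/24"),
    ("internal", "1.0.0.0/24"),
    ("internal", "10.20.0.0/16"),
    ("internal", "192.168.1.0/24"),
    ("bogon", "37.0.0.0/8"),
    ("bogon", "10.0.0.0/8"),
]

if __name__ == "__main__":
    for prefix, finding in audit(SAMPLE):
        print(f"{prefix:<16} {finding}")
```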