that's really interesting. i have a non-ccie question, though:
if it's sending packets on a dance through a virtual network, why does that have to use public addresses? would using a private network (eg 10.0.0.0) not have worked? why not? (and is it odd for people to still have unused /24 lying around?)
Main reason: You need to have reverse DNS that resolves each IP address to the appropriate Star Wars line. You don't have control over the reverse DNS for IP space you don't own (such as 10.0.0.0/8). Without the reverse DNS you'd just see IP addresses in the traceroute output, and no "It.is.a.period.of.civil.war."
Secondary reason: To prevent IP address spoofing, many routers have "reverse path filtering," which drops packets with source IP addresses that shouldn't be coming from the interface they're coming from. This would put a stop to the ICMP TTL exceeded messages and you'd just see stars in the traceroute output.
There is a surprising amount of unused IP address space out there, which can happen when, for example, an organization has a large allocation and they're not using all of it. This is kind of unfortunate but there's not really a practical way to take small amounts of unused address space and make use of it elsewhere on the Internet.
But the packets aren't addressed to the intermediate routers. All of the packets are addressed to the endpoint, with a TTL value too low to make it there. The intermediate routers just reply with an ICMP Time Exceeded packet.
The real problem is that an ICMP Time Exceeded packet coming from behind NAT would presumably either be blocked by the NAT or else have its address changed to the routable public interface of the NAT device. If the packets are dropped, that would obviously be a problem. If the IP address were changed to that of the NAT box, then all of the reverse DNS lookups would have the same result.
By the way, some traceroute implementations use ICMP Echo Request packets instead of UDP.
But you don't really need a route TO it? Would it technically work to start sending replies back with private IP addresses in the middle of the traceroute? Or do most ISPs filter those even in the replies?
Edit: By the way, that wouldn't have worked for this hack anyways, since you wouldn't be able to control reverse DNS for the private IP addresses.
if it's sending packets on a dance through a virtual network, why does that have to use public addresses? would using a private network (eg 10.0.0.0) not have worked? why not? (and is it odd for people to still have unused /24 lying around?)