diff --git a/pkg/tools/integration/web.go b/pkg/tools/integration/web.go
index 70ca33b3c..af63defe2 100644
--- a/pkg/tools/integration/web.go
+++ b/pkg/tools/integration/web.go
@@ -2520,7 +2520,8 @@ func isObviousPrivateHost(host string, whitelist *privateHostWhitelist) bool {
 
 // isPrivateOrRestrictedIP returns true for IPs that should never be reached via web_fetch:
 // RFC 1918, loopback, link-local (incl. cloud metadata 169.254.x.x), carrier-grade NAT,
-// IPv6 unique-local (fc00::/7), 6to4 (2002::/16), and Teredo (2001:0000::/32).
+// benchmark (198.18.0.0/15), IPv6 unique-local (fc00::/7), 6to4 (2002::/16), and
+// Teredo (2001:0000::/32).
 func isPrivateOrRestrictedIP(ip net.IP) bool {
 	if ip == nil {
 		return true
@@ -2539,7 +2540,8 @@ func isPrivateOrRestrictedIP(ip net.IP) bool {
 			(ip4[0] == 172 && ip4[1] >= 16 && ip4[1] <= 31) ||
 			(ip4[0] == 192 && ip4[1] == 168) ||
 			(ip4[0] == 169 && ip4[1] == 254) ||
-			(ip4[0] == 100 && ip4[1] >= 64 && ip4[1] <= 127) {
+			(ip4[0] == 100 && ip4[1] >= 64 && ip4[1] <= 127) ||
+			(ip4[0] == 198 && ip4[1] >= 18 && ip4[1] <= 19) {
 			return true
 		}
 		return false
diff --git a/pkg/tools/integration/web_test.go b/pkg/tools/integration/web_test.go
index c06a37254..8c53f152e 100644
--- a/pkg/tools/integration/web_test.go
+++ b/pkg/tools/integration/web_test.go
@@ -966,6 +966,10 @@ func TestIsPrivateOrRestrictedIP_Table(t *testing.T) {
 		{"192.168.1.1", true, "IPv4 private class C"},
 		{"169.254.169.254", true, "link-local / cloud metadata"},
 		{"100.64.0.1", true, "carrier-grade NAT"},
+		{"198.18.0.1", true, "RFC 2544 benchmark"},
+		{"198.19.255.1", true, "RFC 2544 benchmark end"},
+		{"198.17.0.1", false, "just before 198.18.0.0/15"},
+		{"198.20.0.1", false, "just after 198.19.255.255"},
 		{"0.0.0.0", true, "unspecified"},
 		{"8.8.8.8", false, "public DNS"},
 		{"1.1.1.1", false, "public DNS"},