This is a long shot, but is there an API to reveal the list of public Gateway EUIs (or Gateway IDs) that a particular DevAddr has been received at?
I appreciate that the DevAddr is not unique and this is a non-issue for known / owned nodes (since the information is available via MQTT with an appropriate subscription)
However, when I see persistent unrecognised DevAddr hitting one’s gateways it would be really useful to know what other gateways are hearing the same broadcasts, perhaps limiting the scope of the response by specifying a metre range from particular Gateway ID and/or a timespan window.
I would imagine that this information might be readily available, since for downlinks the TTN network services need to select the most appropriate (& probably nearest) gateway to transmit to the node with the DevAddr in question.
For those on a direction finding hunt, armed with a list of public gateways receiving the same node traffic, together with the respective SNR/RSSI data, the vague location of (especially rogue) nodes could justify further analysis before breaking out the DF equipment.
It doesn’t help that most of my “rogue” nodes tend to be non-TTN, such is life.