
Re: [suse-security] Martian Source

On Thu, 24 Oct 2002, Grosswiler Roger wrote:

> > Joerg Henner wrote:
> > [...]
> >>>ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
> >>>                             ^^^^^^^^^^^^^^^^^
> This does not really seem to be a MAC address..
> http://www.susesecurity.com/faq/ -> see about in the middle for
> Martians...
> I found another link...how about this one?
> >>
> >>
> >> *giggl* - well, I meant that HE has to find the network card with the
> >> specified MAC address ;))))
> >>
> >
> > arp
> >
> > Or am I missing something here?
> >
> > Christian

OK, Roger gave you the link where you can read more about it.
This is a message from kernel routing.
Please check both lines in /var/log/messages; the first one tells you the
(claimed) source IP and the destination IP and the interface where it
was detected. The second one (see above) contains the MACs from where to
where the packet should be routed. Both should be interfaces on the same net
segment, one belongs probably to the listed interface (eth0).

What do these messages tell you?
If the (claimed) source IP is a valid IP in your LAN, and these messages
are random somehow (well, I need to explain this in more detail ..), then
it's most likely a mis-configured client, for example routing (see in docs
mentioned above).
If the source IP is not valid in your LAN, and you have these messages in
a sequence (for example every 2 seconds, or increasing IP), then it's
most likely that someone scans with spoofed IPs.

What to do?
If you don't care about the scans (probably 'cause you know that your
firewall is prepared for it:), then you may just ignore these messages.
If you feel that it's a mis-configured client, fix it.
You may simply switch off the logging by

	echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians

Does this answer your question?
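The log-reading steps described in the message above, as an added example that is not part of the original post: it pairs each "martian source" line with its "ll header" line, splits the header into destination MAC, source MAC and EtherType, and groups claimed source IPs by sending MAC. The function names, the LAN range 192.168.1.0/24 and all sample lines are constructed, except the first ll header value, which is the one quoted in the thread; the kernel prints the destination IP first and the claimed source after "from".

```python
import ipaddress
import re
from collections import defaultdict

# Kernel format: "martian source <dst IP> from <claimed src IP>, on dev <if>"
MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)

def parse_martians(lines):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events, pending = [], None
    for line in lines:
        m, h = MARTIAN.search(line), LL.search(line)
        if m:
            pending = {"dst_ip": m.group(1), "src_ip": m.group(2), "dev": m.group(3)}
        elif h and pending:
            b = h.group(1).lower().split(":")
            # Ethernet header: 6 bytes destination MAC, 6 bytes source MAC, 2 bytes EtherType
            pending.update(dst_mac=":".join(b[:6]), src_mac=":".join(b[6:12]),
                           ethertype="".join(b[12:]))
            events.append(pending)
            pending = None
    return events

def triage(events, lan):
    """Group claimed source IPs by sending MAC and apply the message's rule of thumb."""
    net = ipaddress.ip_network(lan)
    by_mac = defaultdict(set)
    for e in events:
        by_mac[e["src_mac"]].add(e["src_ip"])
    verdict = {}
    for mac, ips in by_mac.items():
        outside = [ip for ip in ips if ipaddress.ip_address(ip) not in net]
        verdict[mac] = ("possible spoofing: %d source IP(s) outside the LAN" % len(outside)
                        if outside else "source inside the LAN: check that client's configuration")
    return verdict

# Constructed sample; only the first ll header value is taken from the thread.
SAMPLE = """\
Oct 24 10:00:01 gw kernel: martian source 192.168.1.255 from 192.168.1.77, on dev eth0
Oct 24 10:00:01 gw kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
Oct 24 10:00:03 gw kernel: martian source 192.168.1.1 from 10.9.9.1, on dev eth0
Oct 24 10:00:03 gw kernel: ll header: 02:00:00:00:00:01:02:00:00:aa:bb:cc:08:00
Oct 24 10:00:05 gw kernel: martian source 192.168.1.1 from 10.9.9.2, on dev eth0
Oct 24 10:00:05 gw kernel: ll header: 02:00:00:00:00:01:02:00:00:aa:bb:cc:08:00
""".splitlines()

for mac, v in triage(parse_martians(SAMPLE), "192.168.1.0/24").items():
    print(mac, "->", v)
```

The source MAC is the address to look up in the ARP table or on the switch when tracking down the sending network card.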
