
Re: [suse-security] Martian Source



>
> On Thu, 24 Oct 2002, Grosswiler Roger wrote:
>
>> > Joerg Henner wrote:
>> > [...]
Once again, complete:
Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:00:23 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
                                                             <hw-address of cable modem, see ARP below
>> >>>ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
>> >>>                             ^^^^^^^^^^^^^^^^^
>> This does not really seem to be a MAC-Address..
>> http://www.susesecurity.com/faq/ -> see about in the middle for
>> Martians...
>> I found another link...how about this one?
>> >>
>> >>
>> >> *giggl* - well, i meant that HE has to find the Network-Card with
>> the specified MAC-Address ;))))
>> >>
>> >
>> > arp
arp -n was a good idea...
Address                  HWtype  HWaddress           Flags Mask            Iface
217.162.200.1            ether   00:09:7B:8D:08:54   C                     eth1

My Net is Class A 10.0.0.0
Subnet is 255.0.0.0
IP 217.162.200.80 -> one IP of my  Cablemodem
My Server really has 2 Network-Cards: eth0 -> LAN 10.0.0.0/8
                                      eth1 -> WAN 217.162.200.80/Cablemodem
eth0      Link encap:Ethernet  HWaddr 00:04:5A:65:F8:B7
          inet addr:10.0.0.2  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::204:5aff:fe65:f8b7/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29371 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27561 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4649259 (4.4 Mb)  TX bytes:5552056 (5.2 Mb)
          Interrupt:5 Base address:0x7000

eth1      Link encap:Ethernet  HWaddr 00:00:E8:56:EB:D7
          inet addr:217.162.200.80  Bcast:255.255.255.255  Mask:255.255.248.0
          inet6 addr: fe80::200:e8ff:fe56:ebd7/10 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2514331 errors:0 dropped:0 overruns:0 frame:0
          TX packets:644829 errors:0 dropped:0 overruns:0 carrier:0
          collisions:428 txqueuelen:100
          RX bytes:181205855 (172.8 Mb)  TX bytes:112859445 (107.6 Mb)
          Interrupt:11 Base address:0x220


2 interfaces are needed for the routing between internet/LAN. See ifconfig
below. I am nearly sure that there is a misconfiguration error.


>> >
>> > Or am I missing something here?
>> >
>> > Christian
>
> ok, Roger gave you the link where to read more about.
> This is a message from kernel routing.
> Please check both lines in /var/log/messages, the first one tells you the
> (claimed) source IP and the destination IP and the interface where it
> was detected. The second one (see above) contains the MACs from where to
> where the packet should be routed. Both should be interfaces on the same
> net segment, one belongs probably to the listed interface (eth0).
>
> What do these messages tell you?
> if the (claimed) source IP is a valid IP in your LAN, and these messages
> are random somehow (well, I need to explain this more detailed ..),
> then it's most likely a mis-configured client, for example routing (see
> in docs mentioned above).
> If the source IP is not valid in your LAN, and you have these messages
> in a sequence (for example every 2 seconds, or increasing IP), then it's
> most likely that someone scans with spoofed IPs.
>
> What to do?
> If you don't care about the scans (probably 'cause you know that your
> firewall is prepared for it:), then you may just ignore these messages.
> If you feel that it's a mis-configured client, fix it.
> You simply may switch off the logging by
>
> 	echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians
I've done this, as normally I trust my firewall....
>
> Does this answer your question?
> Achim
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
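As an added example (not code from the thread), the reading rule Achim gives above turned into a small Python script: it pairs each kernel "martian source" line with the "ll header" line that follows it, splits that header into destination MAC, source MAC and EtherType, names the sending MAC via an `arp -n` table, and applies the rule of thumb (source valid in the LAN: misconfigured client; a run of consecutive non-LAN sources: likely a scan with spoofed IPs; anything else: a stray packet). The log and arp samples are constructed from the lines in this thread plus made-up events, and the regexes assume the 2.4-era log format shown here.

```python
import re
from ipaddress import ip_address, ip_network
# Log and arp formats exactly as they appear in the thread (2.4-era kernel, net-tools `arp -n`).
MARTIAN_RE = re.compile(r"kernel: martian source (\S+) from (\S+), on dev (\S+)$")
LLHDR_RE = re.compile(r"kernel: ll header: ((?:[0-9a-f]{2}:)+[0-9a-f]{2})$")
ARP_RE = re.compile(r"^(\S+)\s+ether\s+([0-9A-Fa-f:]{17})\s+\S+\s+(\S+)$")
def parse_ll_header(hexstr):
    """Split the logged Ethernet header into destination MAC, source MAC and EtherType."""
    b = hexstr.split(":")
    return {"dst_mac": ":".join(b[:6]), "src_mac": ":".join(b[6:12]), "ethertype": "0x" + "".join(b[12:14])}
def parse_arp(lines):
    """MAC -> (IP, iface) from `arp -n`, so the sender MAC in the ll header can be named."""
    return {m.group(2).lower(): (m.group(1), m.group(3)) for m in map(ARP_RE.match, lines) if m}
def parse_martians(lines):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events = []
    for line in lines:
        if m := MARTIAN_RE.search(line):
            events.append({"dst": m.group(1), "src": m.group(2), "dev": m.group(3)})
        elif (m := LLHDR_RE.search(line)) and events and "src_mac" not in events[-1]:
            events[-1].update(parse_ll_header(m.group(1)))
    return events

def classify(events, lan_net, arp):
    """Thread's rule of thumb: LAN-valid source = misconfigured client; run of consecutive non-LAN sources = spoofed scan."""
    lan = ip_network(lan_net)
    outside = [i for i, ev in enumerate(events) if ip_address(ev["src"]) not in lan]
    in_run = set()
    for a, b in zip(outside, outside[1:]):
        if int(ip_address(events[b]["src"])) - int(ip_address(events[a]["src"])) == 1:
            in_run.update((a, b))
    result = []
    for i, ev in enumerate(events):
        verdict = ("misconfigured-client" if i not in outside
                   else "possible-spoofed-scan" if i in in_run else "stray-packet")
        sender = arp.get(ev.get("src_mac", ""), ("unknown-mac", None))[0]
        result.append((ev["src"], ev["dev"], sender, verdict))
    return result

# Constructed sample: the thread's own two lines, plus two made-up events on eth0 (TEST-NET source IPs).
LOG = """\
Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:00:23 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
Oct 24 00:01:02 trinity kernel: martian source 10.0.0.2 from 192.0.2.10, on dev eth0
Oct 24 00:01:02 trinity kernel: ll header: 00:04:5a:65:f8:b7:00:0c:29:aa:bb:cc:08:00
Oct 24 00:01:04 trinity kernel: martian source 10.0.0.2 from 192.0.2.11, on dev eth0
Oct 24 00:01:04 trinity kernel: ll header: 00:04:5a:65:f8:b7:00:0c:29:aa:bb:cc:08:00""".splitlines()
ARP = ["Address HWtype HWaddress Flags Mask Iface", "217.162.200.1 ether 00:09:7B:8D:08:54 C eth1"]
def analyse():
    return classify(parse_martians(LOG), "10.0.0.0/8", parse_arp(ARP))
```

Running `analyse()` names the cable modem (217.162.200.1 from the ARP table) as the sender of the thread's packet and flags the two consecutive 192.0.2.x sources on eth0 as a possible spoofed scan.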