Re: [suse-security] Martian Source
> On Thu, 24 Oct 2002, Grosswiler Roger wrote:
>> > Joerg Henner wrote:
>> > [...]
Once again, complete:
Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:00:23 trinity kernel: ll header: <hw-address of cablemodem, see below ARP>
>> >>>ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
>> >>> ^^^^^^^^^^^^^^^^^
>> This does not really seem to be a MAC address..
>> http://www.susesecurity.com/faq/ -> see about in the middle for
>> I found another link...how about this one?
>> >> *giggl* - well, I meant that HE has to find the network card with
>> the specified MAC address ;))))
>> > arp
arp -n was a good idea...
Address          HWtype  HWaddress          Flags Mask
126.96.36.199    ether   00:09:7B:8D:08:54  C
My Net is Class A 10.0.0.0
Subnet is 255.0.0.0
IP 188.8.131.52 -> one IP of my Cablemodem
My Server really has 2 Network-Cards: eth0 -> LAN 10.0.0.0/8
eth1 -> WAN 184.108.40.206/Cablemodem
eth0  Link encap:Ethernet  HWaddr 00:04:5A:65:F8:B7
      inet addr:10.0.0.2  Bcast:10.255.255.255  Mask:255.0.0.0
      inet6 addr: fe80::204:5aff:fe65:f8b7/10 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:29371 errors:0 dropped:0 overruns:0 frame:0
      TX packets:27561 errors:0 dropped:0 overruns:0 carrier:0
      RX bytes:4649259 (4.4 Mb)  TX bytes:5552056 (5.2 Mb)
      Interrupt:5 Base address:0x7000
eth1  Link encap:Ethernet  HWaddr 00:00:E8:56:EB:D7
      inet addr:220.127.116.11  Bcast:255.255.255.255  Mask:255.255.248.0
      inet6 addr: fe80::200:e8ff:fe56:ebd7/10 Scope:Link
      UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:2514331 errors:0 dropped:0 overruns:0 frame:0
      TX packets:644829 errors:0 dropped:0 overruns:0 carrier:0
      RX bytes:181205855 (172.8 Mb)  TX bytes:112859445 (107.6 Mb)
      Interrupt:11 Base address:0x220
2 interfaces are needed for the routing between internet/LAN. See ifconfig
below. I am nearly sure that there is a misconfiguration error.
>> > Or am I missing something here?
>> > Christian
> ok, Roger gave you the link where to read more about.
> This is a message from kernel routing.
> Please check both lines in /var/log/messages, the first one tells you the
> (claimed) source IP and the destination IP and the interface where it
> was detected. The second one (see above) contains the MACs from where to
> where the packet should be routed. Both should be interfaces on the same
> net segment, one belongs probably to the listed interface (eth0).
> What do these messages tell you?
> if the (claimed) source IP is a valid IP in your LAN, and these messages
> are random somehow (well, I need to explain this in more detail ..),
> then it's most likely a mis-configured client, for example routing (see
> in docs mentioned above).
> If the source IP is not valid in your LAN, and you have these messages
> in a sequence (for example every 2 seconds, or increasing IP), then it's
> most likely that someone scans with spoofed IPs.
> What to do?
> If you don't care about the scans (probably 'cause you know that your
> firewall is prepared for it:), then you may just ignore these messages.
> If you feel that it's a mis-configured client, fix it.
> You simply may switch off the logging by
> echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians
I've done this as normally I trust my firewall....
> Does this answer your question?
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
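Added example, not part of the original messages: a small parser for the "martian source" / "ll header" log pair discussed in this thread. It splits the 14-byte link-layer header into destination MAC, source MAC and EtherType, and compares the claimed source IP with the interface the frame arrived on. The function names and the DEV_NETS map are assumptions for illustration; only eth0's network (10.0.0.0/8) is taken from the ifconfig output above.

```python
import ipaddress
import re

MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_HDR = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)

# Log pair reassembled from the lines quoted in this thread.
SAMPLE = [
    "Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1",
    "Oct 24 00:00:23 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00",
]
# Assumption: only eth0's network is listed, taken from the ifconfig output above.
DEV_NETS = {"eth0": "10.0.0.0/8"}

def parse_ll_header(hexstr):
    """Split the 14-byte Ethernet header: 6 bytes dst MAC, 6 src MAC, 2 EtherType."""
    b = hexstr.lower().split(":")
    return {"dst_mac": ":".join(b[:6]), "src_mac": ":".join(b[6:12]),
            "ethertype": int(b[12] + b[13], 16)}

def parse_martians(lines):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events, pending = [], None
    for line in lines:
        m = MARTIAN.search(line)
        if m:
            # The kernel prints the destination first, then the claimed source.
            pending = dict(zip(("dst_ip", "src_ip", "dev"), m.groups()))
            events.append(pending)
        elif pending is not None and (h := LL_HDR.search(line)):
            pending.update(parse_ll_header(h.group(1)))
            pending = None
    return events

def classify(event, dev_nets):
    """Compare the claimed source IP with the interface the frame arrived on."""
    src = ipaddress.ip_address(event["src_ip"])
    home = [d for d, n in dev_nets.items() if src in ipaddress.ip_network(n)]
    if not home:
        return "source not in any configured network"
    if event["dev"] in home:
        return "source matches the receiving interface's network"
    return f"source belongs to {home[0]} but arrived on {event['dev']}"

if __name__ == "__main__":
    for ev in parse_martians(SAMPLE):
        print(ev["src_mac"], "->", ev["dst_mac"], hex(ev["ethertype"]), "|", classify(ev, DEV_NETS))
```

For the quoted pair, the first six bytes are the Ethernet broadcast address and the next six are the source MAC, which is the same hardware address that arp -n shows for the cable modem.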