
Re: [suse-security] Martian Source



>
> On Thu, 24 Oct 2002, Grosswiler Roger wrote:
>
>> > Joerg Henner wrote:
>> > [...]
>> >>>ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
>> >>>                             ^^^^^^^^^^^^^^^^^
>> This does not really seem to be a MAC-Address..
>> http://www.susesecurity.com/faq/ -> see about in the middle for
>> Martians...
>> I found another link...how about this one?
>> >>
>> >>
>> >> *giggl* - well, I meant that HE has to find the Network-Card with
>> the specified MAC-Address ;))))
>> >>
>> >
>> > arp
>> >
>> > Or am I missing something here?
>> >
>> > Christian
>
> OK, Roger gave you the link where you can read more about it.
> This is a message from kernel routing.
> Please check both lines in /var/log/messages, the first one tells you the
> (claimed) source IP and the destination IP and the interface where it
> was detected. The second one (see above) contains the MACs from where to
> where the packet should be routed. Both should be interfaces on the same
> net segment, one belongs probably to the listed interface (eth0).
>
> What do these messages tell you?
> If the (claimed) source IP is a valid IP in your LAN, and these messages
> are random somehow (well, I need to explain this in more detail ..),
> then it's most likely a mis-configured client, for example routing (see
> in docs mentioned above).
> If the source IP is not valid in your LAN, and you have these messages
> in a sequence (for example every 2 seconds, or increasing IP), then it's
> most likely that someone scans with spoofed IPs.
>
> What to do?
> If you don't care about the scans (probably 'cause you know that your
> firewall is prepared for it:), then you may just ignore these messages.
> If you feel that it's a mis-configured client, fix it.
> You may simply switch off the logging by
>
> 	echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians
By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work
as I still get those messages...
>
> Does this answer your question?
> Achim
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
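
Added example, not part of the original thread: a small parser that pairs each "martian source" kernel line with its "ll header" line and splits the 14-byte Ethernet header into destination MAC, source MAC and EtherType, then applies the in-LAN / not-in-LAN check described above. The log lines are constructed (only the ll header bytes come from the thread), and the LAN prefix 192.168.1.0/24, the host name and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: IPs, host name and timestamps are invented;
# the ll header bytes are the ones quoted in the thread.
SAMPLE_LOG = """\
Oct 24 10:15:01 gw kernel: martian source 192.168.1.255 from 10.1.2.3, on dev eth0
Oct 24 10:15:01 gw kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
"""
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the local segment

MARTIAN = re.compile(r"martian source ([\d.]+) from ([\d.]+), on dev (\S+)")
LL_HEADER = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})\b")
ETHERTYPES = {"0800": "IPv4", "0806": "ARP"}

def split_ll_header(header):
    """Split a 14-byte Ethernet header: destination MAC, source MAC, EtherType."""
    b = header.split(":")
    ethertype = "".join(b[12:14])
    return {"dst_mac": ":".join(b[0:6]), "src_mac": ":".join(b[6:12]),
            "ethertype": ETHERTYPES.get(ethertype, "0x" + ethertype)}

def parse_martians(log_text, lan=LAN):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = MARTIAN.search(line)
        if m:
            # The kernel prints the destination first, then the (claimed) source.
            dst_ip, src_ip, dev = m.groups()
            pending = {"dst_ip": dst_ip, "src_ip": src_ip, "dev": dev,
                       "src_in_lan": ipaddress.ip_address(src_ip) in lan}
            events.append(pending)
            continue
        h = LL_HEADER.search(line)
        if h and pending is not None:
            pending.update(split_ll_header(h.group(1)))
            pending = None
    return events

if __name__ == "__main__":
    for e in parse_martians(SAMPLE_LOG):
        hint = ("source inside LAN, check client config" if e["src_in_lan"]
                else "source not in LAN, possibly spoofed")
        print(f'{e["dev"]}: {e["src_ip"]} -> {e["dst_ip"]} '
              f'from MAC {e["src_mac"]} ({hint})')
```

The source MAC is the address to look up in the ARP table or on the switch to find the sending card; ff:ff:ff:ff:ff:ff as destination is the Ethernet broadcast address.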



