
Re: [suse-security] Martian Source



On Thu, 24 Oct 2002 10:11:57 +0200 (CEST)
"Grosswiler Roger" <roger@xxxxxxxxxxx> wrote:

> >
> > On Thu, 24 Oct 2002, Grosswiler Roger wrote:
> >
> >> > Joerg Henner wrote:
> >> > [...]
> >> >>>ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
> >> >>>                             ^^^^^^^^^^^^^^^^^
> >> This does not really seem to be a MAC address..
> >> http://www.susesecurity.com/faq/ -> see about in the middle for
> >> Martians...
> >> I found another link...how about this one?
> >> >>
> >> >>
> >> >> *giggle* - well, I meant that HE has to find the network card with
> >> >> the specified MAC address ;))))
> >> >>
> >> >
> >> > arp
> >> >
> >> > Or am I missing something here?
> >> >
> >> > Christian
> >
> > OK, Roger gave you the link where you can read more about it.
> > This is a message from kernel routing.
> > Please check both lines in /var/log/messages, the first one tells you the
> > (claimed) source IP and the destination IP and the interface where it
> > was detected. The second one (see above) contains the MACs from where to
> > where the packet should be routed. Both should be interfaces on the same
> > net segment, one belongs probably to the listed interface (eth0).
> >
> > What do these messages tell you?
> > If the (claimed) source IP is a valid IP in your LAN, and these messages
> > are random somehow (well, I need to explain this in more detail ..),
> > then it's most likely a mis-configured client, for example routing (see
> > in docs mentioned above).
> > If the source IP is not valid in your LAN, and you have these messages
> > in a sequence (for example every 2 seconds, or increasing IP), then it's
> > most likely that someone scans with spoofed IPs.
> >
> > What to do?
> > If you don't care about the scans (probably 'cause you know that your
> > firewall is prepared for it:), then you may just ignore these messages.
> > If you feel that it's a mis-configured client, fix it.
> > You simply may switch off the logging by
> >
> > 	echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians
> By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work
> as I still get those messages...

Please try

echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians
echo 0 >/proc/sys/net/ipv4/conf/all/log_martians
echo 0 >/proc/sys/net/ipv4/conf/default/log_martians

> >
> > Does this answer your question?
> > Achim
> >
> >
> > --
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here


-- 
------------------------  /"\
Andreas.Tirok@xxxxxxxxx   \ / ASCII Ribbon Campaign
fon: +49 30 549932-0       X  Against HTML Mail
fax: +49 30 549932-21     / \ 
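
The two log lines discussed in this thread can be paired and decoded mechanically. The following is an added example, not part of any message in the thread: it reads the 14-byte `ll header` as an Ethernet header and applies the in-LAN / not-in-LAN distinction from the quoted reply. The function name `parse_martians`, the sample IPs, host name, second MAC and LAN range are assumptions; only the colon-separated header format shown above is handled.

```python
import ipaddress
import re

# Constructed sample in the two-line format discussed above. Only the first
# ll header value is from the thread; IPs, host name and times are made up.
SAMPLE_LOG = """\
Oct 24 10:01:02 gw kernel: martian source 192.168.1.255 from 192.168.1.77, on dev eth1
Oct 24 10:01:02 gw kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
Oct 24 10:01:04 gw kernel: martian source 192.168.1.1 from 10.9.8.7, on dev eth1
Oct 24 10:01:04 gw kernel: ll header: 00:50:56:aa:bb:cc:00:10:5a:01:02:03:08:00
"""

MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_HEADER = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})\s*$")


def parse_martians(log_text, lan_cidr):
    """Pair each 'martian source' line with the 'll header' line after it."""
    lan = ipaddress.ip_network(lan_cidr)
    events, pending = [], None
    for line in log_text.splitlines():
        m = MARTIAN.search(line)
        if m:
            # The kernel prints the destination first, then the claimed source.
            dst, src, dev = m.groups()
            pending = {"dst_ip": dst, "src_ip": src, "dev": dev}
            continue
        h = LL_HEADER.search(line)
        if h and pending:
            octets = h.group(1).split(":")
            # Ethernet header: 6 bytes destination MAC, 6 bytes source MAC,
            # 2 bytes EtherType (08:00 is IPv4).
            pending["dst_mac"] = ":".join(octets[0:6])
            pending["src_mac"] = ":".join(octets[6:12])
            pending["ethertype"] = "".join(octets[12:14])
            in_lan = ipaddress.ip_address(pending["src_ip"]) in lan
            pending["hint"] = ("misconfigured LAN client" if in_lan
                               else "source not valid in LAN, possibly spoofed")
            events.append(pending)
            pending = None
    return events


if __name__ == "__main__":
    for e in parse_martians(SAMPLE_LOG, "192.168.1.0/24"):
        print(e["dev"], e["src_ip"], "via", e["src_mac"], "->", e["hint"])
```

The `src_mac` field is the address to look up in the `arp` table when tracking down the sending network card on the segment.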
