Gentoo Forums - Networking & Security
syslog reports martian packets
Jimini
Guru
Joined: 31 Oct 2006
Posts: 594
Location: Germany

PostPosted: Fri Sep 17, 2010 7:48 pm    Post subject: syslog reports martian packets

Hey there,
for a few days, my syslog has reported many warnings like the following:
Code:
[2010-09-13 12:26:48] warning kern kernel [1025570.571556] martian source 10.0.0.1 from 10.0.0.2, on dev eth1
[2010-09-13 18:59:28] warning kern kernel [1049131.048421] martian source SOME EXTERNAL IP from 10.0.0.2, on dev eth1
[2010-09-15 09:08:51] warning kern kernel [1186494.285116] martian source 10.0.0.2 from 10.0.0.2, on dev eth0
[2010-09-17 18:10:35] warning kern kernel [1391797.842075] martian source MY EXTERNAL IP from 10.0.0.2, on dev eth0


My router 10.0.0.1 has two interfaces:
eth0 => connection to my ISP, address is fetched via DHCP
eth1 => LAN

10.0.0.2 is one of my clients.

This problem occurs since I changed my ISP (from DSL via PPPoE to cable) - now I "dial in" by fetching my external IP-address via DHCP.
I suppose that this is no serious problem, but something seems to be wrong with my network-configuration, so I'd like to fix that.

/etc/conf.d/net
Code:
config_eth0=( "dhcp" )
config_eth1=( "10.0.0.1/24" )
routes_eth1=( "default via EXTERNAL IP" )
dhcp_eth0="release nodns"
dhcp_eth1="release nodns"

The third line should be wrong, as far as I know the gateway should be in the same net as the interface itself - but I don't know how to set the external IP address statically.

Any ideas or hints would be really appreciated.

Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)


Last edited by Jimini on Sat Sep 25, 2010 6:53 am; edited 2 times in total
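The kernel prints these lines as "martian source <destination> from <source>, on dev <interface>", and it emits them when the source address of a received packet fails validation: most often because the route back to that source does not point at the interface the packet came in on (the reverse-path check), or because the source is one of the router's own addresses or a special address. The following script is an added example, not code from the thread: it models the router described above (eth1 serving 10.0.0.0/24, eth0 carrying the default route) and explains each quoted log line. The external address is a constructed stand-in (198.51.100.7, from TEST-NET-2) for the redacted MY EXTERNAL IP, and the sample lines are constructed from the ones quoted in the post.

```python
import ipaddress
import re

# Constructed model of the router in the thread: eth1 serves 10.0.0.0/24,
# eth0 is the ISP uplink carrying the default route. 198.51.100.7 stands in
# for the external address the poster redacted as MY EXTERNAL IP.
ROUTES = {
    ipaddress.ip_network("10.0.0.0/24"): "eth1",
    ipaddress.ip_network("0.0.0.0/0"): "eth0",
}
ROUTER_ADDRS = {
    ipaddress.ip_address("10.0.0.1"),
    ipaddress.ip_address("198.51.100.7"),
}

# Kernel format: "martian source <destination> from <source>, on dev <iface>"
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[0-9.]+) from (?P<src>[0-9.]+), on dev (?P<dev>\S+)"
)


def reverse_path_dev(addr, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def explain_martian(line, routes=ROUTES, local=ROUTER_ADDRS):
    """Describe why the kernel flagged a line, or return None if it is not a
    martian line at all (e.g. the 'll header' lines that follow each warning)."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    in_dev = m["dev"]
    expected = reverse_path_dev(src, routes)
    reasons = []
    if src in local:
        reasons.append("source is one of the router's own addresses")
    if (src.is_loopback or src.is_unspecified or src.is_multicast
            or src == ipaddress.ip_address("255.255.255.255")):
        reasons.append("source is a special address (RFC 1812 5.3.7)")
    if expected != in_dev:
        reasons.append(f"arrived on {in_dev} but the route back to {src} is via {expected}")
    return {
        "src": str(src),
        "dst": m["dst"],
        "in_dev": in_dev,
        "expected_dev": expected,
        # An empty list means this simple model does not explain the warning;
        # the kernel applies further checks that are not modelled here.
        "reasons": reasons or ["passes the reverse-path model here; other kernel checks not modelled"],
    }


# Constructed sample built from the lines quoted in the thread.
SAMPLE_LOG = """\
[2010-09-13 12:26:48] warning kern kernel [1025570.571556] martian source 10.0.0.1 from 10.0.0.2, on dev eth1
[2010-09-15 09:08:51] warning kern kernel [1186494.285116] martian source 10.0.0.2 from 10.0.0.2, on dev eth0
[2010-09-17 18:10:35] warning kern kernel [1391797.842075] martian source 198.51.100.7 from 10.0.0.2, on dev eth0
[2010-09-25 03:41:53] warning kern kernel [2030876.265789] martian source 10.0.0.2 from 10.0.0.1, on dev eth0
"""


def analyse(log=SAMPLE_LOG):
    """Run explain_martian over every line and keep the martian ones."""
    return [r for r in (explain_martian(line) for line in log.splitlines()) if r]


if __name__ == "__main__":
    for r in analyse():
        print(f"{r['src']:>14} -> {r['dst']:<14} on {r['in_dev']}: {'; '.join(r['reasons'])}")
```

Three of the four sample lines are packets with a 10.0.0.0/24 source (or the router's own 10.0.0.1) arriving on eth0, the WAN side, which is exactly what the reverse-path check is meant to catch; the first line, a LAN source on the LAN interface, is not explained by this model alone. On a Linux router the check is controlled per interface by the `rp_filter` sysctl and the logging by `log_martians` under `/proc/sys/net/ipv4/conf/`.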
DONAHUE
Watchman
Joined: 09 Dec 2006
Posts: 7564
Location: Goose Creek SC

PostPosted: Fri Sep 17, 2010 10:58 pm

home-router-howto says that /etc/conf.d/net needs only

Quote:
config_eth0=( "dhcp" )# to wan
config_eth1=( "10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0" )#to lan


the gateway for 10.0.0.0 is 10.0.0.1 so routes_eth1=( "default via EXTERNAL IP" ) seems wrong
eth1 is not using dhcp so dhcp_eth1="release nodns" seems wrong
dhcp_eth1="release nodns" just seems wrong
Jimini
Guru
Joined: 31 Oct 2006
Posts: 594
Location: Germany

PostPosted: Tue Sep 21, 2010 5:06 am

Of course this entry in /etc/conf.d/net was wrong, just as you said, so I corrected it.

I also changed my iptables-script:
Code:
iptables -A INPUT -i $lan -p udp --dport 67 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $wan -d SOME_EXTERNAL_IP -p udp --dport 67 -m state --state NEW -j ACCEPT


I assume that this script was responsible for the martian packets, as the upper entry was missing. I came to this conclusion by generating very detailed logging output with iptables for possible spoofed packets:
Code:
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:5d:aa:87:ae:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:5d:aa:87:ae:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:20:cf:30:9b:3a:f8:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:20:cf:30:9b:3a:f8:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308


Now everything seems to work fine; for 2 days no log has contained errors or warnings about martian / spoofed packets.

Best regards,
Jimini
DONAHUE
Watchman
Joined: 09 Dec 2006
Posts: 7564
Location: Goose Creek SC

PostPosted: Tue Sep 21, 2010 5:48 am

well done.
Jimini
Guru
Joined: 31 Oct 2006
Posts: 594
Location: Germany

PostPosted: Tue Sep 21, 2010 6:53 am

Thanks for your effort though :)

Best regards,
Jimini
Jimini
Guru
Joined: 31 Oct 2006
Posts: 594
Location: Germany

PostPosted: Sat Sep 25, 2010 6:53 am

Damn. Again, my logfile reports martian packets:
Code:
[2010-09-25 01:06:39] warning kern kernel [2021562.127400] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:06:39] warning kern kernel [2021562.127400] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:06:39] warning kern kernel [2021562.127406] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:06:39] warning kern kernel [2021562.127406] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:08:26] warning kern kernel [2021668.953334] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:08:26] warning kern kernel [2021668.953334] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:08:26] warning kern kernel [2021668.953340] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:08:26] warning kern kernel [2021668.953340] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:10:26] warning kern kernel [2021788.957795] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:10:26] warning kern kernel [2021788.957795] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:10:26] warning kern kernel [2021788.957801] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:10:26] warning kern kernel [2021788.957801] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:12:26] warning kern kernel [2021908.960198] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:12:26] warning kern kernel [2021908.960198] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:12:26] warning kern kernel [2021908.960205] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:12:26] warning kern kernel [2021908.960205] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 03:41:53] warning kern kernel [2030876.265789] martian source 10.0.0.2 from 10.0.0.1, on dev eth0
[2010-09-25 03:41:53] warning kern kernel [2030876.265789] martian source 10.0.0.2 from 10.0.0.1, on dev eth0
[2010-09-25 03:41:53] warning kern kernel [2030876.265795] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 03:41:53] warning kern kernel [2030876.265795] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00


As far as I know, the ll header contains the destination MAC address and the source MAC address. But in my network I don't have a NIC with one of these addresses. I figured out that these packets must be Bittorrent-related traffic:
Code:
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=118.233.40.159 DST=MY_EXTERNAL_IP LEN=126 TOS=0x00 PREC=0x00 TTL=109 ID=15541 PROTO=UDP SPT=12716 DPT=51413 LEN=106
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=60.8.64.78 DST=MY_EXTERNAL_IP LEN=90 TOS=0x00 PREC=0x00 TTL=108 ID=53745 PROTO=UDP SPT=41555 DPT=51413 LEN=70
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=123.5.243.43 DST=MY_EXTERNAL_IP LEN=126 TOS=0x00 PREC=0x00 TTL=110 ID=19309 PROTO=UDP SPT=1054 DPT=51413 LEN=106
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=114.37.17.121 DST=MY_EXTERNAL_IP LEN=326 TOS=0x00 PREC=0x00 TTL=99 ID=12999 PROTO=UDP SPT=7777 DPT=51413 LEN=306


But I don't understand why the header of these four packets is the same although the source is different. Who can explain that?

Best regards,
Jimini
Jimini
Guru
Joined: 31 Oct 2006
Posts: 594
Location: Germany

PostPosted: Tue Sep 28, 2010 3:28 am

Perhaps I have found the reason for the martian packets: during the last days, iptables blocked input from various IP addresses, but the MAC address was always the same:
Code:
[2010-09-28 00:01:50] notice [2276873.595094] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=217.202.147.157 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=7145 DF PROTO=TCP SPT=43429 DPT=40098 WINDOW=0 RES=0x00 ACK RST URGP=0
[2010-09-28 00:02:38] notice [2276921.570109] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=59.98.208.27 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x20 TTL=45 ID=4355 PROTO=TCP SPT=51413 DPT=56728 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
[2010-09-28 00:11:08] notice [2277430.993225] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=151.53.234.201 DST=MY_EXTERNAL_IP LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=55318 DF PROTO=TCP SPT=14433 DPT=48344 WINDOW=65535 RES=0x00 ACK SYN URGP=0
[2010-09-28 00:11:11] notice [2277433.963360] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=151.53.234.201 DST=MY_EXTERNAL_IP LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=55474 DF PROTO=TCP SPT=14433 DPT=48344 WINDOW=65535 RES=0x00 ACK SYN URGP=0
[2010-09-28 00:11:17] notice [2277439.974015] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=151.53.234.201 DST=MY_EXTERNAL_IP LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=55840 DF PROTO=TCP SPT=14433 DPT=48344 WINDOW=65535 RES=0x00 ACK SYN URGP=0
[2010-09-28 00:11:19] notice [2277442.573717] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=122.177.145.30 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=46204 PROTO=TCP SPT=26098 DPT=34580 WINDOW=0 RES=0x00 ACK RST URGP=0


What is going on there?

Edit: I'm blocking all traffic from 00:01:5C:31:19:40 now, we'll see what happens.

Best regards,
Jimini
DONAHUE
Watchman
Joined: 09 Dec 2006
Posts: 7564
Location: Goose Creek SC

PostPosted: Tue Sep 28, 2010 3:58 am

From the RFC:

5.3.7 Martian Address Filtering

An IP source address is invalid if it is a special IP address, as
defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

An IP destination address is invalid if it is among those defined as
illegal destinations in 4.2.3.1, or is a Class E address (except
255.255.255.255).

A router SHOULD NOT forward any packet that has an invalid IP source
address or a source address on network 0. A router SHOULD NOT
forward, except over a loopback interface, any packet that has a
source address on network 127. A router MAY have a switch that
allows the network manager to disable these checks. If such a switch
is provided, it MUST default to performing the checks.

A router SHOULD NOT forward any packet that has an invalid IP
destination address or a destination address on network 0. A router
SHOULD NOT forward, except over a loopback interface, any packet that
has a destination address on network 127. A router MAY have a switch
that allows the network manager to disable these checks. If such a
switch is provided, it MUST default to performing the checks.

If a router discards a packet because of these rules, it SHOULD log
at least the IP source address, the IP destination address, and, if
the problem was with the source address, the physical interface on
which the packet was received and the Link Layer address of the host
or router from which the packet was received.
Jimini
Guru
Joined: 31 Oct 2006
Posts: 594
Location: Germany

PostPosted: Wed Sep 29, 2010 5:43 am

I hope I understand you correctly. I've been blocking these packets for some time now; I had added some "anti spoofing rules":
Code:
# drop packets claiming a LAN source that did not arrive on the LAN interface
iptables -A INPUT ! -i $lan -s $intern -j DROP
iptables -A FORWARD ! -i $lan -s $intern -j DROP
# drop loopback-sourced packets that did not arrive on lo
iptables -A INPUT ! -i lo -s 127.0.0.1 -j DROP
iptables -A FORWARD ! -i lo -s 127.0.0.1 -j DROP
# drop packets claiming the router's own external address that did not arrive on the WAN interface
iptables -A INPUT ! -i $wan -s $extip -j DROP
iptables -A FORWARD ! -i $wan -s $extip -j DROP

I've also been logging this traffic before it was dropped (I hope my procedure was RFC-compliant?).

I found out that I had made a mistake with the involved MAC addresses: the target address is eth0 on my router (the interface which is connected to the outside). But what I still don't understand is that the source address always seems to be the same:
Code:
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=91.65.198.7 DST=MY_EXTERNAL_IP LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=21140 DF PROTO=TCP SPT=4067 DPT=2967 WINDOW=64240 RES=0x00 SYN URGP=0
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=91.65.8.22 DST=MY_EXTERNAL_IP LEN=64 TOS=0x00 PREC=0x00 TTL=41 ID=50785 DF PROTO=TCP SPT=3223 DPT=445 WINDOW=53760 RES=0x00 SYN URGP=0
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=175.41.139.175 DST=MY_EXTERNAL_IP LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=39294 PROTO=TCP SPT=80 DPT=49239 WINDOW=16384 RES=0x00 ACK SYN URGP=0

Conclusion: although the traffic has its source in different IP addresses, the source MAC address (00:27:0E:08:F1:8D) is always the same.

Yesterday, I tried to block this traffic:
Code:
iptables -A INPUT -m mac --mac-source 00:01:5C:31:19:40 -j DROP

Which first seemed to help.

But my syslog still reported martian packets:
Code:
[2310921.160091] martian source 10.0.0.2 from 10.0.0.1, on dev eth0
[2310921.160091] martian source 10.0.0.2 from 10.0.0.1, on dev eth0
[2310921.160097] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2310921.160097] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2333192.613987] martian source 91.65.144.59 from 10.0.0.2, on dev eth0
[2333192.613987] martian source 91.65.144.59 from 10.0.0.2, on dev eth0
[2333192.613994] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2333192.613994] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
...


...I still don't get it.

Best regards,
Jimini
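The MAC= value in a netfilter LOG line (and the matching "ll header" line the kernel prints after a martian warning) is the raw 14-byte Ethernet header of the received frame: 6 bytes destination MAC, 6 bytes source MAC, then the 2-byte EtherType (08:00 is IPv4). The source MAC is therefore the address of the last hop that put the frame on the wire, not of the IP sender, and on a router's uplink that last hop is normally the ISP's gateway for every packet from the internet, which is why it never changes while SRC= does. This is an added example, not code from the thread: it parses the LOG lines quoted above (the redacted external address replaced by the constructed stand-in 198.51.100.7), splits the MAC field into its three parts, and groups the IP sources seen behind each source MAC. The sample lines and the helper names are constructed for this example.

```python
import re

# Constructed sample built from the LOG lines quoted in the thread; 198.51.100.7
# (TEST-NET-2) stands in for the redacted MY_EXTERNAL_IP.
SAMPLE_LOG = """\
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=118.233.40.159 DST=198.51.100.7 LEN=126 TOS=0x00 PREC=0x00 TTL=109 ID=15541 PROTO=UDP SPT=12716 DPT=51413 LEN=106
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=60.8.64.78 DST=198.51.100.7 LEN=90 TOS=0x00 PREC=0x00 TTL=108 ID=53745 PROTO=UDP SPT=41555 DPT=51413 LEN=70
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:5d:aa:87:ae:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

# KEY=VALUE tokens; flag tokens such as DF, SYN or ACK carry no '=' and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

ETHERTYPES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6"}


def decode_mac_field(mac_field):
    """Split netfilter's MAC= value into (dst_mac, src_mac, ethertype_hex).

    The value is the 14-byte Ethernet header as colon-separated octets:
    destination (6), source (6), EtherType (2)."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets in MAC field, got {len(octets)}")
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    ethertype = "".join(octets[12:14])
    return dst, src, ethertype


def parse_log_line(line):
    """Parse one LOG line into a dict; the first LEN= (IP total length) wins
    over the second one, which is the transport-layer length."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    dst_mac, src_mac, ethertype = decode_mac_field(fields["MAC"])
    return {
        "in": fields["IN"],
        "src_ip": fields["SRC"],
        "dst_ip": fields["DST"],
        "dst_mac": dst_mac,
        "src_mac": src_mac,
        "ethertype": ETHERTYPES.get(ethertype, ethertype),
        "proto": fields.get("PROTO"),
        "ip_len": int(fields["LEN"]),
    }


def src_mac_summary(log=SAMPLE_LOG):
    """Map (input interface, source MAC) to the sorted list of IP sources that
    arrived behind it. One MAC with many IPs is the normal picture on an
    uplink: every internet packet is delivered by the same next hop."""
    summary = {}
    for line in log.splitlines():
        row = parse_log_line(line)
        summary.setdefault((row["in"], row["src_mac"]), set()).add(row["src_ip"])
    return {key: sorted(ips) for key, ips in summary.items()}


if __name__ == "__main__":
    for (dev, mac), ips in src_mac_summary().items():
        print(f"{dev}: frames from {mac} carried IP sources {', '.join(ips)}")
```

Read this way, the eth0 lines show the router's own eth0 address as the destination MAC and a single upstream address as the source MAC for every peer, while the eth1 line is a DHCP discover (0.0.0.0 to 255.255.255.255, port 68 to 67) broadcast to ff:ff:ff:ff:ff:ff from a LAN client. A MAC-based DROP rule on the upstream source address would therefore match every inbound frame from that hop, not just the unwanted peers; filtering on IP source and interface, as the anti-spoofing rules above do, is the selective control.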