martian attack?

d3funct · 10-23-2002, 12:56 AM

Can anyone tell me what a martian attack is or explain to me what this means? I have several of these messages in my security logs and don't know what they mean or what to do with them. I have changed the name of the 'attacking' ip as it is a client of my ISP.

Oct 21 19:03:55 defunkt kernel: martian destination 0.0.0.0 from XX.212.104.1, dev eth1

Any explanation or advice is appreciated.

rohang · 10-23-2002, 01:28 AM

The only documentation that at least mentions this kind of logging I
found in /usr/src/linux-2.4/Documentation/networking/ip-sysctl.txt:

log_martians - BOOLEAN
Log packets with impossible addresses to kernel log.

This means that the kernel doesn't accept the source address

Someone else might be able to provide more information though...

Dave_bsr · 10-24-2002, 02:31 AM

How cool is that. if a packet is from an unknown source, it's martians. Who says that CS isn't fun??? Open source rules, frankly.

unSpawn · 10-24-2002, 07:31 AM

here's what the RFC says: http://wetelephant.cotse.com/CIE/RFC/1812/123.htm

d3funct · 10-24-2002, 09:30 AM

So would this constitute an attempted crack on my box? or any other sort of security concern?

unSpawn · 10-24-2002, 03:56 PM

Don't loose sleep over 'em if you block 'em at the firewall. If you want to know more you could read up on some routing basics docs.

d3funct · 10-24-2002, 04:07 PM

Ok, great thanks!

nonamenobody · 10-24-2002, 05:12 PM

This may be just me getting confused, but if 0.0.0.0 is it's destination why is it coming to your box?

It's source is XX.212.104.1, which is on your ISP's network, are you sure that this is not you WAN IP address?

It could be just my lack of understanding of course, someone care to explain?

d3funct · 10-24-2002, 11:09 PM

Welll, that's what confused me too. I haven't changed my firewall definitions or anything and this has only been happening for like the last week and a half or so.

unSpawn · 10-25-2002, 10:24 PM

You're on a public network and not everyone has his/her boxen configured well, run p0f (passive), queso or nmap and you have an idea what's on the other side if you're interested.
Btw, this can also happen on your own LAN if you've got a NIC "talking the wrong way" to the gateway, then it thinks it's got hostile traffic on the LAN if.

d3funct · 10-26-2002, 02:16 AM

Cool, I'm satisfied with that. Thanks unSpawn.

ciao