LinuxQuestions.org - Linux - Networking
Again about martians - I need an advice (https://www.linuxquestions.org/questions/linux-networking-3/again-about-martians-i-need-an-advice-632346/)

l_m_b 04-02-2008 01:00 AM

Again about martians - I need an advice
 
First – hello all of you!

Next - my problem. I googled a bit but I could not get very clear ideas, and that’s why I decided to post a question. We’re running a small Windows network NAT-ed by an openSUSE gateway. eth0 is the external interface, eth1 – the internal. There are a lot of logged “martians” in /var/log/messages. Actually 10 martians arrive every 15 seconds or so and pollute our precious log. Here is part of it:

Apr 1 08:56:52 gateway kernel: martian source 77.61.167.146 from 0.0.0.0, on dev eth0
Apr 1 08:56:52 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00
Apr 1 08:57:09 gateway kernel: martian destination 0.0.0.0 from 75.193.144.186, dev eth0
Apr 1 08:57:09 gateway kernel: martian source 75.193.144.186 from 0.0.0.0, on dev eth0
Apr 1 08:57:09 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00
Apr 1 08:57:26 gateway kernel: martian destination 0.0.0.0 from 81.36.130.25, dev eth0
Apr 1 08:57:26 gateway kernel: martian source 81.36.130.25 from 0.0.0.0, on dev eth0
Apr 1 08:57:26 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00
Apr 1 08:57:45 gateway kernel: martian destination 0.0.0.0 from 92.126.165.236, dev eth0
Apr 1 08:57:45 gateway kernel: martian source 92.126.165.236 from 0.0.0.0, on dev eth0
Apr 1 08:57:45 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00

I wrote a letter to my ISP and they admitted that 00:30:48:85:17:b9 was the MAC of their gateway (our default route – a single entry in /etc/sysconfig/network/routes). The rest of their reaction was quite unprofessional: “why don’t you just switch the logging of martians off?”. No log – no problem. And I temporarily did it ;) The EtherType 08:00 marks an IP packet.

Now my questions:
1. What exactly does “from 0.0.0.0” mean? More generally: source <ip1> from <ip2>? What is ip2? And why 0.0.0.0? I can see from the ll header part that this is a broadcast packet.
2. Why each time the source is different? Isn’t that suspicious?
3. What security issues may exist in this situation?
4. What kind of misconfiguration may cause these messages?

I want to thank you for all your answers.
Regards!
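An added example (editor's code, not part of the original post): a small parser for the two message shapes quoted above. In net/ipv4/route.c the kernel formats both messages as "martian source <destination IP> from <source IP>" and "martian destination <destination IP> from <source IP>", so the address after "from" is the packet's IP source and the address before it is its IP destination. The "ll header" line is printed only on the martian-source path and is the raw link-layer header (on Ethernet 14 bytes: destination MAC, source MAC, EtherType), which the kernel dumps because, per RFC 1812, it is the only hint left when the source address is bogus. The sample log is constructed from the lines quoted in the post; the EtherType table and the grouping key in by_sender are the editor's choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the lines quoted in the post above, not a live capture.
SAMPLE_LOG = """\
Apr 1 08:56:52 gateway kernel: martian source 77.61.167.146 from 0.0.0.0, on dev eth0
Apr 1 08:56:52 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00
Apr 1 08:57:09 gateway kernel: martian destination 0.0.0.0 from 75.193.144.186, dev eth0
Apr 1 08:57:09 gateway kernel: martian source 75.193.144.186 from 0.0.0.0, on dev eth0
Apr 1 08:57:09 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00
"""

# net/ipv4/route.c prints both messages as "<daddr> from <saddr>": the address
# after "from" is the packet's IP SOURCE, the one before it is its IP DESTINATION.
MARTIAN_RE = re.compile(
    r"kernel: martian (?P<kind>source|destination) (?P<daddr>[\d.]+) from "
    r"(?P<saddr>[\d.]+), (?:on )?dev (?P<dev>\S+)$"
)
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
LLHDR_RE = re.compile(r"kernel: ll header: (?P<hex>[0-9a-f]{2}(?::[0-9a-f]{2})+)$")
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}  # editor's table
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Martian:
    ts: str
    dev: str
    kind: str            # "source" or "destination"
    saddr: str           # IP source address of the offending packet
    daddr: str           # IP destination address of the offending packet
    dst_mac: Optional[str] = None
    src_mac: Optional[str] = None
    ethertype: Optional[str] = None

    @property
    def l2_broadcast(self) -> bool:
        return self.dst_mac == BROADCAST_MAC


def decode_ll_header(hexbytes: str):
    """Split the raw link-layer header the kernel dumps (14 bytes on Ethernet)
    into destination MAC, source MAC and EtherType."""
    octets = hexbytes.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected a 14-byte Ethernet header, got {len(octets)} bytes")
    dst_mac = ":".join(octets[0:6])
    src_mac = ":".join(octets[6:12])
    etype = int(octets[12] + octets[13], 16)
    return dst_mac, src_mac, ETHERTYPES.get(etype, f"0x{etype:04x}")


def parse_martians(text: str) -> List[Martian]:
    records: List[Martian] = []
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            ts = TS_RE.match(line)
            records.append(Martian(ts=ts.group("ts") if ts else "", dev=m.group("dev"),
                                   kind=m.group("kind"), saddr=m.group("saddr"),
                                   daddr=m.group("daddr")))
            continue
        h = LLHDR_RE.search(line)
        # The kernel dumps the header only on the martian-source path, right after
        # that message, so attach it to the preceding "source" record.
        if h and records and records[-1].kind == "source" and records[-1].dst_mac is None:
            records[-1].dst_mac, records[-1].src_mac, records[-1].ethertype = \
                decode_ll_header(h.group("hex"))
    return records


def by_sender(records: List[Martian]):
    """Group martian-source packets by (dev, source MAC, IP source) and collect the
    IP destinations seen, so one L2 sender spraying many addresses stands out."""
    groups = {}
    for r in records:
        if r.kind != "source" or r.src_mac is None:
            continue
        groups.setdefault((r.dev, r.src_mac, r.saddr), set()).add(r.daddr)
    return groups


if __name__ == "__main__":
    recs = parse_martians(SAMPLE_LOG)
    for r in recs:
        print(f"{r.ts} {r.dev} martian {r.kind:<11} ip {r.saddr} -> {r.daddr}"
              f"  l2 {r.src_mac} -> {r.dst_mac} ({r.ethertype}) broadcast={r.l2_broadcast}")
    for (dev, mac, sip), dsts in by_sender(recs).items():
        print(f"{dev}: {mac} sending as {sip} to {len(dsts)} distinct destination(s): {sorted(dsts)}")
```

Run against the real /var/log/messages, by_sender answers question 2 directly: one source MAC, IP source 0.0.0.0, and a growing set of unicast IP destinations is exactly the pattern in the excerpt, which points at the L2 sender rather than at the varying addresses.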

rossonieri#1 04-02-2008 06:22 AM

hi,

hmm ...

Quote:

I wrote a letter to my ISP and they admitted that 00:30:48:85:17:b9 was the MAC of their gateway (our default route – a single entry in the /etc/sysconfig/network/routes).
Simple :) In routing, every packet that passes through a router simply gets its L2 address (MAC) changed to the router's MAC address. --> vice versa on LAN switching.

Quote:

The rest of their reaction was quite unprofessional: “why don’t you just switch the logging of martians off?”. No log – no problem. And I temporarily did it ;) The EtherType 08:00 marks an IP packet.
see above :)

answer :
1. 0.0.0.0/0 means all networks, aka the internet; it could be DHCP, or it could be some small threat from a rejected packet from another network or the internet (like a virus, etc.).
2. Again, 0/0 is not always a broadcast address (like DHCP).
3. Depends on how big your ISP's network subnet/mask is for their DHCP. Or it could be a threat - see #1.
4. Depends on how many times a single IP tries to enter your network in a certain period - if it is persistent then there is a chance it is a serious threat.
5. None - that is normal behaviour from the syslog and firewalling system.

you are very welcome.

HTH.

baldy3105 04-05-2008 06:06 PM

A slight correction here. 0.0.0.0 as a _route_ does indeed mean the whole internet, i.e. the "default route". When you see 0.0.0.0 used as a source _address_ in a packet, it means the source host does not know what IP address to use, so it uses 0.0.0.0. For instance, a host that uses DHCP to obtain an IP address has to put something in the source address field, but has no address to use yet, so it uses 0.0.0.0.

The packets you are getting are broadcast packets (destination ffffffffffff) with a source ip of 0.0.0.0. This says to me that they probably are DHCP requests which your ISP should not be forwarding to you.
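An added example (editor's code, not from the post's author) that goes a step beyond the reply above: it models the address checks that ip_route_input_slow() in 2.6-era net/ipv4/route.c runs before the routing-table lookup, as the editor recalls them, to show which (source, destination) pairs are logged as "martian source" or "martian destination" and which are accepted silently. The messages themselves only appear when net.ipv4.conf.all.log_martians or net.ipv4.conf.<dev>.log_martians is set, which is the knob the original poster turned off. The test cases are constructed: a normal DHCP exchange plus the two address shapes from the log excerpt. What the model leaves out is the later fib_validate_source()/rp_filter reverse-path check, which can also produce "martian source" for a non-zero source address.

```python
import ipaddress

# Ranges the input-route code tests before doing a FIB lookup (editor's model of
# the kernel's ZERONET()/BADCLASS()/LOOPBACK()/MULTICAST() macros).
ZERONET = ipaddress.ip_network("0.0.0.0/8")
BADCLASS = ipaddress.ip_network("240.0.0.0/4")      # class E, includes 255.255.255.255
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_input(saddr: str, daddr: str) -> str:
    """Verdict of the pre-FIB checks for a packet (IP source saddr, IP destination
    daddr) arriving on an interface. Order matters: the limited-broadcast test
    comes BEFORE the zero-source test, which is why a DHCPDISCOVER
    (0.0.0.0 -> 255.255.255.255) is accepted, while 0.0.0.0 -> <unicast> is not."""
    s, d = ipaddress.IPv4Address(saddr), ipaddress.IPv4Address(daddr)
    if s.is_multicast or s in BADCLASS or s in LOOPBACK:
        return "martian source"
    if d == LIMITED_BROADCAST or (int(s) == 0 and int(d) == 0):
        # Zero-source broadcasts are delivered locally; a non-zero source still has
        # to pass fib_validate_source() (rp_filter), which is not modelled here.
        return "broadcast input"
    if s in ZERONET:
        return "martian source"          # logged as "martian source <d> from 0.0.0.0"
    if d in BADCLASS or d in ZERONET or d in LOOPBACK:
        return "martian destination"     # logged as "martian destination <d> from <s>"
    return "fib lookup"                  # routing table / rp_filter decide from here


def explain(saddr: str, daddr: str, what: str = "") -> str:
    return f"{saddr:>15} -> {daddr:<15} {what:<24} => {classify_input(saddr, daddr)}"


if __name__ == "__main__":
    # Constructed cases: a DHCP exchange plus the two shapes seen in the log excerpt.
    for case in [("0.0.0.0", "255.255.255.255", "DHCPDISCOVER/REQUEST"),
                 ("192.0.2.1", "255.255.255.255", "DHCPOFFER (broadcast)"),
                 ("0.0.0.0", "77.61.167.146", "as logged at 08:56:52"),
                 ("75.193.144.186", "0.0.0.0", "as logged at 08:57:09"),
                 ("127.0.0.1", "198.51.100.7", "loopback-sourced packet"),
                 ("198.51.100.7", "198.51.100.1", "ordinary unicast")]:
        print(explain(*case))
```

The practical check before silencing the log is to look at the packets themselves rather than the kernel's summary of them, for example `tcpdump -ni eth0 -e -vv 'ether src 00:30:48:85:17:b9 and ether broadcast'` on the gateway: if they are DHCP, they will be UDP on ports 67/68 and the payload will say so; if the destinations are unicast addresses with a zero source, as in the excerpt, they are not a normal DHCPDISCOVER and the ISP is leaking something else onto the segment.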

