Old 04-02-2008, 01:00 AM   #1
l_m_b
LQ Newbie
 
Registered: Sep 2005
Location: Sofia
Distribution: openSUSE 10.3
Posts: 6

Rep: Reputation: 0
Again about martians - I need advice


First – hello all of you!

Next - my problem. I googled a bit but I could not get very clear ideas, and that’s why I decided to post a question. We’re running a small Windows network NAT-ed by an openSUSE gateway. eth0 is the external interface, eth1 the internal one. There are a lot of logged “martians” in /var/log/messages. Actually 10 martians arrive every 15 seconds or so and pollute our precious log. Here is part of it:

Apr 1 08:56:52 gateway kernel: martian source 77.61.167.146 from 0.0.0.0, on dev eth0
Apr 1 08:56:52 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00
Apr 1 08:57:09 gateway kernel: martian destination 0.0.0.0 from 75.193.144.186, dev eth0
Apr 1 08:57:09 gateway kernel: martian source 75.193.144.186 from 0.0.0.0, on dev eth0
Apr 1 08:57:09 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00
Apr 1 08:57:26 gateway kernel: martian destination 0.0.0.0 from 81.36.130.25, dev eth0
Apr 1 08:57:26 gateway kernel: martian source 81.36.130.25 from 0.0.0.0, on dev eth0
Apr 1 08:57:26 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00
Apr 1 08:57:45 gateway kernel: martian destination 0.0.0.0 from 92.126.165.236, dev eth0
Apr 1 08:57:45 gateway kernel: martian source 92.126.165.236 from 0.0.0.0, on dev eth0
Apr 1 08:57:45 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00

I wrote a letter to my ISP and they admitted that 00:30:48:85:17:b9 was the MAC of their gateway (our default route – a single entry in /etc/sysconfig/network/routes). The rest of their reaction was quite unprofessional: “why don’t you just switch the logging of martians off?”. No log, no problem. And I temporarily did it. The EtherType 08:00 marks an IP packet.

Now my questions:
1. What exactly does “from 0.0.0.0” mean? More generally: source <ip1> from <ip2>? What is ip2? And why 0.0.0.0? I can see from the ll header part that this is a broadcast packet.
2. Why is the source different each time? Isn’t that suspicious?
3. What security issues may exist in this situation?
4. What kind of misconfiguration may cause these messages?

I want to thank you for all your answers.
Regards!

Last edited by l_m_b; 04-02-2008 at 01:50 AM.
 
Old 04-02-2008, 06:22 AM   #2
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi,

hmm ...

Quote:
I wrote a letter to my ISP and they admitted that 00:30:48:85:17:b9 was the MAC of their gateway (our default route – a single entry in the /etc/sysconfig/network/routes).
simple in routing: every packet that passes through a router simply gets its L2 address (MAC) changed to the router's MAC address. --> vice versa on LAN switching.

Quote:
The rest of their reaction was quite unprofessional “why don’t you just switch the logging of martians off?”. No log – no problem. And I temporary did it The EtherType 08:00 marks an IP packet.
see above

answer :
1. 0.0.0.0/0 means all networks, aka the internet; it could be DHCP or it could be some small threat from rejected packets from another network or the internet (like a virus etc).
2. again, 0/0 is not always a broadcast address (like DHCP).
3. depends on how big your ISP's network subnet/mask is for their DHCP, or it could be a threat - see #1.
4. depends on how many times a single IP tries to enter your network in a certain period - if it is persistent then there is a chance it is a serious threat.
5. none - that is normal behaviour from the syslog and firewalling system.

you are very welcome.

HTH.
 
Old 04-05-2008, 06:06 PM   #3
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184
A slight correction here. 0.0.0.0 as a _route_ does indeed mean the whole internet, i.e. the "default route". When you see 0.0.0.0 used as a source _address_ in a packet it means the source host does not know what IP address to use, so it uses 0.0.0.0. For instance a host that uses DHCP to obtain an IP address has to put something in the source address field, but has no address to use yet, so it uses 0.0.0.0.

The packets you are getting are broadcast packets (destination ffffffffffff) with a source ip of 0.0.0.0. This says to me that they probably are DHCP requests which your ISP should not be forwarding to you.
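As an added example (my code, not from the thread), a small Python parser for the martian lines quoted above: it pairs each "martian ..." line with the "ll header" line that follows it, splits the header into destination MAC, source MAC and EtherType, and counts per sending MAC how many frames are broadcasts whose "from" address is 0.0.0.0, the DHCP-like pattern described in post #3. Only the line layout of the posted log is assumed.

```python
import re
# Kernel line layout as posted: "martian source <ip1> from <ip2>, on dev <if>",
# "martian destination <ip1> from <ip2>, dev <if>", "ll header: <dst mac>:<src mac>:<type>".
MARTIAN_RE = re.compile(r"martian (?P<kind>source|destination) (?P<addr>[\d.]+)"
                        r" from (?P<src>[\d.]+), (?:on )?dev (?P<dev>\S+)")
LL_RE = re.compile(r"ll header: (?P<hdr>(?:[0-9a-f]{2}:){13}[0-9a-f]{2})")

def parse_ll_header(hdr):
    """Split the 14-byte Ethernet header into dst MAC, src MAC and EtherType."""
    o = hdr.split(":")
    return {"dst_mac": ":".join(o[0:6]), "src_mac": ":".join(o[6:12]),
            "ethertype": "".join(o[12:14])}  # "0800" is IPv4, as noted in the thread

def parse_martians(lines):
    """One event per 'martian ...' line; a following 'll header' line is attached to it."""
    events = []
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            events.append(m.groupdict())
            continue
        h = LL_RE.search(line)
        if h and events and "dst_mac" not in events[-1]:
            ev = events[-1]
            ev.update(parse_ll_header(h["hdr"]))
            ev["broadcast"] = ev["dst_mac"] == "ff:ff:ff:ff:ff:ff"
            # Broadcast frame whose IP "from" address is 0.0.0.0: sender has no address yet.
            ev["unaddressed_broadcast"] = ev["broadcast"] and ev["src"] == "0.0.0.0"
    return events

def summarize(events):
    """Per sending MAC: frames seen, how many fit the 0.0.0.0 broadcast pattern, distinct IPs."""
    per_mac = {}
    for ev in events:
        if "src_mac" not in ev:
            continue  # 'martian destination' lines carry no ll header in the posted log
        s = per_mac.setdefault(ev["src_mac"], {"frames": 0, "unaddressed_broadcast": 0, "ips": set()})
        s["frames"] += 1
        s["unaddressed_broadcast"] += int(ev["unaddressed_broadcast"])
        s["ips"].add(ev["addr"])
    return per_mac

# Lines taken from the log quoted in the thread.
SAMPLE = """\
Apr 1 08:56:52 gateway kernel: martian source 77.61.167.146 from 0.0.0.0, on dev eth0
Apr 1 08:56:52 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00
Apr 1 08:57:09 gateway kernel: martian destination 0.0.0.0 from 75.193.144.186, dev eth0
Apr 1 08:57:09 gateway kernel: martian source 75.193.144.186 from 0.0.0.0, on dev eth0
Apr 1 08:57:09 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:30:48:85:17:b9:08:00
""".splitlines()
```

Running summarize(parse_martians(SAMPLE)) shows every frame coming from the one MAC the ISP identified as its gateway, all of them broadcasts from 0.0.0.0, while the other address changes each time.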