Martian Packets from Dedicated Allocation (networks)

Klaipedaville · 08-14-2019, 12:30 AM

Hello guys,

Could anybody advise me please, on kernel's logging martian packets oddity?

The reason is that it logs connections that come from privately allocated networks (dedicated allocation). These are not regular martians such as 0.0.0.0/8, 127.0.0.0/8 and the like but it looks like this,

Code:

martian source my-ip-address from 146.88.240.4, on dev eth0

When I check on from IP addresses whois, their NetType: always says either Direct Allocation or Direct Assignment (feel free to check on 146.88.240.4 it's the real one).

Now the question is how do I block it (iptables?) and should I be generally worried about it? I mean are there any itables or any other general rules to block it, because it will take me forever to block millions of IP addresses one by one. I can turn off martian logging of course and the problem is solved but as far as I know I am not supposed to have them bugging my server's resources.

Would also highly appreciate it if someone could possibly guide me on how to check on my network, because these martians could also be the reason for some light network configuration issues. Although it's up and running perfectly well and I do not see any problems.

Many thanks in advance!

business_kid · 08-14-2019, 05:24 AM

If the IP keeps changing, I don't see how you can block them. Maybe if they're directed at a port or type, you can block those ports or types you're not using.

Klaipedaville · 08-14-2019, 09:25 AM

These are kinda martian packets, business kid. I mean to say they are most probably spoofed as nothing can be routed back to them. You can drop or reject let's say all the SYN packets by iptables for example -A INPUT -p tcp --syn -m state --state NEW -j DROP and I was wondering if there is anything like that for martian packets, for instance -A INPUT -p tcp --martian -m state --state NEW -j DROP.. or just any other general ways to block them in bulk, not one by one.. and there isn't just one IP, there are millions of them changing all the time..

business_kid · 08-14-2019, 10:52 AM

'Martian' isn't a packet type I came accross. What's in the header? Can you get a MAC address, and is there anything there?

Klaipedaville · 08-14-2019, 01:23 PM

There are no headers. It's all at the kernel level. It's not seen anywhere else unless you turn on the logging. It simply wastes your server's resources. You turn it on like this in /etc/sysctl.conf:

net.ipv4.conf.all.log_martians
net.ipv4.conf.default.log_martians

Feel free to learn about martian packets here https://www.cyberciti.biz/faq/linux-...rce-addresses/ or simply google it.