Hi, I had a similar problem with a friend's router: got hundreds of martian source packets from 10.0.0.1 on ppp0. After trying to locate the problem on the router with no results we called the provider. The next day the problem was gone! I think it was a misconfigured router on the provider's side. Mike
-----Original Message----- From: Pep Serrano [mailto:mylists@montblanc.homeip.net] Sent: Wednesday, 17 September 2003 17:20 To: suse-security@suse.com Subject: [suse-security] martian source messages
Hi all
I am getting the following martian kernel messages since I changed my ISP:
martian source 81.56.221.174 from 127.0.0.1, on dev ppp0 ll header: 45:08:00:28:da:b8:00:00:7d:06:b5:27:7f:00:00:01:51:38:dd:ae:00:50
Now here is the configuration of my box:
I have an ADSL/Ethernet modem on ppp0: ppp0 Link encap:Point-to-Point Protocol inet addr:81.56.221.174 P-t-P:192.168.254.254 Mask:255.255.255.255
The modem is connected to eth0: eth0 Link encap:Ethernet HWaddr 00:60:97:4B:82:AA inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
Additionally I have the loopback interface(127.0.0.1) and one more interface for local network: eth1 Link encap:Ethernet HWaddr 00:60:97:75:B4:28 inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0
I am running SuSEfirewall2 as FW and NAT router. Here are the main config parameters:
FW_DEV_EXT="ppp0 eth0" FW_DEV_INT="lo eth1" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="ppp0"
I don't see where I am getting these "martian packets" from. I need some help.
Cheers Pep Serrano.
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Sent via mail server: begros.de! Despite careful virus scanning, we cannot accept liability for any damage caused by undetected computer viruses.
Hi friends,

I got an answer from a friend of mine. This weird traffic comes from Blaster. Check http://www.goonda.org/lists/dragonidsuser/2003-08/msg00095.htm to see the details.

My error was to monitor traffic on ppp0 and believe that packets from 127.0.0.1 to my ppp0 IP were in the inside-to-outside direction... Actually those packets were coming from outside to inside (from some clever Windows guy). The lesson learned is that you must monitor traffic at at least two points when the packets are weird: if I had monitored my loopback interface at the same time (that simple, God!) I would have seen there was no real traffic coming out from my local 127.0.0.1.

Now I ask myself, shouldn't my ISP stop routing packets which contain a local 127.0.0.0/32 IP as dest/orig?

My second question is about how to stop that... Before turning off the martian logs (which I would like to keep on), I am going to try an iptables rule so I drop any packets coming to ppp0 from any 127.0.0.0/32. Anybody tried that already? Will that stop those Blaster martian logs? I'll try it out and I'll tell you what happens.

It's hard to escape Windows bullshit even for Unix users... I propose a separate "winnet" optimized for their MMS needs!!!

Regards, Pep Serrano.
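The "ll header" bytes in the martian message quoted earlier in this thread are the start of the offending packet itself, so the direction question above can be settled from the log alone. The following Python is an added example, not code from the thread or from any of its participants: it parses such a kernel line, decodes the IPv4 header it carries, verifies the header checksum, classifies the source against loopback/RFC 1918 and similar blocks, and flags a packet as inbound spoofing when such a source shows up on an Internet-facing device. The EXTERNAL_DEVS set and the bogon list are this example's own assumptions (the device names mirror the FW_DEV_EXT setting posted above); the sample line is the one quoted in the thread, reused as test input.

```python
import ipaddress
import re
import struct

# Constructed sample input: the kernel message quoted earlier in this thread,
# reused verbatim as test data (not a new capture).
SAMPLE_LINE = (
    "martian source 81.56.221.174 from 127.0.0.1, on dev ppp0 ll header: "
    "45:08:00:28:da:b8:00:00:7d:06:b5:27:7f:00:00:01:51:38:dd:ae:00:50"
)

# Assumption for this example: devices treated as Internet-facing.
# Mirrors FW_DEV_EXT="ppp0 eth0" from the posted SuSEfirewall2 config.
EXTERNAL_DEVS = {"ppp0", "eth0"}

# Source blocks that must never arrive from the Internet: loopback (RFC 1122),
# RFC 1918 private space, link-local, multicast and reserved space.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)"
    r" ll header: (?P<hdr>[0-9a-fA-F:]+)"
)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.

    Applied to a complete IPv4 header (checksum field included) the result
    is 0 when the header is intact.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def bogon_block(addr: str):
    """Return the bogon block containing addr, or None for a routable source."""
    ip = ipaddress.ip_address(addr)
    for net in BOGON_SOURCES:
        if ip in net:
            return str(net)
    return None


def parse_martian(line: str) -> dict:
    """Decode one 'martian source' kernel line and the packet header it dumps."""
    m = MARTIAN_RE.search(line)
    if not m:
        raise ValueError("not a martian-source line")
    raw = bytes.fromhex(m["hdr"].replace(":", ""))
    # On the PPP link the dumped bytes begin with the IPv4 header itself
    # (0x45 = version 4, IHL 5), which is what the quoted line shows.
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("ll header does not start with an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4
    (_ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src_raw, dst_raw) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    src = str(ipaddress.IPv4Address(src_raw))
    dst = str(ipaddress.IPv4Address(dst_raw))
    # Only the first two bytes of the transport header survive in the dump;
    # for TCP and UDP that is the source port.
    l4 = raw[ihl:]
    sport = struct.unpack("!H", l4[:2])[0] if len(l4) >= 2 else None
    block = bogon_block(src)
    return {
        "dev": m["dev"],
        "src": src,
        "dst": dst,
        "header_matches_log": src == m["src"] and dst == m["dst"],
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ip_checksum(raw[:ihl]) == 0,
        "src_port": sport,
        "src_bogon": block,
        # A loopback or private source seen on an external device cannot have
        # been generated by this host: somebody on the far side sent it to us.
        "spoofed_inbound": block is not None and m["dev"] in EXTERNAL_DEVS,
    }


def summarize(lines) -> dict:
    """Count spoofed inbound martians per (device, bogon block) over a log."""
    counts = {}
    for line in lines:
        try:
            r = parse_martian(line)
        except ValueError:
            continue
        if r["spoofed_inbound"]:
            key = (r["dev"], r["src_bogon"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Run on the quoted line, the decoder reports an intact header (checksum verifies), protocol 6 (TCP), total length 40, source port 80 and a TTL of 125. A packet that really left the local loopback would carry Linux's default initial TTL of 64 and would never be seen on ppp0 at all; 125 is consistent with a remote host that started at 128 and crossed three routers, which supports the outside-to-inside conclusion drawn above. Note also that the loopback block defined in RFC 1122 is 127.0.0.0/8, so a drop rule that is meant to catch this traffic should cover the whole /8 rather than a single /32.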
Pep Serrano wrote:
Now I ask myself, should'nt my ISP stop routing packets which contain a local 127.0.0.0/32 IP as dest/orig ?
Actually, NO. An ISP should be transparent. YOU should block whatever you want for your own network. Regards - Giannis Stoilis
On Saturday 20 September 2003 14:23, Stoilis Giannis wrote:
Actually, NO. An ISP should be transparent. YOU should block whatever you want for your own network.
I couldn't disagree more. IMHO an ISP shouldn't route ANY packet that has got a source address outside their network (including localhost), no matter where it's going to. If every ISP would follow this simple rule, it would be much easier to crack down on (D)DoS attacks. Best regards, Arjen
Hi! Isn't there an RFC which states that Internet routers must not route the reserved IP addresses? I also want my ISP to be transparent, so it keeps being INTERNET. But the reserved IPs are not Internet anyway.
On Saturday 20 September 2003 14:23, Stoilis Giannis wrote:
Now I ask myself, should'nt my ISP stop routing packets which contain a local 127.0.0.0/32 IP as dest/orig ?
Actually, NO. An ISP should be transparent. YOU should block whatever you want for your own network.
On Sat, 2003-09-20 at 21:06, Pep Serrano wrote:
Hi!
Isn't there an RFC which states that Internet routers must not route the reserved IP addresses?
I also want my ISP to be transparent, so it keeps being INTERNET. But the reserved IPs are not Internet anyway.
What ISP are you with? I want to make sure I'm not with them ...
That's what VPNs are for. An open ISP would just promote DoS attacks, M$ viri, and dirty networks caused by UDP broadcasting. Rather set up a VPN between the networks or machines that need to communicate via non-standard protocols.
On Saturday 20 September 2003 14:23, Stoilis Giannis wrote:
Now I ask myself, should'nt my ISP stop routing packets which contain a local 127.0.0.0/32 IP as dest/orig ?
Actually, NO. An ISP should be transparent. YOU should block whatever you want for your own network.
--
Raymond Leach
On Saturday 20 September 2003 21:06, Pep Serrano wrote:
Isn't there an RFC which states that Internet routers must not route the reserved IP addresses?
There is, RFC 1918 - Address Allocation for Private Internets although this document is about the private address space (not loopback address).
I also want my ISP to be transparent, so it keeps being INTERNET. But the reserved IPs are not internet anyway.
It may not be coming from your ISP. My guess is that you have cable internet. If so, these packets are most likely from computers within the same network segment as you are. Check the network mask of the IP of your uplink. If you don't have a netmask equal to 255.255.255.255, the spoofed packets are most likely NOT coming from your ISP. Every packet travelling on that segment is not subject to routing by your ISP. Best regards, Arjen
participants (5)
- Arjen de Korte
- Pep Serrano
- Ray Leach
- Stoilis Giannis
- Wanning, Mike