Oct 23 15:34:38 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 23 15:34:38 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00

--> As I heard, this problem is known and it is not an intrusion by another system; there is a misconfigured address somewhere in the system or in the kernel. But this message is filling my logs and my disks. So:
- Is it like I heard? (hopefully yes)
- How can I solve this problem, so I will not get any more messages in my logs for that?

Thanks in advance!
Roger
On Wed, 2002-10-23 at 15:38, Grosswiler Roger wrote:
> Oct 23 15:34:38 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
> Oct 23 15:34:38 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
Could be something like a smurf attack. A workstation pretending to be all the addresses on the network ....
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
On Wed, 23 Oct 2002, Raymond Leach wrote:
> Could be something like a smurf attack. A workstation pretending to be all the addresses on the network ....

Right, we have those "martian source" loggings on the external interface at our inner FW, too ;)

But it also can come from the inner network, when you configure a machine on the same hub/switch with different network addresses (e.g. you have 192.168.0.0/24, but your normal network has 10.0.0.0/24).

These times I can't see any security related problems at all - but any comments are welcome...

Greetings,
--
Jörg Henner                                Phone: +49 (7 11) 48 90 83 - 0
ETES - EDV-Systemhaus GbR                  Fax:   +49 (7 11) 48 90 83 - 50
Libanonstrasse 58 A * D-70184 Stuttgart    Web:   http://www.etes.de
> On Wed, 23 Oct 2002, Raymond Leach wrote:
> > Could be something like a smurf attack. A workstation pretending to be all the addresses on the network ....
>
> Right, we have those "martian source" loggings on the external interface at our inner FW, too ;)
>
> But it also can come from the inner network, when you configure a machine on the same hub/switch with different network addresses (e.g. you have 192.168.0.0/24, but your normal network has 10.0.0.0/24).

Is there a possibility to find out? Is there a small tool somewhere around?

> These times I can't see any security related problems at all - but any comments are welcome...

I found a lot of entries on Google; unfortunately I am not a technician, so it was not really helpful... see
http://www.geocrawler.com/archives/3/287/2000/8/0/4275081/
http://boudicca.tux.org/mhonarc/ma-linux/2001-Jan/msg00370.html
..perhaps a little helper... thanks for your help!
On Wed, 23 Oct 2002, Grosswiler Roger wrote:
> > But it also can come from the inner network, when you configure a machine on the same hub/switch with different network addresses (e.g. you have 192.168.0.0/24, but your normal network has 10.0.0.0/24).
> Is there a possibility to find out? Is there a small tool somewhere around?

Ethereal, tcpdump .... try to find the MAC address ;)

Another workaround could be:
- halve your network (unplug 50% of all network connectors from your hub/switch), and see whether the problem is in the remaining 50%
=> do this as often as you need...
(this was a helpful idea/problem-solving approach from the older BNC-based networks ;)

> > These times I can't see any security related problems at all - but any comments are welcome...
> I found a lot of entries on Google; unfortunately I am not a technician, so it was not really helpful... see
> http://www.geocrawler.com/archives/3/287/2000/8/0/4275081/
> http://boudicca.tux.org/mhonarc/ma-linux/2001-Jan/msg00370.html
> ..perhaps a little helper... thanks for your help!

Those articles list the kernel setup and/or state how to define it at run time within the /proc filesystem. Other articles relate to the kernel source ;)

Greetings,
Jörg Henner
______________________________________
Inflex - eMail Scanning and Protection
Queries to: postmaster@etes.de
On Wed, Oct 23, 2002 at 04:34:53PM +0200, Joerg Henner wrote:
> Ethereal, tcpdump .... try to find the MAC address ;)

The MAC address was in the log message, FWIW:

ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
                             ^^^^^^^^^^^^^^^^^

Olaf
--
Olaf Kirch      | Anyone who has had to work with X.509 has probably
okir@suse.de    | experienced what can best be described as
----------------+ ISO water torture. -- Peter Gutmann
On Wed, 23 Oct 2002, Olaf Kirch wrote:
> > Ethereal, tcpdump .... try to find the MAC address ;)
> The MAC address was in the log message, FWIW:
> ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
>                              ^^^^^^^^^^^^^^^^^

*giggl* - well, I meant that HE has to find the network card with the specified MAC address ;))))

Greetings,
Jörg Henner
Joerg Henner wrote: [...]
> > ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
> >                              ^^^^^^^^^^^^^^^^^
> *giggl* - well, I meant that HE has to find the network card with the specified MAC address ;))))

arp

Or am I missing something here?

Christian
> Joerg Henner wrote: [...]
> > > ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
> > >                              ^^^^^^^^^^^^^^^^^

This does not really seem to be a MAC address..
http://www.susesecurity.com/faq/ -> see about in the middle for Martians...
I found another link... how about this one?

> > *giggl* - well, I meant that HE has to find the network card with the specified MAC address ;))))
>
> arp
>
> Or am I missing something here?
>
> Christian
On Thu, Oct 24, 2002 at 07:48:58AM +0200, Grosswiler Roger wrote:
> > ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
> >                              ^^^^^^^^^^^^^^^^^
> This does not really seem to be a MAC address..

What makes you think so? The kernel logs the low-level header, which, in this case, is an Ethernet header. An Ethernet header looks like this:

- 6 bytes of destination MAC. A MAC of all ones is the Ethernet broadcast address.
- 6 bytes of source MAC. 00:09:7b:8d:08:54 in this case.
- 2 bytes of either packet length for LLC and all that garbage, or a packet type. 0x800 is the packet type for IP.

All you need to do is find the host on your networks that has an Ethernet card with said MAC address.

One possible explanation for this case of Martians may be that you have a machine with two network cards connected to the same physical network, either by design or accident. Which would explain why the kernel printk is only triggered by broadcasts.

My guess is that this is more of a misconfiguration issue than a security related problem.

> I found another link... how about this one?

Which one? :)

Olaf
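Olaf's breakdown of the "ll header" line can be applied mechanically. The following is an added example, not code from the thread: it splits the kernel's colon-separated hex dump into destination MAC, source MAC and EtherType (or 802.3 length), flags the broadcast destination, and pairs the result with the "martian source" line the kernel prints just before it. The two sample lines are the ones quoted in this thread; the function names and the small EtherType table are the example's own.

```python
import re

# Constructed sample: the two consecutive kernel lines quoted in this thread.
SAMPLE_MARTIAN = ("Oct 23 15:34:38 trinity kernel: martian source 255.255.255.255 "
                  "from 10.225.80.1, on dev eth1")
SAMPLE_LL_HEADER = ("Oct 23 15:34:38 trinity kernel: ll header: "
                    "ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00")

MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")
LL_HEADER_RE = re.compile(r"ll header: (?P<hex>(?:[0-9a-fA-F]{2}:?)+)")

# A few EtherType values worth recognising; anything else is shown numerically.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8100: "802.1Q", 0x86DD: "IPv6"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def decode_ll_header(hex_bytes):
    """Split the kernel's colon-separated dump into the three Ethernet header fields."""
    octets = hex_bytes.strip().split(":")
    if len(octets) < 14:
        raise ValueError("Ethernet header needs 14 bytes, got %d" % len(octets))
    dst = ":".join(octets[0:6])                      # bytes 0-5: destination MAC
    src = ":".join(octets[6:12])                     # bytes 6-11: source MAC
    type_or_len = int(octets[12] + octets[13], 16)   # bytes 12-13
    # Values >= 0x0600 are an EtherType; smaller ones are an 802.3 frame length (LLC follows).
    if type_or_len >= 0x0600:
        kind = ETHERTYPES.get(type_or_len, "ethertype 0x%04x" % type_or_len)
    else:
        kind = "802.3 length %d" % type_or_len
    return {"dst_mac": dst, "src_mac": src,
            "dst_is_broadcast": dst == BROADCAST, "type": kind}


def parse_martian_pair(martian_line, ll_header_line):
    """Merge the 'martian source' line with the 'll header' line the kernel prints after it."""
    m = MARTIAN_RE.search(martian_line)
    h = LL_HEADER_RE.search(ll_header_line)
    if not m or not h:
        raise ValueError("not a martian source / ll header pair")
    info = decode_ll_header(h.group("hex"))
    info["claimed_src_ip"] = m.group("src")
    info["dst_ip"] = m.group("dst")
    info["dev"] = m.group("dev")
    return info


if __name__ == "__main__":
    for field, value in parse_martian_pair(SAMPLE_MARTIAN, SAMPLE_LL_HEADER).items():
        print("%-17s %s" % (field + ":", value))
```

The src_mac field is the value to look up with arp -n on the interface named in the first line; the claimed source IP cannot be trusted, the Ethernet source usually can, since it was put there by whatever box is physically on that segment.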
On Thu, 24 Oct 2002 08:39:17 +0200, Olaf Kirch wrote:
> One possible explanation for this case of Martians may be that you have a machine with two network cards connected to the same physical network, either by design or accident. Which would explain why the kernel printk is only triggered by broadcasts.
>
> My guess is that this is more of a misconfiguration issue than a security related problem.

I get these logs from machines with virtual interfaces (eth0:1). The box often uses the eth0:0 address instead of the address from eth0:1.
--
andy
On Thu, 24 Oct 2002, Grosswiler Roger wrote:
> > Joerg Henner wrote: [...]
> > > ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
> > >                              ^^^^^^^^^^^^^^^^^
> This does not really seem to be a MAC address..
> http://www.susesecurity.com/faq/ -> see about in the middle for Martians...
> I found another link... how about this one?
> > arp
> > Or am I missing something here?
> > Christian

ok, Roger gave you the link where to read more about it.

This is a message from kernel routing. Please check both lines in /var/log/messages: the first one tells you the (claimed) source IP and the destination IP and the interface where it was detected. The second one (see above) contains the MACs from where to where the packet should be routed. Both should be interfaces on the same net segment; one belongs probably to the listed interface (eth0).

What do these messages tell you?
If the (claimed) source IP is a valid IP in your LAN, and these messages are random somehow (well, I need to explain this in more detail ..), then it's most likely a mis-configured client, for example routing (see the docs mentioned above).
If the source IP is not valid in your LAN, and you have these messages in a sequence (for example every 2 seconds, or increasing IP), then it's most likely that someone scans with spoofed IPs.

What to do?
If you don't care about the scans (probably 'cause you know that your firewall is prepared for it:), then you may just ignore these messages.
If you feel that it's a mis-configured client, fix it.
You simply may switch off the logging by
echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians

Does this answer your question?
Achim
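Achim's rule of thumb (a source inside your own prefixes arriving at random times points to a misconfigured host; a source outside them arriving in a fixed rhythm or with increasing addresses points to a scan with spoofed sources) can be run over /var/log/messages instead of eyeballed. The following is an added example and not code from the thread. The log excerpt is constructed: the first three pairs copy the message from this thread, the 192.0.2.x and 198.51.100.7 lines are invented to show the other two outcomes. The local prefixes are an assumption taken from the ifconfig output Roger posts later in the thread (10.0.0.0/8 on eth0, 217.162.200.80 with mask 255.255.248.0 on eth1); replace them with your own.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Syslog line written by the kernel for each martian; the "ll header:" line
# that follows it is not needed for this rule of thumb.
MARTIAN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: martian source "
    r"(?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)"
)

# Assumed local prefixes ("a valid IP in your LAN"); replace with your own.
LOCAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),        # eth0, LAN
    ipaddress.ip_network("217.162.200.0/21"),  # eth1, cable modem side
]

# Constructed excerpt: three pairs copied from the thread, the rest invented.
SAMPLE_LOG = """\
Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:00:23 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
Oct 24 00:03:41 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:03:41 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
Oct 24 00:11:09 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:11:09 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
Oct 24 01:10:00 trinity kernel: martian source 10.0.0.2 from 192.0.2.1, on dev eth1
Oct 24 01:10:02 trinity kernel: martian source 10.0.0.2 from 192.0.2.2, on dev eth1
Oct 24 01:10:04 trinity kernel: martian source 10.0.0.2 from 192.0.2.3, on dev eth1
Oct 24 01:10:06 trinity kernel: martian source 10.0.0.2 from 192.0.2.4, on dev eth1
Oct 24 02:00:00 trinity kernel: martian source 10.0.0.2 from 198.51.100.7, on dev eth0
"""


def parse_events(log_text, year=2002):
    """Return one event dict per 'martian source' line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": ipaddress.ip_address(m.group("src")),
                       "dst": m.group("dst"), "dev": m.group("dev")})
    return events


def is_regular(times, tolerance=1.0):
    """At least three events with (nearly) the same gap between them."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= tolerance


def is_increasing(addrs):
    """At least three sources that go strictly up (a sweep of spoofed addresses)."""
    return len(addrs) >= 3 and all(a < b for a, b in zip(addrs, addrs[1:]))


def triage(events, local_nets):
    """Per interface: split sources into own-LAN and foreign, apply the rule of thumb."""
    by_dev = defaultdict(list)
    for e in events:
        by_dev[e["dev"]].append(e)
    verdicts = {}
    for dev, evs in by_dev.items():
        evs.sort(key=lambda e: e["ts"])
        local = [e for e in evs if any(e["src"] in n for n in local_nets)]
        foreign = [e for e in evs if not any(e["src"] in n for n in local_nets)]
        if local:
            verdicts[(dev, "local")] = ("own-LAN address arriving on this interface: most likely a "
                                        "misconfigured host or cabling; identify it via the source "
                                        "MAC in the ll header line (arp -n)")
        if foreign:
            patterned = (is_regular([e["ts"] for e in foreign])
                         or is_increasing([e["src"] for e in foreign]))
            verdicts[(dev, "foreign")] = (
                "foreign sources in a sequence (fixed interval or increasing addresses): "
                "looks like a scan with spoofed source IPs; make sure the firewall drops them"
                if patterned else
                "sporadic foreign source(s): no pattern, check the upstream router before worrying")
    return verdicts


if __name__ == "__main__":
    for key, verdict in sorted(triage(parse_events(SAMPLE_LOG), LOCAL_NETS).items()):
        print("%s/%s: %s" % (key[0], key[1], verdict))
```

Note what the thread's own case looks like under this rule: 10.225.80.1 lies inside 10.0.0.0/8 but arrives on eth1, so it lands in the "own-LAN address on the wrong interface" bucket, which is exactly the misconfiguration hunt the replies above describe.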
> On Thu, 24 Oct 2002, Grosswiler Roger wrote:
> > > Joerg Henner wrote: [...]
> > > > ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
> > > >                              ^^^^^^^^^^^^^^^^^
> > This does not really seem to be a MAC address..
> > http://www.susesecurity.com/faq/ -> see about in the middle for Martians...
> > I found another link... how about this one?

Once again, complete:

Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:00:23 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00

> > > > *giggl* - well, I meant that HE has to find the network card with the specified MAC address ;))))
> > > arp

arp -n was a good idea...

Address          HWtype  HWaddress           Flags Mask  Iface
217.162.200.1    ether   00:09:7B:8D:08:54   C           eth1

My net is Class A 10.0.0.0
Subnet is 255.0.0.0
IP 217.162.200.80 -> one IP of my cable modem

My server really has 2 network cards:
eth0 -> LAN 10.0.0.0/8
eth1 -> WAN 217.162.200.80/cable modem

2 interfaces are needed for the routing between internet/LAN, see ifconfig below. I am nearly sure that there is a misconfiguration error.

eth0      Link encap:Ethernet  HWaddr 00:04:5A:65:F8:B7
          inet addr:10.0.0.2  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::204:5aff:fe65:f8b7/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29371 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27561 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4649259 (4.4 Mb)  TX bytes:5552056 (5.2 Mb)
          Interrupt:5 Base address:0x7000

eth1      Link encap:Ethernet  HWaddr 00:00:E8:56:EB:D7
          inet addr:217.162.200.80  Bcast:255.255.255.255  Mask:255.255.248.0
          inet6 addr: fe80::200:e8ff:fe56:ebd7/10 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2514331 errors:0 dropped:0 overruns:0 frame:0
          TX packets:644829 errors:0 dropped:0 overruns:0 carrier:0
          collisions:428 txqueuelen:100
          RX bytes:181205855 (172.8 Mb)  TX bytes:112859445 (107.6 Mb)
          Interrupt:11 Base address:0x220

> > > Or am I missing something here?
> > > Christian
>
> ok, Roger gave you the link where to read more about it.
> This is a message from kernel routing. [...]
> You simply may switch off the logging by
> echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians

I've done this, as normally I trust my firewall....

> Does this answer your question?
> Achim
> On Thu, 24 Oct 2002, Grosswiler Roger wrote:
> [...]
> What to do? If you don't care about the scans (probably 'cause you know that your firewall is prepared for it:), then you may just ignore these messages. If you feel that it's a mis-configured client, fix it. You simply may switch off the logging by
> echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians

By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work, as I still get those messages...

> Does this answer your question?
> Achim
On Thu, 24 Oct 2002, Grosswiler Roger wrote:
> > You simply may switch off the logging by
> > echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians
> By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work, as I still get those messages...

Silly question: are you sure that you did it for the right interface: eth1 ?
Achim
> On Thu, 24 Oct 2002, Grosswiler Roger wrote:
> > > You simply may switch off the logging by
> > > echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians
> > By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work, as I still get those messages...
>
> Silly question: are you sure that you did it for the right interface: eth1 ?

Yes, this was copy-paste of what I was typing...

> Achim
On Thu, 24 Oct 2002 10:11:57 +0200 (CEST), "Grosswiler Roger" wrote:
> > On Thu, 24 Oct 2002, Grosswiler Roger wrote:
> > [...]
> > You simply may switch off the logging by
> > echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians
>
> By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work, as I still get those messages...

Please try

echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians
echo 0 >/proc/sys/net/ipv4/conf/all/log_martians
echo 0 >/proc/sys/net/ipv4/conf/default/log_martians

> > Does this answer your question?
> > Achim
--
------------------------
/"\   Andreas.Tirok@beusen.de
\ /   ASCII Ribbon Campaign     phone: +49 30 549932-0
 X    Against HTML Mail         fax:   +49 30 549932-21
/ \
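Why clearing only conf/eth1/log_martians was not enough: the kernel decides whether to log a martian on an interface by OR-ing conf/all/log_martians with conf/<interface>/log_martians, so as long as all is still 1 the per-interface 0 changes nothing; conf/default only seeds interfaces created afterwards (a PPP link that comes up later, for instance). The example below is added here and is not from the thread. It reads the same files the echo commands write, reports the effective setting for an interface and lists which files still have to be cleared. To run it offline it rebuilds the proc layout under a temporary directory (an assumption for the example); pass root="/" to inspect a live system, where reading is harmless and the echo lines it prints are what you would type as root.

```python
import os
import tempfile

CONF = "proc/sys/net/ipv4/conf"


def _read_flag(root, scope):
    """Read <root>/proc/sys/net/ipv4/conf/<scope>/log_martians as a boolean."""
    with open(os.path.join(root, CONF, scope, "log_martians")) as fh:
        return fh.read().strip() != "0"


def effective_log_martians(iface, root="/"):
    """The kernel's own rule: a martian on <iface> is logged when
    conf/all/log_martians OR conf/<iface>/log_martians is non-zero."""
    return _read_flag(root, "all") or _read_flag(root, iface)


def files_to_clear(iface, root="/"):
    """log_martians files still set that have to receive a 0 before the
    messages for <iface> stop. 'default' is listed too: it does not affect
    existing interfaces, but seeds any interface that appears later."""
    return [os.path.join(root, CONF, scope, "log_martians")
            for scope in ("all", iface, "default")
            if _read_flag(root, scope)]


def build_fake_tree(all_value, default_value, ifaces):
    """Assumption for running offline: a throwaway copy of the proc layout
    under a temporary directory, instead of touching the live /proc."""
    root = tempfile.mkdtemp(prefix="martians-")
    values = {"all": all_value, "default": default_value}
    values.update(ifaces)
    for scope, value in values.items():
        scope_dir = os.path.join(root, CONF, scope)
        os.makedirs(scope_dir)
        with open(os.path.join(scope_dir, "log_martians"), "w") as fh:
            fh.write("%d\n" % value)
    return root


if __name__ == "__main__":
    # The situation in the thread: eth1 already cleared, 'all' still at 1.
    root = build_fake_tree(all_value=1, default_value=1, ifaces={"eth0": 1, "eth1": 0})
    print("eth1 martians still logged:", effective_log_martians("eth1", root))
    for path in files_to_clear("eth1", root):
        print("echo 0 >", path[len(root):])
```

Turning the logging off is a convenience, not a fix: the packets are still being dropped by the reverse-path check, and the source MAC from the ll header line is the lead for finding out who sends them.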
> On Thu, 24 Oct 2002 10:11:57 +0200 (CEST), "Grosswiler Roger" wrote:
> [...]
> > By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work, as I still get those messages...
>
> Please try
>
> echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians
> echo 0 >/proc/sys/net/ipv4/conf/all/log_martians
> echo 0 >/proc/sys/net/ipv4/conf/default/log_martians

Yop! Now I don't get them any longer! Thanks!
Often this also happens when the patch cables are plugged in the wrong way; the LAN side cable is then in the WAN side slot... Did you check this out?

Greetings
Reinhardt

Kind regards
Comptek informatik AG
Reinhardt Klippel
________________________________
Comptek informatik AG
Poststrasse 9
CH-6300 Zug
Tel. ++41 +41 720 20 90
Fax ++41 +41 720 20 99
http://www.comptek.ch
________________________________

At 16:34 23.10.2002 +0200, Joerg Henner wrote:
> On Wed, 23 Oct 2002, Grosswiler Roger wrote:
> > Is there a possibility to find out? Is there a small tool somewhere around?
>
> Ethereal, tcpdump .... try to find the MAC address ;)
>
> Another workaround could be:
> - halve your network (unplug 50% of all network connectors from your hub/switch), and see whether the problem is in the remaining 50%
> => do this as often as you need...
> (this was a helpful idea/problem-solving approach from the older BNC-based networks ;)
> [...]
participants (8)
- Achim Hoffmann
- Andreas Tirok
- Christian Lox
- Comptek informatik AG - R. Klippel
- Grosswiler Roger
- Joerg Henner
- Olaf Kirch
- Raymond Leach