On Wed, Oct 22, 2003 at 01:04:46PM -0700, Micxz wrote:
> Has anyone else figured out what this was? Today I got:
>
> Oct 22 12:54:50 mars kernel: martian source xx.xxx.xx.xxx from 127.0.0.1, on dev ppp0
> Oct 22 12:54:50 mars kernel: ll header: 45:08:00:28

I received a dozen of those yesterday on my home system. What's more strange, the company's Checkpoint firewall started receiving the same spoofed packets this morning at 8. Something weird is really going on on the Internet.

> mars:~ # tcpdump -X -s 0 -n -vvv net 127.0.0.1 -i any
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any
> 12:54:50.901690 127.0.0.1.80 > xx.xxx.xx.xxx.1947: R [tcp sum ok] 0:0(0) ack 1759903745 win 0 (ttl 126, id 61929, len 40)
> 0x0000 4500 0028 f1e9 0000 7e06 3050 7f00 0001 E..(....~.0P....
> 0x0010 42f8 589d 0050 079b 0000 0000 68e6 0001 B.X..P......h...
> 0x0020 5014 0000 2468 0000 P...$h..
>
> Where xx.xxx.xx.xxx is my dialup IP on ppp0. I'm not sure what this means and I cannot read much of this packet info. Does anyone know why it's happening?

It's an ack packet sent (or pretending to have been sent) from port 80 from a spoofed localhost address.

I have another question. I have both FW_LOG_CRITICAL and FW_LOG_ALL set to "yes" but SuSEfirewall is not logging those spoofed packets from localhost. Does it mean that the kernel drops martian source packets before they reach iptables?

Thanks,
-Kastus
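What the quoted hex dump actually says, as an added example that is not code from either poster: the script below turns the `0xNNNN` lines of `tcpdump -X` back into bytes, decodes the IPv4 and TCP headers (source 127.0.0.1:80, destination port 1947, RST/ACK, TTL 126, IP id 61929, and a valid IP header checksum, so a deliberately built packet rather than line noise), and applies the static part of the kernel's martian-source test. The interface name `ppp0` and the MARTIAN_SOURCES list are assumptions for illustration. The kernel's martian check lives in the routing code, which runs after the PREROUTING hook but before the filter table's INPUT and FORWARD chains, so an iptables LOG rule in those chains never sees such a packet; that is consistent with the question closing the message.

```python
"""Decode the tcpdump -X hex dump quoted above and apply the kernel's
static martian-source test to it.

Added example for this thread, not code from either poster.  The hex
bytes are the ones in the quoted dump; the interface name "ppp0" and
the MARTIAN_SOURCES list are assumptions for illustration.
"""
import ipaddress
import re
import struct

# The three "0xNNNN ..." lines exactly as quoted in the thread.
TCPDUMP_HEX = """\
0x0000 4500 0028 f1e9 0000 7e06 3050 7f00 0001 E..(....~.0P....
0x0010 42f8 589d 0050 079b 0000 0000 68e6 0001 B.X..P......h...
0x0020 5014 0000 2468 0000 P...$h..
"""

# Offset, then up to eight 16-bit hex words; the ASCII column is left alone.
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{4}\s+){0,7}[0-9a-f]{4})")

# Source ranges the Linux routing code rejects outright as "martian" on a
# non-loopback interface (loopback, this-network, multicast, limited
# broadcast).  rp_filter failures are also reported as martians but need
# the routing table, so they are not modelled here (assumed list).
MARTIAN_SOURCES = [ipaddress.ip_network(n) for n in
                   ("127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]

TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -X output back into the raw packet bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def ipv4_checksum_ok(pkt: bytes) -> bool:
    """Ones'-complement sum over the IPv4 header, checksum field included,
    must fold to 0xFFFF; a valid sum says the header was built this way,
    not mangled in transit."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl:
        return False
    total = sum((pkt[i] << 8) | pkt[i + 1] for i in range(0, ihl, 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header and, for protocol 6, the TCP header after it."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len,
            "id": ident, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "ip_csum_ok": ipv4_checksum_ok(pkt)}
    if proto != 6:
        return info
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
                 "flags": [n for bit, n in TCP_FLAG_NAMES if off_flags & bit]})
    return info


def is_martian_source(src: str, ifname: str) -> bool:
    """Static part of the kernel's check: a reserved source on a non-loopback
    interface is what produces the 'martian source' log line (with
    net.ipv4.conf.<if>.log_martians=1)."""
    if ifname == "lo":
        return False
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MARTIAN_SOURCES)


def explain(dump: str, ifname: str) -> str:
    """One-line verdict on a dump, in the spirit of the kernel message."""
    p = decode_ipv4_tcp(hexdump_to_bytes(dump))
    line = (f"{p['src']}:{p.get('sport')} -> {p['dst']}:{p.get('dport')} "
            f"{'/'.join(p.get('flags', []))} ttl={p['ttl']} id={p['id']} "
            f"len={p['total_len']} ip_csum_ok={p['ip_csum_ok']}")
    if is_martian_source(p["src"], ifname):
        line += (f"; martian source {p['src']} on {ifname}: dropped by the "
                 "routing code, before the filter table's INPUT chain")
    return line


if __name__ == "__main__":
    print(explain(TCPDUMP_HEX, "ppp0"))
```

The decoder reads the dump rather than the interface, so it works offline on any pasted `tcpdump -X` output; to reproduce the kernel's full behaviour you would also need the reverse-path check (`rp_filter`), which depends on the live routing table.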