Martian source / Martian packets

In Linux, by default, packets are considered individually for routing purposes. Thus, all the routing algorithm determines where to send a packet based on that packet itself, without taking into consideration that the packet may be a response packet of sorts.

In a typical setup, this means that all outgoing traffic is going out over one interface, say, eth0 even if the incoming packet was sent to interface eth1.

One typical side effect of this algorithm is creation of so called "martian packets". A martian packet is an IP packet which specifies a source or destination address that is either reserved for special-use by Internet Assigned Numbers Authority (IANA) or does not belong to the subnet on which this interface exists, and that makes no sense. [RFC 1812]. For example, if two interfaces are connected to two subnets of 10 network, and default router is configured for eth0, then without expisit routing statement you can't respond to the packet send  to eth1, which is not on the local segment for this network.

In other words, a martian packet header source IP address is usually a IP address that iether:

  • should not be routable
  • came from a wrong subnet.

For example, a 127.0.0.0/8 IP address coming through a router, would be labeled as being martian, as such packets should be local only and should not travel via the network.

RFC 1812 defines the term a martian source the following way:

"An IP source address is invalid if it is a special IP address, as defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

"An IP destination address is invalid if it is among those defined as illegal destinations in 4.2.3.1, or is a Class E address (except 255.255.255.255).

"A router SHOULD NOT forward any packet that has an invalid IP source address or a source address on network 0. A router SHOULD NOT forward, except over a loop-back interface, any packet that has a source address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.

"A router SHOULD NOT forward any packet that has an invalid IP destination address or a destination address on network 0. A router SHOULD NOT forward, except over a loop-back interface, any packet that has a destination address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.

"If a router discards a packet because of these rules, it SHOULD log at least the IP source address, the IP destination address, and, if the problem was with the source address, the physical interface on which the packet was received and the link Layer address of the hostor router from which the packet was received."

Martian source is network traffic from the wrong subnet appearing on an interface. For example if:

eth0 has IP 192.168.0.1 on subnet 255.255.255.0

eth1 has IP 192.168.1.1 on subnet 255.255.255.0

This means that eth0 should only see IP traffic from IP addresses from its subnet (192.168.0.x) and eth1 should only see traffic from its subnet (192.168.1.x)

If an IP on the network is still configured with a previous network address (202.167.2.34) and is seen on eth1 it will be seen as martian source.

If one of the machines on the network 192.168.0.x is plugged into the wrong switch and is effectively on the same network segment (physical) as eth1, then you will see martian source from that IP address (or you have multiple networks that the Linux box is not aware of)

Martian source is not a major thing, but such messages help making you aware of the fact that something in your network setup is either setup incorrectly, or not configured optimally.

This behavior is controlled by setting in /etc/sysctl.conf

# Controls source route verification

net.ipv4.conf.default.rp_filter = 1

There is a other situation you can see the martian source.

Server 1 Server 2

eth0: 10.249.111.10   netmask 255.255.255.0

eth2: 192.168.111.10 netmask 255.255.255.0

eth2:1: 10.249.111.161 netmask 255.255.255.0

eth0: 10.249.111.11   netmask 255.255.255.0

eth2: 192.168.111.11 netmask 255.255.255.0

eth2:1: 10.249.111.162 netmask 255.255.255.0

Generally connect from server 1 eth0 to server 2 eth2:1 should be ok vice versa. But the kernel on server 2 will report :

IPv4: martian source 10.249.111.162 from 10.249.111.10, on dev eth2
ll header: 00000000: ff ff ff ff ff ff 02 13 02 00 28 7f 08 06 ..........(...

This is just first time the server 1 eth0 attempt to connect server 2 eth2:1 it will report the warning, first time will send arp request package. (When server 1 eth0 lost the server 2 eth2's mac address it will send arp request you will see this warning)

It looks like the kernel will compare with the source address with the eth2 address (192.168.111.xx) then it will find this is a martian source address.

Kernel just printk the source address and the actually destion address "martian source 10.249.111.162 from 10.249.111.10", is this a bug ? I think It should printk the eth2's address, that we know what happen.

What is martian source / martian packets的更多相关文章

  1. redis add 'vm.overcommit_memory = 1' to /etc/sysctl.conf

    w root@well:/etc# vim sysctl.conf #kernel.domainname = example.com # # /etc/sysctl.conf - Configurat ...

  2. MITM Proxy环境搭建

    MITM_Proxy环境搭建 环境要求 系统环境要求: Ubuntu 14.04 x64,CentOS 7 x64以上版本系统(建议使用xubuntu 14.04 x64,稳定硬件要求低) Pytho ...

  3. hadoop2.6.0 + hbase-1.0.0 伪分布配置

    1 基本配置 主机名: 192.168.145.154 hadoop2 ======= 2 etc/hadoop下文件配置 1)core-site.xml <configuration> ...

  4. Linux服务器下nginx的安全配置

    1.一些常识 linux下,要读取一个文件,首先需要具有对文件所在文件夹的执行权限,然后需要对文件的读取权限. php文件的执行不需要文件的执行权限,只需要nginx和php-fpm运行账户的读取权限 ...

  5. Windows Registry Security Check

    catalog . Windows注册表 . Windows注册表包含的攻击向量 . 注册表安全配置基线标定 1. Windows注册表 注册表(Registry,繁体中文版Windows称之为登录档 ...

  6. sysctl kernel parameter Optimization note

    syncookies cookies the connection state,when the ack arrives,then deal with the pause connection,ver ...

  7. nginx服务器中的安全配置

    一.关闭SELinux 安全增强型Linux(SELinux)的是一个Linux内核的功能,它提供支持访问控制的安全政策保护机制. 但是,SELinux带来的附加安全性和使用复杂性上不成比例,性价比不 ...

  8. 20步打造最安全的NGINX WEB服务器

    Nginx 是一个轻量级的,高性能的Web服务器以及反向代理和邮箱(IMAP/POP3)代理服务器.它运行在UNIX,GNU /linux,BSD 各种版本,Mac OS X,Solaris和Wind ...

  9. Linux System Reinforcement、Intrusion Detection Based On syslog

    目录 .文件系统及访问权限 . Linux Syslog . Linux日志审计 . 帐号安全管理 . 基础物理安全 . 系统编译环境安全 . 系统病毒.后门.rootkit安全 . 系统端口.服务安 ...

随机推荐

  1. ubuntu中下运行asp.net程序

    首先在ubuntu下面是不能直接运行VISUAL STUTIO的,必须借助mono开发工具和xsp4.0.那我们就来看一下在ubuntu的电脑中怎么安装这两个工具. 首先安装mono,打开终端,输入a ...

  2. Java项目经验

    Java项目经验 转自CSDN. Java就是用来做项目的!Java的主要应用领域就是企业级的项目开发!要想从事企业级的项目开发,你必须掌握如下要点:1.掌握项目开发的基本步骤2.具备极强的面向对象的 ...

  3. 测试中的几个case

    一.页面上对引起 大量数据提交的 按钮/链接 点击一次后,  disable 需求: 对于重要的表单.数量庞大/响应慢的系统,在做提交时, 又有页面还在loading状态, 此时连续做两次点击, 经常 ...

  4. XCode实用好用插件集锦

    工欲善其事,必先利其器,iOS开发运用插件可以大大提高开发的效率. 原文地址: http://www.oschina.net/project/tag/432/xcode-plugins

  5. android Locat工作日志的使用

    #3.Logcat日志工具的使用 日志的等级: error:最高等级,错误信息,红色 warn:比较高,警告信息,橙色 debug:较高,调试信息,蓝色 info:一般,一般信息,绿色 verbose ...

  6. OpenJudge 2753 菲波那契数列

    1.链接地址: http://bailian.openjudge.cn/practice/2753 2.题目: 总时间限制: 1000ms 内存限制: 65536kB 描述 菲波那契数列是指这样的数列 ...

  7. linux shell编程学习笔记(二) --- grep命令

    Linux系统中grep命令是一种强大的文本搜索工具,它能使用正则表达式搜索文本,并把匹 配的行打印出来.grep全称是Global Regular Expression Print,表示全局正则表达 ...

  8. 排序算法THREE:归并排序MergeSort

    /** *归并排序思路:分治法思想 O(nlogn) * 把数组一分为二,二分为四 * 四和为二,二和为一 * */ /** * 归并排序主方法 *@params 待排序的数组 *@params 初始 ...

  9. [CSS]visibility 属性

    定义和用法 visibility 属性规定元素是否可见. 提示:即使不可见的元素也会占据页面上的空间.请使用 "display" 属性来创建不占据页面空间的不可见元素. 说明 这个 ...

  10. Yii表单模型使用及以数组形式提交表单数据

    按Yii文档里的描述,Yii在处理表单的一般过程是: 创建表单对应的模型类,设置字段验证规则 创建表单提交对应的action,处理提交的内容 在视图中创建表单form 在刚刚的一个小项目里,想使用aj ...