Martian source / Martian packets

In Linux, by default, packets are considered individually for routing purposes. Thus, all the routing algorithm determines where to send a packet based on that packet itself, without taking into consideration that the packet may be a response packet of sorts.

In a typical setup, this means that all outgoing traffic is going out over one interface, say, eth0 even if the incoming packet was sent to interface eth1.

One typical side effect of this algorithm is creation of so called "martian packets". A martian packet is an IP packet which specifies a source or destination address that is either reserved for special-use by Internet Assigned Numbers Authority (IANA) or does not belong to the subnet on which this interface exists, and that makes no sense. [RFC 1812]. For example, if two interfaces are connected to two subnets of 10 network, and default router is configured for eth0, then without expisit routing statement you can't respond to the packet send  to eth1, which is not on the local segment for this network.

In other words, a martian packet header source IP address is usually a IP address that iether:

  • should not be routable
  • came from a wrong subnet.

For example, a 127.0.0.0/8 IP address coming through a router, would be labeled as being martian, as such packets should be local only and should not travel via the network.

RFC 1812 defines the term a martian source the following way:

"An IP source address is invalid if it is a special IP address, as defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

"An IP destination address is invalid if it is among those defined as illegal destinations in 4.2.3.1, or is a Class E address (except 255.255.255.255).

"A router SHOULD NOT forward any packet that has an invalid IP source address or a source address on network 0. A router SHOULD NOT forward, except over a loop-back interface, any packet that has a source address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.

"A router SHOULD NOT forward any packet that has an invalid IP destination address or a destination address on network 0. A router SHOULD NOT forward, except over a loop-back interface, any packet that has a destination address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.

"If a router discards a packet because of these rules, it SHOULD log at least the IP source address, the IP destination address, and, if the problem was with the source address, the physical interface on which the packet was received and the link Layer address of the hostor router from which the packet was received."

Martian source is network traffic from the wrong subnet appearing on an interface. For example if:

eth0 has IP 192.168.0.1 on subnet 255.255.255.0

eth1 has IP 192.168.1.1 on subnet 255.255.255.0

This means that eth0 should only see IP traffic from IP addresses from its subnet (192.168.0.x) and eth1 should only see traffic from its subnet (192.168.1.x)

If an IP on the network is still configured with a previous network address (202.167.2.34) and is seen on eth1 it will be seen as martian source.

If one of the machines on the network 192.168.0.x is plugged into the wrong switch and is effectively on the same network segment (physical) as eth1, then you will see martian source from that IP address (or you have multiple networks that the Linux box is not aware of)

Martian source is not a major thing, but such messages help making you aware of the fact that something in your network setup is either setup incorrectly, or not configured optimally.

This behavior is controlled by setting in /etc/sysctl.conf

# Controls source route verification

net.ipv4.conf.default.rp_filter = 1

There is a other situation you can see the martian source.

Server 1 Server 2

eth0: 10.249.111.10   netmask 255.255.255.0

eth2: 192.168.111.10 netmask 255.255.255.0

eth2:1: 10.249.111.161 netmask 255.255.255.0

eth0: 10.249.111.11   netmask 255.255.255.0

eth2: 192.168.111.11 netmask 255.255.255.0

eth2:1: 10.249.111.162 netmask 255.255.255.0

Generally connect from server 1 eth0 to server 2 eth2:1 should be ok vice versa. But the kernel on server 2 will report :

IPv4: martian source 10.249.111.162 from 10.249.111.10, on dev eth2
ll header: 00000000: ff ff ff ff ff ff 02 13 02 00 28 7f 08 06 ..........(...

This is just first time the server 1 eth0 attempt to connect server 2 eth2:1 it will report the warning, first time will send arp request package. (When server 1 eth0 lost the server 2 eth2's mac address it will send arp request you will see this warning)

It looks like the kernel will compare with the source address with the eth2 address (192.168.111.xx) then it will find this is a martian source address.

Kernel just printk the source address and the actually destion address "martian source 10.249.111.162 from 10.249.111.10", is this a bug ? I think It should printk the eth2's address, that we know what happen.

What is martian source / martian packets的更多相关文章

  1. redis add 'vm.overcommit_memory = 1' to /etc/sysctl.conf

    w root@well:/etc# vim sysctl.conf #kernel.domainname = example.com # # /etc/sysctl.conf - Configurat ...

  2. MITM Proxy环境搭建

    MITM_Proxy环境搭建 环境要求 系统环境要求: Ubuntu 14.04 x64,CentOS 7 x64以上版本系统(建议使用xubuntu 14.04 x64,稳定硬件要求低) Pytho ...

  3. hadoop2.6.0 + hbase-1.0.0 伪分布配置

    1 基本配置 主机名: 192.168.145.154 hadoop2 ======= 2 etc/hadoop下文件配置 1)core-site.xml <configuration> ...

  4. Linux服务器下nginx的安全配置

    1.一些常识 linux下,要读取一个文件,首先需要具有对文件所在文件夹的执行权限,然后需要对文件的读取权限. php文件的执行不需要文件的执行权限,只需要nginx和php-fpm运行账户的读取权限 ...

  5. Windows Registry Security Check

    catalog . Windows注册表 . Windows注册表包含的攻击向量 . 注册表安全配置基线标定 1. Windows注册表 注册表(Registry,繁体中文版Windows称之为登录档 ...

  6. sysctl kernel parameter Optimization note

    syncookies cookies the connection state,when the ack arrives,then deal with the pause connection,ver ...

  7. nginx服务器中的安全配置

    一.关闭SELinux 安全增强型Linux(SELinux)的是一个Linux内核的功能,它提供支持访问控制的安全政策保护机制. 但是,SELinux带来的附加安全性和使用复杂性上不成比例,性价比不 ...

  8. 20步打造最安全的NGINX WEB服务器

    Nginx 是一个轻量级的,高性能的Web服务器以及反向代理和邮箱(IMAP/POP3)代理服务器.它运行在UNIX,GNU /linux,BSD 各种版本,Mac OS X,Solaris和Wind ...

  9. Linux System Reinforcement、Intrusion Detection Based On syslog

    目录 .文件系统及访问权限 . Linux Syslog . Linux日志审计 . 帐号安全管理 . 基础物理安全 . 系统编译环境安全 . 系统病毒.后门.rootkit安全 . 系统端口.服务安 ...

随机推荐

  1. 用JQuery编写textarea,input,checkbox,select

    今天学习怎样用JQuery编写一些小的代码,小小的试了一下编写一个textarea,代码如下: <!DOCTYPE HTML> <html lang="en"&g ...

  2. Mysql 中 like 查询存在反斜杠的解决办法

    如 要查询   %\ABC\% 应该这样写, 写成四个反斜杠 like '%\\\\ABC\\\\%'

  3. ###使用phpmailer自动邮件提醒

    近期的一个小项目中需要用到邮件自动通知功能,搜了搜,发现phpmailer这个东西大家用的挺多的. 首先去sourceforge下载phpmailer,也可去我的网盘下载,我用的是5.1版本的. 看到 ...

  4. JavaScript对象应用-字符串和图片对象

    1.1 应用 String对象截取特定文字   利用String 对象的charAt() 和 substring() 方法等,截取特定文字或字段文字显示在页面上 <html> <he ...

  5. 11_Servlet的一些细节知识点

    [Servlet的细节知识点1-----一个Servlet映射到多个URL] 同一个Servlet可以被映射到多个URL上,即多个<servlet-mapping>元素的<servl ...

  6. OpenJudge/Poj 1083 Moving Tables

    1.链接地址: http://poj.org/problem?id=1083 http://bailian.openjudge.cn/practice/1083/ 2.题目: 总时间限制: 1000m ...

  7. 如何编写规范,灵活,稳定,高质量的HTML和css代码

    黄金定律 永远遵循同一套编码规范,不管有多少人共同参与同一项目,一定要确保每一行代码都像是同一个人编写的. 语法: 1.用两个空格来代替制表符(tab);2.嵌套元素应当缩进一次(两个空格); 3.对 ...

  8. jquery中交替点击事件toggle方法的使用示例

    jquery中交替点击事件toggle方法中有两个参数,分别是要交替执行的事件.如果不传参默认是显示隐藏功能,下面有个不错的示例,感兴趣的朋友可以参考下 复制代码代码如下: $('#clickId‘) ...

  9. err: exp-00056 rra-12154 exp-00000

    一直用的是win7系统+oracle11g r1 server端(后简称r1). 由于工作需要装了oracle11g r2 client端(后简称r2). 在装r2之前,r1的导出exp是没有问题的. ...

  10. 盗链网易163、腾讯QQ、新浪sina、百度Baidu的图片之PHP独立版

    网易相册频道,网易相册确实是一个高质量图片的地方,而且免费,唯一缺点是很多加了水印,但这个不重要了,无意间发现网易163相册频道的图片是防止盗链的,于是便自己写了一个小程序来突破这个. 本盗链图片最新 ...