Martian source / Martian packets

In Linux, by default, packets are considered individually for routing purposes. Thus, all the routing algorithm determines where to send a packet based on that packet itself, without taking into consideration that the packet may be a response packet of sorts.

In a typical setup, this means that all outgoing traffic is going out over one interface, say, eth0 even if the incoming packet was sent to interface eth1.

One typical side effect of this algorithm is creation of so called "martian packets". A martian packet is an IP packet which specifies a source or destination address that is either reserved for special-use by Internet Assigned Numbers Authority (IANA) or does not belong to the subnet on which this interface exists, and that makes no sense. [RFC 1812]. For example, if two interfaces are connected to two subnets of 10 network, and default router is configured for eth0, then without expisit routing statement you can't respond to the packet send  to eth1, which is not on the local segment for this network.

In other words, a martian packet header source IP address is usually a IP address that iether:

  • should not be routable
  • came from a wrong subnet.

For example, a 127.0.0.0/8 IP address coming through a router, would be labeled as being martian, as such packets should be local only and should not travel via the network.

RFC 1812 defines the term a martian source the following way:

"An IP source address is invalid if it is a special IP address, as defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

"An IP destination address is invalid if it is among those defined as illegal destinations in 4.2.3.1, or is a Class E address (except 255.255.255.255).

"A router SHOULD NOT forward any packet that has an invalid IP source address or a source address on network 0. A router SHOULD NOT forward, except over a loop-back interface, any packet that has a source address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.

"A router SHOULD NOT forward any packet that has an invalid IP destination address or a destination address on network 0. A router SHOULD NOT forward, except over a loop-back interface, any packet that has a destination address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.

"If a router discards a packet because of these rules, it SHOULD log at least the IP source address, the IP destination address, and, if the problem was with the source address, the physical interface on which the packet was received and the link Layer address of the hostor router from which the packet was received."

Martian source is network traffic from the wrong subnet appearing on an interface. For example if:

eth0 has IP 192.168.0.1 on subnet 255.255.255.0
eth1 has IP 192.168.1.1 on subnet 255.255.255.0

This means that eth0 should only see IP traffic from IP addresses from its subnet (192.168.0.x) and eth1 should only see traffic from its subnet (192.168.1.x)

If an IP on the network is still configured with a previous network address (202.167.2.34) and is seen on eth1 it will be seen as martian source.

If one of the machines on the network 192.168.0.x is plugged into the wrong switch and is effectively on the same network segment (physical) as eth1, then you will see martian source from that IP address (or you have multiple networks that the Linux box is not aware of)

Martian source is not a major thing, but such messages help making you aware of the fact that something in your network setup is either setup incorrectly, or not configured optimally.

This behavior is controlled by setting in /etc/sysctl.conf

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

There is a other situation you can see the martian source.

Server 1 Server 2

eth0: 10.249.111.10   netmask 255.255.255.0

eth2: 192.168.111.10 netmask 255.255.255.0

eth2:1: 10.249.111.161 netmask 255.255.255.0

eth0: 10.249.111.11   netmask 255.255.255.0

eth2: 192.168.111.11 netmask 255.255.255.0

eth2:1: 10.249.111.162 netmask 255.255.255.0

Generally connect from server 1 eth0 to server 2 eth2:1 should be ok vice versa. But the kernel on server 2 will report :

IPv4: martian source 10.249.111.162 from 10.249.111.10, on dev eth2
ll header: 00000000: ff ff ff ff ff ff 02 13 02 00 28 7f 08 06 ..........(...

This is just first time the server 1 eth0 attempt to connect server 2 eth2:1 it will report the warning, first time will send arp request package. (When server 1 eth0 lost the server 2 eth2's mac address it will send arp request you will see this warning)

It looks like the kernel will compare with the source address with the eth2 address (192.168.111.xx) then it will find this is a martian source address.

Kernel just printk the source address and the actually destion address "martian source 10.249.111.162 from 10.249.111.10", is this a bug ? I think It should printk the eth2's address, that we know what happen.

What is martian source / martian packets的更多相关文章

  1. redis add 'vm.overcommit_memory = 1' to /etc/sysctl.conf

    w root@well:/etc# vim sysctl.conf #kernel.domainname = example.com # # /etc/sysctl.conf - Configurat ...

  2. MITM Proxy环境搭建

    MITM_Proxy环境搭建 环境要求 系统环境要求: Ubuntu 14.04 x64,CentOS 7 x64以上版本系统(建议使用xubuntu 14.04 x64,稳定硬件要求低) Pytho ...

  3. hadoop2.6.0 + hbase-1.0.0 伪分布配置

    1 基本配置 主机名: 192.168.145.154 hadoop2 ======= 2 etc/hadoop下文件配置 1)core-site.xml <configuration> ...

  4. Linux服务器下nginx的安全配置

    1.一些常识 linux下,要读取一个文件,首先需要具有对文件所在文件夹的执行权限,然后需要对文件的读取权限. php文件的执行不需要文件的执行权限,只需要nginx和php-fpm运行账户的读取权限 ...

  5. Windows Registry Security Check

    catalog . Windows注册表 . Windows注册表包含的攻击向量 . 注册表安全配置基线标定 1. Windows注册表 注册表(Registry,繁体中文版Windows称之为登录档 ...

  6. sysctl kernel parameter Optimization note

    syncookies cookies the connection state,when the ack arrives,then deal with the pause connection,ver ...

  7. nginx服务器中的安全配置

    一.关闭SELinux 安全增强型Linux(SELinux)的是一个Linux内核的功能,它提供支持访问控制的安全政策保护机制. 但是,SELinux带来的附加安全性和使用复杂性上不成比例,性价比不 ...

  8. 20步打造最安全的NGINX WEB服务器

    Nginx 是一个轻量级的,高性能的Web服务器以及反向代理和邮箱(IMAP/POP3)代理服务器.它运行在UNIX,GNU /linux,BSD 各种版本,Mac OS X,Solaris和Wind ...

  9. Linux System Reinforcement、Intrusion Detection Based On syslog

    目录 .文件系统及访问权限 . Linux Syslog . Linux日志审计 . 帐号安全管理 . 基础物理安全 . 系统编译环境安全 . 系统病毒.后门.rootkit安全 . 系统端口.服务安 ...

随机推荐

  1. AppWidgetProvider生命周期

    1.在桌面上添加小部件,让小部件可用会调用:onEnabled 2.作为通知会调用onReceive 3.小部件可用后会调用onUpdate,表明小部件状态由不可用变为可用发生了变化 4.作为通知又会 ...

  2. linux系统文件属性

    1  硬链接概念 硬链接是指通过索引节点(Inode)来进行链接,在Linux(ext2,ext3)文件系统中,保存在磁盘分区中的文件不管是什么类型都会给它分配一个编号,这个编号被称为索引节点编号(I ...

  3. selenium2.0处理case实例(二)

    本文通过具体代码处理过程, 来展示selenium中一些比较不常用的类的用法 1.javascriptExcutor,通过将driver强转成JavascriptExecutor类型, 调用execu ...

  4. json转换(c#后台生成json的方法)

    此文转自:http://bbs.csdn.net/topics/380200497,为了方便自己记忆才以文章形式保存. using System; using System.Collections.G ...

  5. 11_Servlet基础知识

    [概念] Servlet通常被称为服务端小程序,是运行在服务端的程序,用于处理及相应客户端的请求. Servlet是用java语言开发网页动态资源的技术. [特点] 1.Servlet是个特殊的Jav ...

  6. SQL 不同的数据类型

    SQL 不同的数据类型 1.SQL TEXT 2.SQL VARCHAR(SIZE) VARCHAR(X) Case: user name, email, country, subject, pass ...

  7. InstallShield: Component-Feature Associations

    Quote from: http://helpnet.installshield.com/installshield16helplib/IHelpFeatAssociateComponents.htm ...

  8. Mustache

    简要介绍 玩过node的人应该都知道ejs,jade. mustache和他们一样都是模板渲染引擎,我个人喜欢mustache,因为他非常简洁,代码量才600多行. mustache既可以在前端使用, ...

  9. 【应用】:shell crontab定时生成oracle表的数据到txt文件,并上传到ftp

    一.本人环境描述      1.oracle服务端装在win7 32位上,oracle版本为10.2.0.1.0      2.Linux为centos6.5 32位,安装在Oracle VM Vir ...

  10. c#WebBrowser进阶

    WebBrowser的基本功能就是访问网页,但是由于它本身就不在主线程上面,所以程序判断它什么时候加载完成了,比较麻烦.为此我集合从网上找到的内容,做了一个例子. 其中包括了给WebBrowser设置 ...