Re: Martian Source

From: Seth Arnold (sarnold_at_wirex.com)
Date: 05/01/03

    Date: Thu, 1 May 2003 10:22:12 -0700
    To: "Javier Togra A." <jtogra@inocar.mil.ec>
    
    
    

    On Wed, Apr 30, 2003 at 09:06:53AM -0500, Javier Togra A. wrote:
    > kernel: ll header: ff:ff:ff:ff:ff:ff:00:0a:04:b3:83:c0:08:06
    > kernel: martian source 255.255.255.255 from 169.254.207.9, on dev eth0
    > kernel: ll header: ff:ff:ff:ff:ff:ff:00:0a:04:b3:82:40:08:00
    > kernel: martian source 169.254.207.9 from 169.254.207.9, on dev eth0
    >
    > Could someone tell me what it means, and what I can do?

    Martian packets are simply ones the kernel can _easily_ tell are
    spoofed or otherwise incorrect.

    You'll notice the first one has the source set to the local-net
    broadcast address -- obviously an incorrect packet. (When devices are
    attempting to discover their IP address, they use a source address of
    zeros and send _to_ the local-net broadcast address.)

    The second packet has a source address set to the IP address of the
    network interface that received the packet -- obviously an incorrect
    packet.

    I'd classify these as "mostly harmless" -- if you have security problems
    that are remotely exploitable, chances are good the attacker already
    knows about them. If you don't have any remotely exploitable security
    problems, these are really nothing to be afraid of.

    There isn't a lot you can do, aside from tracing the link-level header
    (reporting ethernet MAC pairs of source and destination, I don't recall
    in which order) and finding the machine that is injecting these bad packets
    onto the network.

    -- 
    "Learning curve encryption is much more powerful than
    elliptical curve encryption." -- Alan Olsen
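
The link-level header tracing suggested in the message above, as an added example that is not part of the original post. It assumes the "ll header" bytes are a 14-byte Ethernet header, which is laid out as destination MAC, source MAC, then EtherType; the function names are hypothetical and the sample is the log quoted in the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Log lines quoted in the message above.
SAMPLE = """\
kernel: ll header: ff:ff:ff:ff:ff:ff:00:0a:04:b3:83:c0:08:06
kernel: martian source 255.255.255.255 from 169.254.207.9, on dev eth0
kernel: ll header: ff:ff:ff:ff:ff:ff:00:0a:04:b3:82:40:08:00
kernel: martian source 169.254.207.9 from 169.254.207.9, on dev eth0
"""

# Exactly 14 colon-separated octets; anything else is not treated as Ethernet.
LL_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})\s*$", re.I)
MARTIAN_RE = re.compile(r"martian source ([\d.]+) from ([\d.]+), on dev (\S+)")
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}

def parse_ll_header(line):
    """Split an Ethernet header into destination MAC, source MAC, EtherType."""
    m = LL_RE.search(line)
    if not m:
        return None
    octets = m.group(1).lower().split(":")
    ethertype = int("".join(octets[12:14]), 16)
    return {"dst": ":".join(octets[:6]), "src": ":".join(octets[6:12]),
            "ethertype": ETHERTYPES.get(ethertype, hex(ethertype))}

def summarize(log_text):
    """Count the sending MACs and the 'from' addresses the kernel logged."""
    senders, from_addrs = Counter(), Counter()
    for line in log_text.splitlines():
        hdr = parse_ll_header(line)
        if hdr:
            senders[(hdr["src"], hdr["ethertype"])] += 1
            continue
        m = MARTIAN_RE.search(line)
        if m:
            from_addrs[(m.group(2), m.group(3))] += 1
    return senders, from_addrs

if __name__ == "__main__":
    senders, from_addrs = summarize(SAMPLE)
    for (mac, etype), n in senders.most_common():
        print(f"{n} frame(s) sent by {mac} ({etype})")
    for (addr, dev), n in from_addrs.most_common():
        note = " (link-local, RFC 3927)" if ip_address(addr).is_link_local else ""
        print(f"{n} report(s) from {addr} on {dev}{note}")
```

The source MACs it reports are the values to look up in the switch's MAC address table to find the port the offending machine is attached to.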
    
    


