Martian source / Martian packets

In Linux, by default, packets are considered individually for routing purposes. Thus, all the routing algorithm determines where to send a packet based on that packet itself, without taking into consideration that the packet may be a response packet of sorts.

In a typical setup, this means that all outgoing traffic is going out over one interface, say, eth0 even if the incoming packet was sent to interface eth1.

One typical side effect of this algorithm is creation of so called "martian packets". A martian packet is an IP packet which specifies a source or destination address that is either reserved for special-use by Internet Assigned Numbers Authority (IANA) or does not belong to the subnet on which this interface exists, and that makes no sense. [RFC 1812]. For example, if two interfaces are connected to two subnets of 10 network, and default router is configured for eth0, then without expisit routing statement you can't respond to the packet send  to eth1, which is not on the local segment for this network.

In other words, a martian packet header source IP address is usually a IP address that iether:

  • should not be routable
  • came from a wrong subnet.

For example, a 127.0.0.0/8 IP address coming through a router, would be labeled as being martian, as such packets should be local only and should not travel via the network.

RFC 1812 defines the term a martian source the following way:

"An IP source address is invalid if it is a special IP address, as defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

"An IP destination address is invalid if it is among those defined as illegal destinations in 4.2.3.1, or is a Class E address (except 255.255.255.255).

"A router SHOULD NOT forward any packet that has an invalid IP source address or a source address on network 0. A router SHOULD NOT forward, except over a loop-back interface, any packet that has a source address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.

"A router SHOULD NOT forward any packet that has an invalid IP destination address or a destination address on network 0. A router SHOULD NOT forward, except over a loop-back interface, any packet that has a destination address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.

"If a router discards a packet because of these rules, it SHOULD log at least the IP source address, the IP destination address, and, if the problem was with the source address, the physical interface on which the packet was received and the link Layer address of the hostor router from which the packet was received."

Martian source is network traffic from the wrong subnet appearing on an interface. For example if:

  1. eth0 has IP 192.168.0.1 on subnet 255.255.255.0
  2. eth1 has IP 192.168.1.1 on subnet 255.255.255.0

This means that eth0 should only see IP traffic from IP addresses from its subnet (192.168.0.x) and eth1 should only see traffic from its subnet (192.168.1.x)

If an IP on the network is still configured with a previous network address (202.167.2.34) and is seen on eth1 it will be seen as martian source.

If one of the machines on the network 192.168.0.x is plugged into the wrong switch and is effectively on the same network segment (physical) as eth1, then you will see martian source from that IP address (or you have multiple networks that the Linux box is not aware of)

Martian source is not a major thing, but such messages help making you aware of the fact that something in your network setup is either setup incorrectly, or not configured optimally.

This behavior is controlled by setting in /etc/sysctl.conf

  1. # Controls source route verification
  2. net.ipv4.conf.default.rp_filter = 1

There is a other situation you can see the martian source.

Server 1 Server 2

eth0: 10.249.111.10   netmask 255.255.255.0

eth2: 192.168.111.10 netmask 255.255.255.0

eth2:1: 10.249.111.161 netmask 255.255.255.0

eth0: 10.249.111.11   netmask 255.255.255.0

eth2: 192.168.111.11 netmask 255.255.255.0

eth2:1: 10.249.111.162 netmask 255.255.255.0

Generally connect from server 1 eth0 to server 2 eth2:1 should be ok vice versa. But the kernel on server 2 will report :

IPv4: martian source 10.249.111.162 from 10.249.111.10, on dev eth2
ll header: 00000000: ff ff ff ff ff ff 02 13 02 00 28 7f 08 06 ..........(...

This is just first time the server 1 eth0 attempt to connect server 2 eth2:1 it will report the warning, first time will send arp request package. (When server 1 eth0 lost the server 2 eth2's mac address it will send arp request you will see this warning)

It looks like the kernel will compare with the source address with the eth2 address (192.168.111.xx) then it will find this is a martian source address.

Kernel just printk the source address and the actually destion address "martian source 10.249.111.162 from 10.249.111.10", is this a bug ? I think It should printk the eth2's address, that we know what happen.

What is martian source / martian packets的更多相关文章

  1. redis add 'vm.overcommit_memory = 1' to /etc/sysctl.conf

    w root@well:/etc# vim sysctl.conf #kernel.domainname = example.com # # /etc/sysctl.conf - Configurat ...

  2. MITM Proxy环境搭建

    MITM_Proxy环境搭建 环境要求 系统环境要求: Ubuntu 14.04 x64,CentOS 7 x64以上版本系统(建议使用xubuntu 14.04 x64,稳定硬件要求低) Pytho ...

  3. hadoop2.6.0 + hbase-1.0.0 伪分布配置

    1 基本配置 主机名: 192.168.145.154 hadoop2 ======= 2 etc/hadoop下文件配置 1)core-site.xml <configuration> ...

  4. Linux服务器下nginx的安全配置

    1.一些常识 linux下,要读取一个文件,首先需要具有对文件所在文件夹的执行权限,然后需要对文件的读取权限. php文件的执行不需要文件的执行权限,只需要nginx和php-fpm运行账户的读取权限 ...

  5. Windows Registry Security Check

    catalog . Windows注册表 . Windows注册表包含的攻击向量 . 注册表安全配置基线标定 1. Windows注册表 注册表(Registry,繁体中文版Windows称之为登录档 ...

  6. sysctl kernel parameter Optimization note

    syncookies cookies the connection state,when the ack arrives,then deal with the pause connection,ver ...

  7. nginx服务器中的安全配置

    一.关闭SELinux 安全增强型Linux(SELinux)的是一个Linux内核的功能,它提供支持访问控制的安全政策保护机制. 但是,SELinux带来的附加安全性和使用复杂性上不成比例,性价比不 ...

  8. 20步打造最安全的NGINX WEB服务器

    Nginx 是一个轻量级的,高性能的Web服务器以及反向代理和邮箱(IMAP/POP3)代理服务器.它运行在UNIX,GNU /linux,BSD 各种版本,Mac OS X,Solaris和Wind ...

  9. Linux System Reinforcement、Intrusion Detection Based On syslog

    目录 .文件系统及访问权限 . Linux Syslog . Linux日志审计 . 帐号安全管理 . 基础物理安全 . 系统编译环境安全 . 系统病毒.后门.rootkit安全 . 系统端口.服务安 ...

随机推荐

  1. iOS UIView 快速修改 frame,

    在iOS开发布局修改 frame 时需要繁琐的代码实现,今天偶尔看到一播客说到快速修改的 frame 的方法,自己动手写了一遍实现代码. 快速实现主要通过 添加类目的方式,对UIView 控件添加了一 ...

  2. InstallShield : 如何查找编译后的 Merge Module存放路径

    工程菜单栏中依次选择  Tools ---> Options… ,选择 Merge Modules tab 页,如下,就会看到Merge Module的存放路径,也可以根据需求修改. Merge ...

  3. (转)使用inotify、inotify_add_watch、inotify_rm_watch、read编写监控程序

    转自:http://blog.csdn.net/myarrow/article/details/7096460 inotify是什么 inotify是文件系统变化通知机制,在监听到文件系统变化后,会向 ...

  4. OpenJudge/Poj 2105 IP Address

    1.链接地址: http://poj.org/problem?id=2105 http://bailian.openjudge.cn/practice/2105 2.题目: IP Address Ti ...

  5. 简单模拟struts2核心控制器利用反射原理实现参数传递和物理视图跳转

    在能够运用struts2框架进行简单网站开发后,对struts2的一些较原框架强大的功能希望有更深刻的理解,于是尝试从底层开始摸索,本文就在重新学习struts2后,利用简单代码对核心控制器的主要功能 ...

  6. Linux C 程序 两变量值交换(FIVE)

    example:1.运算符: #include<stdio.h> int main(){ int a , b , c ,d ; a = ; b = a++;//先赋值给b,a再自增 c = ...

  7. Web前端新人笔记之jquery入门

    本章将为大家介绍以下几点内容: 1.jquery的主要特点: 2.建立jquery的编码环境: 3.简单jquery脚本示例: 4.选择jquery而不是纯javaScript的理由: 5.常用的jq ...

  8. 相册弹窗(基于zepto.js)

    //放大图片 $(page).on('click','.popupImage img',function () { var that = $(this); that.popupImage({ this ...

  9. openwrt虚拟机的network unreachable

    之前在hyper-v中装了openwrt的ATTITUDE ADJUSTMENT (12.09, r36088)这个最新版本 我之前的文章有提到怎么安装 link 但是发现用opkg update不能 ...

  10. javascript 上传 预览图片 兼容 谷歌 ie

    最近的项目要用到这块,但是在网上找了很多资料,很多都是假的,都不行,最后终于找到一个,还是可以兼容主流的,特分享给大家,可以用 <!DOCTYPE html PUBLIC "-//W3 ...