原文地址:http://blog.chinaunix.net/space.php?uid=346158&do=blog&id=2131002 

martian source packets(ll header) (2009-05-20 17:05)

分类:  Linux_Security


使用dmesg或者查看/var/log/messages日志中有大量的如下log:
 

martian source 222.73.xxx.255 from 222.73.xxx.173, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:15:17:13:33:66:08:00
martian source 222.73.xxx.255 from 222.73.xxx.173, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:15:17:13:33:66:08:00
martian source 222.73.xxx.255 from 222.73.xxx.173, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:15:17:13:33:66:08:00
martian source 222.73.xxx.255 from 222.73.xxx.176, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:1d:7d:3b:f4:77:08:00
martian source 222.73.xxx.255 from 222.73.xxx.221, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:90:0b:0e:b8:f2:08:00
martian source 222.73.xxx.255 from 222.73.xxx.174, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:15:17:60:33:24:08:00
martian source 222.73.xxx.255 from 222.73.xxx.165, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:1e:8c:c2:49:0a:08:00
martian source 192.168.1.255 from 192.168.1.165, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:00:1e:8c:c2:49:0b:08:00
martian source 192.168.1.255 from 192.168.1.165, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:00:1e:8c:c2:49:0b:08:00
martian source 192.168.1.255 from 192.168.1.165, on dev eth0


 

A martian data packet is a network data packet that has an impossible source or destination IP, such as a packet that claims to have come from the broadcast address, 255.255.255.255. Another example of a martian packet would be if you received a packet from 192.168.0.1 through your networks external gateway. 

IPs in the range of 192.168.* are not routable through gateways, so this situation should never happen. Usually martians are just the result of network misconfigurations or glitches of some sort, but they can be caused by deliberate mangling of the IP packet, such as when trying to hide the real origin of the packets during an attack against a server. If you see just a few martian packet messages then there probably isn’t anything to worry about, but if you see lots of them then take a closer look.

Recent kernels print out the link level header of the packet along with the martian warning, and the header contains the destination and source MAC addresses. In the example below the destination MAC (for the server “aries”) is 00:01:80:23:96:54, and the source MAC (the sender of the martian) is 00:e0:52:14:4d:9d. The “08:00″ at the end just indicates that this header is from an ipv4 over ethernet packet.

Apr 29 09:33:54 aries kernel: martian source 207.44.228.62 from 80.3.32.5, on dev eth0 
Apr 29 09:33:42 aries kernel: ll header: 00:01:80:23:96:54:00:e0:52:14:4d:9d:08:00

If you do see lots of martians being logged, or have some other reason to suspect that the server is being attacked, a good place to look is in the Apache error log file. You may be able to find log entries for the martian IP addresses that record attack attempts. For example, here is an error_log entry recording an attack attempt against the same server that logged the martian shown above.

 

[Mon Apr 28 20:26:18 2003] [error] [client 80.3.32.5] request failed: erroneous 
characters after protocol string: GET /p_w_picpaths/Smilies%20gold%2018×18/shocked.gif 
(.x81cxf3×8axffxffxfdb4xd6a2×1171x94xd7xffxfbx92lxffx8dxe2×05 
x18Gvx8caP;”xxe1qx8cx1ax078Kx1cx0exb1×87

 

So don’t worry too much about the martians, but be on guard lest they actually invade.


其实就是IP spoofing(IP欺骗),意思很明显了,就是:
1. 从外网来的源地址如果是内网地址(192.168.×.*,172.16.*,10.*)则是IP欺骗;
2. 从内网来的源地址如果是公网地址那也是IP欺骗

之所以会有记录这样的日志,是因为我开启了IP spoofing protection。在/etc/sysctl.conf中增加如下:
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.eth0.arp_filter = 1
#default 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 1
#default 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.default.arp_filter = 1
#default 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.arp_filter = 1
#default 0
net.ipv4.conf.all.rp_filter = 1
#default 0

dmesg命令详解

   功能说明:显示开机信息。
语  法:dmesg [-cn][-s <缓冲区大小>]

补充说明:kernel会将开机信息存储 在ring buffer中。您若是开机时来不及查看信息,可利用dmesg来查看。开机信息亦保存在/var/log目录中,名称为dmesg的文件里。

参  数:
-c  显示信息后,清除ring buffer中的内容。 
-s<缓冲区大小>  预设置为8196,刚好等于ring buffer的大小。 
-n  设置记录信息的层级。