
Re: attack of the marsians



On Tue, 11 Jun 2002, Proud Debian-User wrote:
> Jun 11 19:01:14 abyss kernel: martian source 10.10.151.255 from
> 10.10.151.43, on dev eth0
> Jun 11 19:03:19 abyss kernel: martian source 10.10.150.1 from 10.10.151.43,
> on dev eth0
> 
> In the last 5 days these logging messages have increased.
> Normally I ignore them, but now there are 7 machines in my net with these
> packets.
> I'm wondering if this is a sign of a trojan or virus.

RFC 1812 (following RFC 1716) defines a "martian" packet as a packet which
contains an invalid source or destination address. For source addresses,
this means:

   An IP source address is invalid if it is a special IP address, as
   defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

For example, 127.0.0.1 is the loopback address, so you should never get a
packet addressed to 127.0.0.1 turning up at the router. If you do,
something's messed up.

10.10.151.255 is an invalid source address if your computer considers
10.10.151.0/24 to be the local network, since the host part is 255, which
means "broadcast"; obviously that can't be a source address. I'm not sure
how 10.10.150.1 can be considered invalid, though.

T
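
Added example, not part of the original message: a small checker that applies the source-address rule described above to every address appearing in log lines of this shape, and shows that the "broadcast" verdict depends on which prefix the host considers local. The function names, the constructed sample log and the rule list (a simplified reading of the special addresses in RFC 1812 sections 4.2.2.11 and 5.3.7) are assumptions of the example.

```python
import ipaddress
import re

# Simplified reading of the special addresses in RFC 1812 4.2.2.11 / 5.3.7
# (assumption of this example, not an exhaustive martian filter).
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
RESERVED = ipaddress.ip_network("240.0.0.0/4")  # includes 255.255.255.255


def source_problem(addr, local_net):
    """Return why addr is invalid as a source on local_net, or None if it is fine."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(local_net)
    if ip in THIS_NETWORK:
        return "this-network (0.0.0.0/8)"
    if ip in LOOPBACK:
        return "loopback"
    if ip in MULTICAST:
        return "multicast, not unicast"
    if ip in RESERVED:
        return "reserved or limited broadcast"
    # Host part all ones: only meaningful relative to the local prefix length.
    if net.prefixlen < 31 and ip == net.broadcast_address:
        return "directed broadcast of " + str(net)
    return None


# Constructed sample modelled on the log format quoted in the thread.
SAMPLE_LOG = """\
Jun 11 19:01:14 host kernel: martian source 10.10.151.255 from 10.10.151.43, on dev eth0
Jun 11 19:03:19 host kernel: martian source 10.10.150.1 from 10.10.151.43, on dev eth0
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def audit(log_text, local_net):
    """Map every IPv4 address seen in the log to its problem (or None)."""
    return {a: source_problem(a, local_net) for a in IPV4.findall(log_text)}


if __name__ == "__main__":
    for net in ("10.10.151.0/24", "10.10.0.0/16"):
        print(net)
        for addr, why in audit(SAMPLE_LOG, net).items():
            print(f"  {addr:15} {why or 'valid unicast source'}")
```

With a /24 local network 10.10.151.255 is flagged as the directed broadcast; with a /16 the same address is an ordinary host, so the interface's configured netmask is worth checking alongside the log.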


