Linux: Log Suspicious Martian Packets / Un-routable Source Addresses

Author: Vivek Gite Last updated: July 11, 2018 4 comments

I run a web-server, and I would like to log packets with un-routable source addresses on Linux operating system. How can I log spoofed packets on a Debian, Ubuntu, CentOS/RHEL or any Linux based server? How can I log a Martian packet (packet from Mars) on Linux operating systems?

Introduction: A Martian packet is nothing but an IP packet which specifies a source or destination address that is reserved for special-use by Internet Assigned Numbers Authority (IANA). Here are examples of such address blocks:[donotprint]

Tutorial details
Difficulty	Advanced (rss)
Root privileges	Yes
Requirements	None
Time	15m

[/donotprint]

10.0.0.0/8
100.64.0.0/10
172.16.0.0/12
192.0.0.0/24
192.168.0.0/16
127.0.0.0/8
224.0.0.0/4
240.0.0.0/4
::/128
::/96
::1/128

See “Reserved IP addresses” for more info.

Linux: Log Suspicious Martian Packets

On the public Internet, such a packet’s (Martian) source address is either spoofed, and it cannot originate as claimed, or the packet cannot be delivered. Both IPv4 and IPv6, martian packets have a source or destination addresses within special-use ranges as per RFC 6890.

What is the usefulness of logging of martians packets

As I said earlier a martian packet is a packet with a source address that cannot be routed over the public Internet. Such a packet is waste of resources on your server. Often martian and unroutable packet used for a dangerous purpose or DoS/DDOS your server. So you must drop bad martian packet earlier and log into your server for further inspection.

How can I log Martian packets on Linux?

You need to use sysctl command command to view or set Linux kernel variables that can logs packets with un-routable source addresses to the kernel log file such as /var/log/messages.

See current settings

Type the following sysctl command with sudo command or run it as root user:
# sysctl -a| grep martians $ sudo sysctl -a| grep martians
Sample outputs:

Fig. 01: Find out if suspicious packets are logged or not on Linux

Value 0 indicates that the suspicious martian packets are not logged on the system.

How do I log suspicious martian packets on Linux?

You need to set the following variables to 1 in /etc/sysctl.conf file:

net.ipv4.conf.all.log_martians
net.ipv4.conf.default.log_martians

Edit file /etc/sysctl.conf, enter:
# vi /etc/sysctl.conf
Append/edit as follows:

net.ipv4.conf.all.log_martians=1 
net.ipv4.conf.default.log_martians=1

Save and close the file. To load changes, type:
# sysctl -p

How can I modify active kernel parameters on command line?

Alternatively, you can toggle active kernel parameters using the following bash for loop syntax:

## Grab all Linux kernel vars in $x ##
x=$(sysctl -a| grep martians | awk '{ print $1}')
## Just display it on screen ##
echo "$x"
 
## Alright, toggle all vars to 1 or 0 as per your requirements ##
for i in $x
do
   /sbin/sysctl -w ${i}=1
done
 
## Verify settings ##
sysctl -a| grep martians

Sample outputs:

Fig.02: Bash for loop to log suspicious packets

How can I see logged suspicious martian packets logs on Linux?

Use the grep command as follows:

cd /var/log
grep -i --color martian messages*

Sample outputs:

messages-20120101:Dec 31 09:25:45 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.106.25, on dev eth1
messages-20120101:Dec 31 09:25:53 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.106.25, on dev eth1
messages-20120101:Dec 31 09:26:10 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.106.25, on dev eth1
messages-20120101:Dec 31 14:04:12 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1
messages-20120101:Dec 31 14:04:14 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1
messages-20120101:Dec 31 14:04:18 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1
messages-20120101:Dec 31 14:04:22 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1
messages-20120101:Dec 31 14:04:26 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1
messages-20120101:Dec 31 14:04:34 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1
messages-20120101:Dec 31 14:04:50 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1
messages-20120101:Jan  1 00:01:59 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1
messages-20120101:Jan  1 00:02:00 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1
messages-20120101:Jan  1 00:02:02 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1
messages-20120101:Jan  1 00:02:06 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1
messages-20120101:Jan  1 00:02:10 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1
messages-20120101:Jan  1 00:02:14 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1
messages-20120101:Jan  1 00:02:22 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1
messages-20120101:Jan  1 00:02:38 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1

How do I block martian packets using firewall?

See how to use iptables to block spoofing and bad address attack that tries to fool the server and try to claim that packets had come from local address/network.

Log and drop packets with suspicious source addresses

## eth1 is wan port on server ##
/sbin/iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
/sbin/iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
/sbin/iptables -A INPUT -i eth1 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
/sbin/iptables -A INPUT -i eth1 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
/sbin/iptables -A INPUT -i eth1 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
 
/sbin/iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
/sbin/iptables -A INPUT -i eth1 -s 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -i eth1 -s 240.0.0.0/5 -j DROP
/sbin/iptables -A INPUT -i eth1 -d 127.0.0.0/8 -j DROP
 
/sbin/iptables-save > /root/my-iptables.rules

Conclusion

You just learned how to block and log suspicious martian packets on Linux operating systems. For more info see the following pages:

Linux Kernel /etc/sysctl.conf Security Hardening
martian – A packet sent on a TCP/IP network with a source address of the test loopback interface [127.0.0.1]. This means that it will come back labeled with a source address that is clearly not of this earth. “The domain server is getting lots of packets from Mars. Does that gateway have a martian filter?”

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 4 comments so far... add one ↓

Related Tutorials

Category	List of Unix and Linux commands
File Management	cat
Firewall	Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04
Network Utilities	dig • host • ip • nmap
OpenVPN	CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04
Package Manager	apk • apt
Processes Management	bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time
Searching	grep • whereis • which
User Information	groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w
WireGuard VPN	Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04

4 comments… add one

Sri Feb 19, 2014 @ 13:51
Do you really need to use grep?
```
x=$(sysctl -a| grep martians | awk '{ print $1}')
```
Set good example and not bad one:
```
x="$(sysctl -a| awk '/martians/{ print $1}')"
```
Reply Link
Revil Feb 20, 2014 @ 1:39

There will be error output on my Ubuntu-12.04 machines. I would recommend suppressing them:

x=”$(sysctl -a 2>/dev/null | awk ‘/martians/{ print $1}’)”

Reply Link
Darren Mar 25, 2015 @ 18:55

A martian packet can also be if there’s another system on the network with your IPv4 or IPv6 address.

For example, I sometime see the following on my Linux keepalived active node, which is actually packets from my standby node which shares a failover VIP when the primary is down:
martian source 123.45.67.89 from 123.45.67.89, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:ab:cd:ef:01:23:45:08:06
ICMPv6 NA: someone advertises our address 2001:1234:5678:0001:0000:0000:0000:0020 on eth0!
martian source 123.45.67.89 from 123.45.67.89, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:ab:cd:ef:01:23:45:08:06
ICMPv6 NA: someone advertises our address 2001:1234:5678:0001:0000:0000:0000:0020 on eth0!
ICMPv6 NA: someone advertises our address 2001:1234:5678:0001:0000:0000:0000:0020 on eth0!
ICMPv6 NA: someone advertises our address 2001:1234:5678:0001:0000:0000:0000:0020 on eth0!
ICMPv6 NA: someone advertises our address 2001:1234:5678:0001:0000:0000:0000:0020 on eth0!
martian source 123.45.67.89 from 123.45.67.89, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:ab:cd:ef:01:23:45:08:06
martian source 123.45.67.89 from 123.45.67.89, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:ab:cd:ef:01:23:45:08:06
martian source 123.45.67.89 from 123.45.67.89, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:ab:cd:ef:01:23:45:08:06

The “ll header” contains “ff:ff:ff:ff:ff:ff:” which means broadcast, “ab:cd:ef:01:23:45” which is the mac address of my standby node, and “08:06”, which means ARP request.
I “assume” this is ok, as I haven’t seen any issues.
If I didn’t know the MAC then I’d be worried.

Reply Link
ThorstenS Feb 16, 2016 @ 10:48

1liner:
sudo sysctl -a 2>/dev/null | awk '/martians/ && $3~"0"{print "sudo /sbin/sysctl -w "$1"=1"}' | sh

Reply Link

Use HTML <pre>...</pre> for code samples. Problem posting comment? Email me @ webmaster@cyberciti.biz