Linux: Log Suspicious Martian Packets / Un-routable Source Addresses

I run a web-server and I would like to log packets with un-routable source addresses on a Linux operating system. How can I log spoofed packets on a Debian / Ubuntu / CentOS / RHEL / Linux based server? How can I log a Martian packet (a packet from Mars) on Linux operating systems?

 

A Martian packet is an IP packet whose source or destination address is reserved for special use by the Internet Assigned Numbers Authority (IANA) and therefore cannot legitimately appear on the public Internet. The Linux kernel uses the term a little more widely: it also calls a packet martian when its source address could not have arrived on the interface it came in on (for example, a source the host would route back out a different interface). Here are examples of reserved address blocks:

10.0.0.0/8

127.0.0.0/8

224.0.0.0/4

240.0.0.0/4

::/128

::/96

::1/128

How can I log Martian packets on Linux?

You need to use the sysctl command to view or set the Linux kernel parameters that log packets with un-routable source addresses to the kernel log: /var/log/messages on CentOS/RHEL, /var/log/kern.log or /var/log/syslog on Debian/Ubuntu, and "journalctl -k" or "dmesg" on any systemd-based system. The messages are only produced by a kernel built with CONFIG_IP_ROUTE_VERBOSE, which the major distributions enable.

See current settings

Type the following command:

# sysctl -a | grep martians

 

Sample outputs:

Fig. 01: Find out if suspicious packets are logged or not on Linux

Value 0 indicates that suspicious martian packets are not logged on the system; 1 turns logging on. The kernel ORs net.ipv4.conf.all.log_martians with the per-interface value, so setting "all" to 1 enables logging on every interface; the "default" entry only seeds interfaces that are created later.

How do I log suspicious martian packets on Linux?

You need to set the following variables to 1 in the /etc/sysctl.conf file (or in a drop-in file under /etc/sysctl.d/ on distributions that ship that directory). Be aware of what log_martians can and cannot see: on its own it reports sources the routing code rejects on any interface (loopback, multicast, 0.0.0.0/8, 255.255.255.255, or one of the host's own addresses). With net.ipv4.conf.all.rp_filter set to 1 as well, a source that the host would route back out a different interface is also logged, which is how a router with a 10.0.0.0/8 LAN catches 10.x.x.x sources on its WAN port. A single-homed server routes every source via its default route, so rp_filter cannot flag spoofed private sources there; that is what the iptables rules later in this article are for.

net.ipv4.conf.all.log_martians

net.ipv4.conf.default.log_martians

Edit file /etc/sysctl.conf, enter:

# vi /etc/sysctl.conf

 

Append/edit as follows:

net.ipv4.conf.all.log_martians=1

net.ipv4.conf.default.log_martians=1

Save and close the file. To load the changes, type:

# sysctl -p

On systems that also read /etc/sysctl.d/*.conf, "sysctl --system" loads /etc/sysctl.conf and every drop-in file at once.

How can I modify active kernel parameters on the command line?

Alternatively, you can toggle the running kernel's parameters (the change is not persistent and is lost at reboot) using the following bash for loop syntax:

## Grab the names of all matching kernel vars in $x ##
x=$(sysctl -a 2>/dev/null | grep log_martians | awk '{ print $1 }')

## Just display them on screen ##
echo "$x"

## Alright, toggle all vars to 1 (or 0) as per your requirements ##
for i in $x
do
    /sbin/sysctl -w "${i}=1"
done

## Verify settings ##
sysctl -a 2>/dev/null | grep log_martians

Sample outputs:

Fig.02: Bash for loop to log suspicious packets
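The two procedures above (the persistent /etc/sysctl.conf edit and the live sysctl -w loop) can be combined into one script that writes a drop-in, pairs log_martians with rp_filter, and verifies the live values. This is an added example, not code from the original article; the drop-in path, the function names and the assumption that "sysctl --system" reads /etc/sysctl.d/*.conf are ours.

```shell
#!/bin/bash
# Added example (not from the original article): enable martian logging
# persistently, pair it with reverse-path filtering, and verify the live
# values. Assumes a distribution whose `sysctl --system` reads
# /etc/sysctl.d/*.conf. Drop-in path and function names are ours.
set -u

MARTIAN_DROPIN=${MARTIAN_DROPIN:-/etc/sysctl.d/60-log-martians.conf}

# Keys to manage. log_martians alone reports the sources the routing code
# rejects on any interface: loopback, multicast, 0.0.0.0/8,
# 255.255.255.255, or one of the host's own addresses. rp_filter=1 (strict)
# additionally flags a source that would be routed back out a *different*
# interface, e.g. a 10.x.x.x source on the WAN port of a router whose LAN
# is 10/8. A single-homed server routes every source via its default
# route, so rp_filter cannot catch spoofed private sources there (use the
# iptables bogon rules for that). rp_filter=2 (loose) suits asymmetric
# routing.
martian_sysctl_keys() {
    cat <<'EOF'
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
EOF
}

# Write the drop-in file. $1 overrides the path (useful for staging/tests).
write_martian_dropin() {
    local path=${1:-$MARTIAN_DROPIN}
    {
        echo '# Log packets with impossible source addresses (see: journalctl -k).'
        echo '# Messages are rate limited by net.core.message_cost / message_burst.'
        martian_sysctl_keys
    } >"$path"
}

# Compare each key's live value (sysctl -n) with the wanted value.
# Prints one line per mismatch and returns 1 if any key is off or missing.
check_martian_sysctls() {
    local rc=0 key want live
    while IFS='=' read -r key want; do
        if ! live=$(sysctl -n "$key" 2>/dev/null); then
            echo "$key: not present"
            rc=1
        elif [ "$live" != "$want" ]; then
            echo "$key: live=$live wanted=$want"
            rc=1
        fi
    done <<EOF
$(martian_sysctl_keys)
EOF
    return $rc
}

# Usage (as root):
#   write_martian_dropin && sysctl --system >/dev/null && check_martian_sysctls
# check_martian_sysctls prints nothing and returns 0 once every key is set.
```

Run check_martian_sysctls from a cron job or a configuration-management handler so a later kernel upgrade or a stray "sysctl -w" cannot silently turn the logging off again.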

How can I see logged suspicious martian packets logs on Linux?

Use the grep command as follows (on Debian/Ubuntu the messages land in /var/log/kern.log or /var/log/syslog instead of messages*; on a systemd host "journalctl -k | grep -i martian" or "dmesg | grep -i martian" works regardless of the syslog layout):

cd /var/log
grep -i --color martian messages*

Sample outputs. Read each line as "martian source <destination> from <source>, on dev <interface>": the first address is where the packet was going (here the router's public IP) and the address after "from" is the suspicious source. The kernel throttles these messages through net_ratelimit(), governed by net.core.message_cost and net.core.message_burst, so a real flood produces far fewer log lines than packets:

messages-20120101:Dec 31 09:25:45 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.106.25, on dev eth1

messages-20120101:Dec 31 09:25:53 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.106.25, on dev eth1

messages-20120101:Dec 31 09:26:10 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.106.25, on dev eth1

messages-20120101:Dec 31 14:04:12 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1

messages-20120101:Dec 31 14:04:14 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1

messages-20120101:Dec 31 14:04:18 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1

messages-20120101:Dec 31 14:04:22 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1

messages-20120101:Dec 31 14:04:26 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1

messages-20120101:Dec 31 14:04:34 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1

messages-20120101:Dec 31 14:04:50 nixcraft-router kernel: martian source 74.xx.47.yy from 10.1.97.141, on dev eth1

messages-20120101:Jan  1 00:01:59 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1

messages-20120101:Jan  1 00:02:00 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1

messages-20120101:Jan  1 00:02:02 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1

messages-20120101:Jan  1 00:02:06 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1

messages-20120101:Jan  1 00:02:10 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1

messages-20120101:Jan  1 00:02:14 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1

messages-20120101:Jan  1 00:02:22 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1

messages-20120101:Jan  1 00:02:38 nixcraft-router kernel: martian source 74.xx.47.yy from 10.13.105.141, on dev eth1
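Grepping shows the raw lines; for more than a handful it helps to aggregate them by interface and source and to say which reserved block each source falls in. The script below does that over constructed sample lines in the kernel's format. It is an added example and not part of the original article; the function names are ours, the sample entries are made up (documentation addresses, not real traffic), and the block list extends the article's with the remaining RFC 6890 special-use ranges.

```shell
#!/bin/sh
# Added example, not from the original article: summarise "martian source"
# messages by interface and source address and name the reserved block the
# source falls in. Reads syslog / journalctl -k / dmesg lines on stdin.
# Function names are ours.

# Classify a dotted-quad IPv4 source. Ranges: the article's list plus the
# other RFC 6890 special-use blocks. Anything else is a routable address
# the kernel rejected for failing the reverse-path / local-address check.
classify_src() {
    awk -v ip="$1" 'BEGIN {
        split(ip, o, ".")
        a = o[1] + 0; b = o[2] + 0
        if (a == 0)                               print "this-host(0/8)"
        else if (a == 10)                         print "rfc1918(10/8)"
        else if (a == 100 && b >= 64 && b <= 127) print "cgnat(100.64/10)"
        else if (a == 127)                        print "loopback(127/8)"
        else if (a == 169 && b == 254)            print "link-local(169.254/16)"
        else if (a == 172 && b >= 16 && b <= 31)  print "rfc1918(172.16/12)"
        else if (a == 192 && b == 168)            print "rfc1918(192.168/16)"
        else if (a >= 224 && a <= 239)            print "multicast(224/4)"
        else if (a >= 240)                        print "reserved(240/4)"
        else                                      print "routable(rp-check)"
    }'
}

# One line per (interface, source, destination), busiest first:
#   count dev class source dst=<destination>
summarize_martians() {
    grep -o 'martian source [^ ]* from [^ ]*, on dev [^ ]*' \
    | awk '{ dst = $3; src = $5; sub(/,$/, "", src); print $8, src, dst }' \
    | sort | uniq -c | sort -rn \
    | while read -r n dev src dst; do
        printf '%6d %-5s %-24s %-16s dst=%s\n' \
            "$n" "$dev" "$(classify_src "$src")" "$src" "$dst"
      done
}

# Constructed sample lines in the kernel's format (first address is the
# packet's destination, the address after "from" is the offending source).
# These are made-up entries, not real log data.
sample_log() {
    cat <<'EOF'
Dec 31 14:04:12 router kernel: martian source 203.0.113.10 from 10.1.97.141, on dev eth1
Dec 31 14:04:14 router kernel: martian source 203.0.113.10 from 10.1.97.141, on dev eth1
Dec 31 14:04:18 router kernel: martian source 203.0.113.10 from 10.1.97.141, on dev eth1
Dec 31 14:04:18 router kernel: ll header: 00000000: 00 11 22 33 44 55 66 77 88 99 aa bb 08 00
Jan  1 00:02:00 router kernel: martian source 203.0.113.10 from 127.0.0.1, on dev eth1
Jan  1 00:02:02 router kernel: martian source 203.0.113.10 from 127.0.0.1, on dev eth1
Jan  1 00:03:00 router kernel: martian source 10.0.0.1 from 198.51.100.7, on dev eth0
EOF
}

# Try it on the sample:  sample_log | summarize_martians
# Live use:              journalctl -k | summarize_martians
```

The last sample line is the interesting kind: a routable public source flagged on the LAN interface means either asymmetric routing (consider rp_filter=2) or a host on the LAN spoofing an Internet address, and the "ll header:" line the kernel prints after each message carries the MAC address that tells you which one.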

How do I block martian packets using a firewall?

See how to use iptables to log and then drop packets that arrive on the Internet-facing interface claiming a private, multicast or reserved source address, or a loopback destination. These rules matter most on a single-homed server, where rp_filter cannot help because every source matches the default route through the same interface. Keep each LOG rule ahead of its DROP rule (LOG is a non-terminating target), and remember that "iptables -A" appends: if the INPUT chain already has an ACCEPT rule that matches first, insert these rules above it with -I instead.

Log and drop packets with suspicious source addresses

## eth1 is the WAN port on the server ##
/sbin/iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
/sbin/iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
/sbin/iptables -A INPUT -i eth1 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
/sbin/iptables -A INPUT -i eth1 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP SPOOF E: "
/sbin/iptables -A INPUT -i eth1 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "

/sbin/iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
/sbin/iptables -A INPUT -i eth1 -s 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -i eth1 -s 240.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -i eth1 -d 127.0.0.0/8 -j DROP

## Save the rules; restore them at boot with "iptables-restore < /root/my-iptables.rules" ##
## (or use the iptables-persistent package on Debian/Ubuntu and "service iptables save" on CentOS/RHEL) ##
/sbin/iptables-save > /root/my-iptables.rules
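Typing the rule list by hand scales poorly and leaves the LOG target unthrottled. The generator below emits the same policy in iptables-restore format, as a dedicated chain with rate-limited logging, covering the remaining RFC 6890 special-use blocks as well. It is an added example rather than the article's own rules; the chain name SPOOF_IN, the log prefixes and the function names are our choices.

```shell
#!/bin/sh
# Added example, not from the original article: generate an anti-spoofing
# chain for the Internet-facing interface in iptables-restore format.
# Compared with the article's rules it (a) keeps LOG and DROP together in a
# dedicated chain, (b) rate-limits LOG so a flood cannot fill the log,
# (c) covers the remaining RFC 6890 special-use blocks, and (d) inserts the
# jump at position 1 of INPUT so it runs before any ACCEPT rule.
# The chain name, log prefixes and function names are ours.

# Source blocks that must never arrive on an Internet-facing interface.
bogon_sources() {
    cat <<'EOF'
0.0.0.0/8        this-host
10.0.0.0/8       rfc1918
100.64.0.0/10    cgnat
127.0.0.0/8      loopback
169.254.0.0/16   link-local
172.16.0.0/12    rfc1918
192.0.2.0/24     test-net-1
192.168.0.0/16   rfc1918
198.18.0.0/15    benchmark
198.51.100.0/24  test-net-2
203.0.113.0/24   test-net-3
224.0.0.0/4      multicast
240.0.0.0/4      reserved
EOF
}

# Print restore-format rules for WAN interface $1 (default eth1).
antispoof_rules() {
    wan=${1:-eth1}
    printf '%s\n' '*filter' ':SPOOF_IN - [0:0]'
    # Jump from INPUT; on a router add the same jump to FORWARD.
    printf '%s\n' "-I INPUT 1 -i $wan -j SPOOF_IN"
    bogon_sources | while read -r net tag; do
        # LOG first (non-terminating), throttled to 5/min with a burst of 10.
        printf '%s\n' "-A SPOOF_IN -s $net -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"SPOOF $tag: \""
        printf '%s\n' "-A SPOOF_IN -s $net -j DROP"
    done
    # The article's last rule: a loopback *destination* arriving from outside.
    printf '%s\n' '-A SPOOF_IN -d 127.0.0.0/8 -m limit --limit 5/min -j LOG --log-prefix "SPOOF loopback-dst: "'
    printf '%s\n' '-A SPOOF_IN -d 127.0.0.0/8 -j DROP'
    printf '%s\n' 'COMMIT'
}

# Usage (as root, once; running it twice adds a second INPUT jump):
#   antispoof_rules eth1 | iptables-restore --noflush
# Then persist with iptables-save, netfilter-persistent save, or
# service iptables save, whichever your distribution uses.
```

Review the generated text before loading it ("antispoof_rules eth1 | less"), and if the server's upstream hands it a 100.64.0.0/10 (carrier-grade NAT) address, drop that entry from bogon_sources before applying.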

See also

Linux Kernel /etc/sysctl.conf Security Hardening

martian – A packet sent on a TCP/IP network with a source address of the test loopback interface [127.0.0.1]. This means that it will come back labeled with a source address that is clearly not of this earth. “The domain server is getting lots of packets from Mars. Does that gateway have a martian filter?”

 

 
