Re: martian source: any IP gurus?
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 01/17/05
- In reply to: nosy: "martian source: any IP gurus?"
Date: Mon, 17 Jan 2005 16:25:05 -0600
In article <pan.2005.01.17.06.07.03.512873@remove.this.myway.com>, nosy wrote:
>I keep getting messages like
>(...) kernel: martian source 169.254.114.246 from 169.254.114.246,
>on dev eth1
So, what's on eth1? I suspect this is your local LAN, and you have some
windoze boxes on it. You could run 'tcpdump' on this interface (see the
man page), and look for these martian packets. Note the _hardware_
address, and then look for the same hardware address on the hosts on your
LAN. The address may not show up immediately, as the spec for this service
changed in 2003 and now says the same interface should not have a 169.254/16
address and any other at the same time. Those packets should have a TTL of 1,
and should not be forwarded by any router. Router software since 2002 should
be set to silently drop packets in this address range anyway.
>If I look up the IP address range, I get:
>OrgName: Internet Assigned Numbers Authority
3330 Special-Use IPv4 Addresses. IANA. September 2002. (Format:
TXT=16200 bytes) (Status: INFORMATIONAL)
http://www.ietf.org/rfc/rfc3330.txt
http://www.faqs.org/rfcs/rfc3330.html
http://www.rfc-editor.org/rfc/rfc3330.txt
http://www.ccd.bnl.gov/network/general/rfc3330.html
http://www.cis.ohio-state.edu/htbin/rfc/rfc3330.html
Second paragraph (top of 'page 2')
169.254.0.0/16 - This is the "link local" block. It is allocated for
communication between hosts on a single link. Hosts obtain these
addresses by auto-configuration, such as when a DHCP server may not
be found.
http://www.ietf.org/internet-drafts/draft-ietf-zeroconf-ipv4-linklocal-17.txt
still works, although this version of the draft expired 2 Jan 2005. This
"service" is designed for salesweasels and marketdroids who happen to meet
in airport waiting areas, so they can connect their lapdogs with a cross
over cable and trade pr0n and viruses. This "feature" was added to win98 and
MacOS 8.5, and microsoft has been trying to get it standardized since late
1998. They've gone through 17 revisions, and the internet community still
hasn't adopted it. It's also useful when the Minesweeper Consultant Solitaire
Expert 0rks up the configuration of the domain controller or DHCP server so
bad that even windoze boxes can't get a DHCP lease.
>the machine works as an internet gateway with squid running. I am not
>aware of any misconfiguration. AFAIK,
Somebody couldn't find the DHCP server, and pulled an address out of their
a$$. Could you have a visitor on your LAN? Or one of your users playing?
>martian source means it comes from a malconfigured device.
See the Jargon file (www.ccil.org/jargon) or (www.catb.org/jargon) or
(info.astrian.net/jargon/). Basically, it means a packet that arrived on
an interface that it should not have - originally, a packet from 127.0.0.1
arriving on something OTHER THAN the loopback.
Old guy
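
An added example, not part of the original post: a short Python script that summarizes kernel "martian source" log lines by interface, source address and source hardware address, and labels the source against the two special-use blocks mentioned in this thread. The sample log lines are constructed, and the colon-separated "ll header:" follow-up line is an assumed format (it differs between kernel versions).

```python
import ipaddress
import re

# Special-use blocks mentioned in this thread (subset of RFC 3330).
SPECIAL = {
    "link-local 169.254/16": ipaddress.ip_network("169.254.0.0/16"),
    "loopback 127/8": ipaddress.ip_network("127.0.0.0/8"),
}
# The kernel prints the destination first, then the source after "from".
MARTIAN = re.compile(r"martian source ([\d.]+) from ([\d.]+), on dev (\S+)")
# Assumed format: 14 Ethernet header bytes (dst MAC, src MAC, ethertype).
LL_HEADER = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})")

# Constructed sample; the MAC is from the documentation range 00:00:5e:00:53:xx.
SAMPLE = """\
Jan 17 06:01:11 gw kernel: martian source 169.254.114.246 from 169.254.114.246, on dev eth1
Jan 17 06:01:11 gw kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:00
Jan 17 06:03:42 gw kernel: martian source 169.254.114.246 from 169.254.114.246, on dev eth1
Jan 17 06:03:42 gw kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:00
Jan 17 06:05:00 gw kernel: martian source 192.168.1.1 from 127.0.0.1, on dev eth0
""".splitlines()

def classify(addr):
    """Name the special-use block an address falls in, or 'other'."""
    ip = ipaddress.ip_address(addr)
    for label, net in SPECIAL.items():
        if ip in net:
            return label
    return "other"

def summarize(lines):
    """Return {(dev, src_ip, src_mac): (block_label, count)}."""
    events = []  # each entry: [dev, src_ip, src_mac or None]
    for line in lines:
        m = MARTIAN.search(line)
        if m:
            _dst, src, dev = m.groups()
            events.append([dev, src, None])
            continue
        h = LL_HEADER.search(line)
        if h and events and events[-1][2] is None:
            # Header bytes 6..11 are the sender's hardware address.
            events[-1][2] = ":".join(h.group(1).split(":")[6:12])
    report = {}
    for dev, src, mac in events:
        label, n = report.get((dev, src, mac), (classify(src), 0))
        report[(dev, src, mac)] = (label, n + 1)
    return report

if __name__ == "__main__":
    for (dev, src, mac), (label, n) in summarize(SAMPLE).items():
        print(f"{dev}: {src} [{label}] mac={mac} seen {n}x")
```

The hardware address in the summary is the value to compare against the interfaces of the hosts on the LAN, as the post suggests doing with tcpdump output.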