Search This Blog

2014-03-22

What the Heck is a Martian Address?

In a basic sense martian addresses are addresses that the network interfaces on your box are not intended to see. They are generally the "special use" addresses defined by IANA, wikipedia provides a pretty comprehensive list http://en.wikipedia.org/wiki/Martian_packet

I had never run into this issue before but recently there were some difficulties accessing and providing services on one of our IPs. I tried logging into this server and noticed that it was taking forever to get logged in, strange, maybe the box is overloaded? But no, after checking all performance statistics I could think of there was nothing. I was stumped and figured it had to be something network-related so I started by pinging the device and I was able to ping it no problem, routing, that was fine too. So I went looking up logs. Starting with /var/log/messages I immediately noticed the culprit.

Mar 21 22:54:32 [hostname] kernel: [2271940.733176] ll header: ff:ff:ff:ff:ff:ff:00:02:99:0f:d4:2a:08:00
Mar 21 22:55:03 [hostname] kernel: [2271971.764263] martian source 255.255.255.255 from 10.128.0.237, on dev eth1
Mar 21 22:55:03 [hostname] kernel: [2271971.764268] ll header: ff:ff:ff:ff:ff:ff:00:02:99:0f:d4:2a:08:00
Mar 21 22:55:34 [hostname] kernel: [2272003.164375] martian source 255.255.255.255 from 10.128.0.237, on dev eth1
Mar 21 22:55:34 [hostname] kernel: [2272003.164380] ll header: ff:ff:ff:ff:ff:ff:00:02:99:0f:d4:2a:08:00

I eventually got the mac tracked down to a specific switchport. I disabled the switchport and the messages went away. Very strange.

Later it was found out that the device on that particular switchport was given a duplicate IP to the server that I was using. That's why I was seeing broadcasts that seemed like they were from myself and broadcasts that also seemed to come from my own address.

Resources:
https://www.gc3.uzh.ch/blog/Martian_source_messages_and_the_default_route/
https://systemoverlord.com/blog/2011/11/05/martian-packet-messages/
http://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/

No comments:

Post a Comment