Home / server / Questions / 244648
In Process
edumike
Asked: 2011-03-09 04:32:50 +0800 CST

Linux - martian source in /var/log/messages

  • 772

I keep getting these messages in /var/log/messages :

Mar  8 23:17:25 saas1 kernel: martian source 169.254.1.1 from 169.254.95.118, on dev usb0
Mar  8 23:17:25 saas1 kernel: ll header: ff:ff:ff:ff:ff:ff:00:21:5e:de:1b:be:08:06

Over and over every 5 seconds there's another report exactly the same way.

I did a whois on 169.254.95.118 and get a strange message back also:

http://whois.arin.net/rest/nets;q=169.254.95.118?showDetails=true&showARIN=false

This is the "link local" block. It was set
aside for this special use in the Standards 
Track document, RFC 3927 and was further
documented in the Best Current Practice
RFC 5735, which can be found at:
http://www.rfc-editor.org/rfc/rfc3927.txt
http://www.rfc-editor.org/rfc/rfc5735.txt
It is allocated for communication between hosts 
on a single link. Hosts obtain these addresses 
by auto-configuration, such as when a DHCP 
server cannot be found.
A router MUST NOT forward a packet with an IPv4 
Link-Local source or destination address, 
irrespective of the router's default route configuration 
or routes obtained from dynamic routing protocols. 
A router which receives a packet with an IPv4 
Link-Local source or destination address MUST NOT 
forward the packet. This prevents forwarding of 
packets back onto the network segment from which 
they originated, or to any other segment.
linux networking log-files dmesg

5 Answers

  1. If a host on a network cannot obtain a network address via DHCP, an address from 169.254.1.0 to 169.254.254.255 may be assigned pseudorandomly. So it's an interface without connection to the internet. That is what ARIN is telling you. If someone tries to send something to this address, it is called a martian packet.

    What is plugged into usb0?

    • 9

  2. You don't tell us what the IP address of USB0 is but I guess it's not in the link local subnet so packets arriving at usb0 from link local will be 'martian'. This is a widely quoted explantion

    These are packets that Linux does not expect from the direction they came from (i.e. packets from internal hosts coming in on the external interface). The cause is probably a misconfigured machine on your LAN. You can turn off logging those packets via /proc/sys/net/ipv4/conf/interface/log_martians which is documented in /usr/src/linux/Documentation/proc.txt

    • 5

  3. Wikipedia: http://en.wikipedia.org/wiki/APIPA

    You can turn off martian logging if you want:

    echo 0 > /proc/sys/net/ipv4/conf/{all,default}/log_martians
    • 4

  4. I really would not turn off logging the martians: they typically are logged on production machines and this to protect against an aggression.

    One hit every few seconds is probably a misconfigured machine, but on the day your server is attacked, you would have valuable info in the logs.

    Best bet is, keep logging and look for a misconfigured machine if it is not too many machines to look at --it is likely to be a machine near.

    • 1

  5. It's not advised to stop logging martians. However, If you need to stop amend with kernel parameters as follows.

    Edit sysctl and add change 1 to 0 and make sure to replace "ens192 and ens224" with your interface name. This will stop logging martians.

    # vi /etc/sysctl.d/99-sysctl.conf

    Change as shown below.

    net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.ens192.log_martians = 0
net.ipv4.conf.ens224.log_martians = 0

    Apply it by running

    # sysctl -p /etc/sysctl.d/99-sysctl.conf

    Hope this will help for someone.

    • 1