Old 12-11-2005
Moe Trin
 
Re: Reply to all posters: mystery martian source from 127.0.0.1

On Sat, 10 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
<dnf293$jn4$1@news.hispeed.ch>, EricT wrote:

>I figured out, which system is responsible for these martian packets.


I don't think so, unless the Modem is behaving as a transparent bridge.
That's not impossible, but it's also not likely.

>I listened to the traffic of the cablecom net and this particular
>gateway is routing or forwarding or sending broadcasts (67 -> 68),
>which my firewall dropped without logging. Now after monitoring all
>the traffic, I have seen the MAC (and ip) in any packet of this type.


Here's how to tell if your modem is a bridge or not. While you are
looking at the traffic, do you see any OTHER MAC addresses - or is all
of the traffic using that same 00:09:7b:8d:98:70? Obviously, we don't
count your own MAC address in this mess - but what about all others?

>a traceroute to that ip will show this:
>traceroute to 80.219.88.1 (80.219.88.1), 30 hops max, 40 byte packets
> 1 * * *


[...]

>30 * * *


All that is saying is that there is a nearby host that is dropping
ICMP error messages, or that 80.219.88.1 has a firewall rule to "DROP"
rather than "REJECT" or none at all.

>After calling the ISP, they do not seem to be very interested in this
>matter.


You got to talk to someone who can spell "IP" ??? Wow - that doesn't
happen too often. ;-)

>I still do not know what (in detail) causes the martian packets, but i
>know where they come from and actually it is not my business anymore ;-).


You could set your own firewall to ignore packets with a source of
127.0.0.0/8 on the eth0 interface. RFC2827 (and RFC3704) recommend such
filtering.

2827 Network Ingress Filtering: Defeating Denial of Service Attacks
which employ IP Source Address Spoofing. P. Ferguson, D. Senie.
May 2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated
by RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)

3704 Ingress Filtering for Multihomed Networks. F. Baker, P. Savola.
March 2004. (Format: TXT=35942 bytes) (Updates RFC2827) (Also
BCP0084) (Status: BEST CURRENT PRACTICE)

Normally, your ISP should be doing this - looks as if they are falling
down on the concept.

Old guy
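Two of the checks discussed in this thread, written up as an added example that is not part of the original post: counting the foreign MAC addresses seen on the wire (one means the modem routes, many means it bridges), and the RFC 2827 style ingress verdict that drops 127.0.0.0/8 and other non-routable sources arriving on eth0. The tcpdump-style capture lines, the host MAC 00:11:22:33:44:55 and the 10.0.0.5 source are constructed.

```python
import ipaddress
import re

# Constructed `tcpdump -e -n` style lines, not a real capture.
SAMPLE_LINES = [
    "00:09:7b:8d:98:70 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 127.0.0.1.67 > 255.255.255.255.68: BOOTP/DHCP",
    "00:09:7b:8d:98:70 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 80.219.88.1 > 80.219.88.42: ICMP echo request",
    "00:11:22:33:44:55 > 00:09:7b:8d:98:70, ethertype IPv4 (0x0800), length 60: 80.219.88.42 > 80.219.88.1: ICMP echo reply",
    "00:09:7b:8d:98:70 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 10.0.0.5 > 80.219.88.42: TCP",
]
OWN_MAC = "00:11:22:33:44:55"  # assumed MAC of the listening host

LINE_RE = re.compile(
    r"^([0-9a-f:]{17}) > ([0-9a-f:]{17}), .*?length \d+: "
    r"(\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?")

def parse_line(line):
    """Return (src_mac, dst_mac, src_ip, dst_ip) or None if the line is not IPv4."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_mac, dst_mac, src_ip, dst_ip = m.groups()
    return src_mac.lower(), dst_mac.lower(), ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)

def foreign_macs(lines, own_mac):
    """Distinct source MACs other than our own: a bridging modem exposes the
    upstream neighbours' MACs, a routing modem shows only its own."""
    parsed = (parse_line(l) for l in lines)
    return {p[0] for p in parsed if p and p[0] != own_mac.lower()}

# Source prefixes that must never arrive from the WAN side; loopback is the
# thread's case, the rest are the usual RFC 2827 / BCP 38 ingress rejects.
MARTIAN_SOURCES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/3")]

def ingress_verdict(src_ip, iface, wan_iface="eth0"):
    """Equivalent of `iptables -A INPUT -i eth0 -s <prefix> -j DROP` per prefix."""
    if iface != wan_iface:
        return "ACCEPT"
    return "DROP" if any(src_ip in net for net in MARTIAN_SOURCES) else "ACCEPT"

def filter_capture(lines, iface="eth0"):
    """Apply the ingress verdict to every parsed line seen on `iface`."""
    out = []
    for line in lines:
        p = parse_line(line)
        if p:
            out.append((str(p[2]), ingress_verdict(p[2], iface)))
    return out
```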