Linux - martian source in /var/log/messages

Question

I keep getting these messages in /var/log/messages :

Mar  8 23:17:25 saas1 kernel: martian source 169.254.1.1 from 169.254.95.118, on dev usb0
Mar  8 23:17:25 saas1 kernel: ll header: ff:ff:ff:ff:ff:ff:00:21:5e:de:1b:be:08:06

Over and over every 5 seconds there's another report exactly the same way.

I did a whois on 169.254.95.118 and get a strange message back also:

http://whois.arin.net/rest/nets;q=169.254.95.118?showDetails=true&showARIN=false

This is the "link local" block. It was set
aside for this special use in the Standards 
Track document, RFC 3927 and was further
documented in the Best Current Practice
RFC 5735, which can be found at:
http://www.rfc-editor.org/rfc/rfc3927.txt
http://www.rfc-editor.org/rfc/rfc5735.txt
It is allocated for communication between hosts 
on a single link. Hosts obtain these addresses 
by auto-configuration, such as when a DHCP 
server cannot be found.
A router MUST NOT forward a packet with an IPv4 
Link-Local source or destination address, 
irrespective of the router's default route configuration 
or routes obtained from dynamic routing protocols. 
A router which receives a packet with an IPv4 
Link-Local source or destination address MUST NOT 
forward the packet. This prevents forwarding of 
packets back onto the network segment from which 
they originated, or to any other segment.

voted to close as it's unclear what you're asking. Also site has lots of Q&A about "martians" — poige, Jan 16 '19 at 11:10

score 9 · Answer 1 · answered Mar 08 '11 at 12:39

9

If a host on a network cannot obtain a network address via DHCP, an address from 169.254.1.0 to 169.254.254.255 may be assigned pseudorandomly. So it's an interface without connection to the internet. That is what ARIN is telling you. If someone tries to send something to this address, it is called a martian packet.

What is plugged into usb0?

answered Mar 08 '11 at 12:39

Bart De Vos

17,761
6
62
81

I don't know what's plugged into USB0, it's on an offsite server. I might have to ask them what's going on with it. This was put together before I started working in my job but the guys there don't think that they were using a USB ethernet port. I might get one of the offsite guys to tell me what's physically plugged in. I can't figure it out with dmesg/lspci/lshw – edumike Mar 09 '11 at 22:20

score 5 · Answer 2 · answered Mar 08 '11 at 12:44

5

You don't tell us what the IP address of USB0 is but I guess it's not in the link local subnet so packets arriving at usb0 from link local will be 'martian'. This is a widely quoted explantion

These are packets that Linux does not expect from the direction they came from (i.e. packets from internal hosts coming in on the external interface). The cause is probably a misconfigured machine on your LAN. You can turn off logging those packets via /proc/sys/net/ipv4/conf/interface/log_martians which is documented in /usr/src/linux/Documentation/proc.txt

answered Mar 08 '11 at 12:44

user9517

114,104
20
206
289

So there's nothing else going wrong here? I'd rather I didn't get them at all be to honest, though I don't know what's causing them. – edumike Mar 09 '11 at 22:16
@edumike: There is likely something misconfigured on your network as it is sending packets to your machine when it shouldn't. You can try and track that machine down and fix it's configuration or you can just turn off logging as per [pepoluan's](http://serverfault.com/questions/244648/linux-martian-source-in-var-log-messages/244650#244650) answer. – user9517 Mar 09 '11 at 22:22

score 4 · Answer 3 · answered Mar 08 '11 at 12:44

4

Wikipedia: http://en.wikipedia.org/wiki/APIPA

You can turn off martian logging if you want:

echo 0 > /proc/sys/net/ipv4/conf/{all,default}/log_martians

answered Mar 08 '11 at 12:44

pepoluan

4,918
3
43
71

This did not work for me. – Brian Minton Feb 22 '17 at 19:26
@BrianMinton this only disables kernel's logging. if your `iptables` rules have explicit Martian logging, then you need to remove those, too. – pepoluan Feb 24 '17 at 10:00
No, I don't have any iptables rules at all. – Brian Minton Aug 27 '17 at 00:30

score 1 · Answer 4 · answered Jan 07 '13 at 22:54

I really would not turn off logging the martians: they typically are logged on production machines and this to protect against an aggression.

One hit every few seconds is probably a misconfigured machine, but on the day your server is attacked, you would have valuable info in the logs.

Best bet is, keep logging and look for a misconfigured machine if it is not too many machines to look at --it is likely to be a machine near.

score 1 · Answer 5 · answered Jan 16 '19 at 08:45

It's not advised to stop logging martians. However, If you need to stop amend with kernel parameters as follows.

Edit sysctl and add change 1 to 0 and make sure to replace "ens192 and ens224" with your interface name. This will stop logging martians.

# vi /etc/sysctl.d/99-sysctl.conf

Change as shown below.

net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.ens192.log_martians = 0
net.ipv4.conf.ens224.log_martians = 0

Apply it by running

# sysctl -p /etc/sysctl.d/99-sysctl.conf

Hope this will help for someone.

Linux - martian source in /var/log/messages

5 Answers5