Understanding Martian Packet Logging in Linux: Security Implications and sysctl Configuration

In Linux networking, "Martian packets" refer to IP packets that appear to originate from or are destined to obviously invalid IP addresses. These include:

0.0.0.0/8          # "This" network
127.0.0.0/8        # Loopback
192.0.2.0/24       # TEST-NET-1
224.0.0.0/4        # Multicast
240.0.0.0/4        # Reserved
169.254.0.0/16     # Link-local

While Martian packets themselves aren't direct attacks, their presence often indicates:

  • Network misconfiguration (accidental or malicious)
  • Potential IP spoofing attempts
  • Malware beaconing to invalid destinations
  • Faulty network hardware generating corrupt packets

To enable logging (typically logged to /var/log/messages or /var/log/syslog):

# Temporary enablement
sudo sysctl -w net.ipv4.conf.all.log_martians=1

# Permanent configuration
echo "net.ipv4.conf.all.log_martians = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Here's how to parse Martian packet logs:

# The kernel logs "martian source <dst> from <src>, on dev <if>", so $NF is the
# interface name, not an address; extract the address after "martian source" instead.
# (The address after "from" is the packet's actual source; use 'from [0-9.]*' to count that.)
grep -o 'martian source [0-9.]*' /var/log/syslog | awk '{print $3}' | sort | uniq -c | sort -n

Sample output showing spoofed packets from RFC1918 space:

3 192.168.1.1
12 10.0.0.254
47 172.16.45.67

Combine with other network hardening settings:

# Ignore ICMP errors from invalid addresses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable RFC-recommended source validation
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0

While logging adds minimal overhead, consider these optimizations for high-traffic systems:

  • Use log rotation policies
  • Filter logs with rsyslog rules
  • Monitor log growth in /var/log

In Linux networking, "Martian packets" refer to IP packets that contain obviously invalid source addresses as defined by RFC 1812. These typically include:

  • Packets with source addresses in reserved IP ranges (e.g., 0.0.0.0, 127.0.0.0/8)
  • Packets claiming to originate from multicast addresses (224.0.0.0/4)
  • Packets from your own network appearing on external interfaces

While not direct attacks themselves, Martian packets often indicate one of these common scenarios, where logging helps:

1. Misconfigured network equipment
2. Spoofing attempts (DDoS precursors)
3. Rogue devices on your network
4. Faulty network drivers/hardware

The recommended sysctl configuration includes:

# Enable Martian logging globally
net.ipv4.conf.all.log_martians = 1

# Enable for specific interfaces (e.g., eth0). The kernel ORs conf.all with the
# per-interface value, so this only matters when conf.all.log_martians is 0
net.ipv4.conf.eth0.log_martians = 1

# Additional protection against ICMP abuse
net.ipv4.icmp_ignore_bogus_error_responses = 1

Sample kernel log entries you might see:

kernel: martian source 192.168.1.1 from 10.0.0.1, on dev eth0
kernel: martian source 127.0.0.1 from 203.0.113.5, on dev eth1

These would appear in /var/log/kern.log or journalctl -k depending on your distro.
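A small parser for the kernel line format shown above, added here as an example (it is not code from the original page). It extracts both addresses and the interface from constructed sample lines, classifies each packet against the bogon ranges listed at the top of the page plus RFC 1918 space, and counts by actual source address; the range names are my own labels.

```python
import re
import ipaddress
from collections import Counter

# Kernel format (net/ipv4/route.c): "martian source <dst> from <src>, on dev <if>".
# The address after "from" is the packet's source; the first one is its destination.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)"
)

# Bogon ranges from the list at the top of the page, plus RFC 1918 space,
# which is martian when it shows up on an external interface.
BOGONS = [
    ("this-network", "0.0.0.0/8"), ("loopback", "127.0.0.0/8"),
    ("test-net-1", "192.0.2.0/24"), ("multicast", "224.0.0.0/4"),
    ("reserved", "240.0.0.0/4"), ("link-local", "169.254.0.0/16"),
    ("rfc1918", "10.0.0.0/8"), ("rfc1918", "172.16.0.0/12"),
    ("rfc1918", "192.168.0.0/16"),
]
BOGONS = [(name, ipaddress.ip_network(net)) for name, net in BOGONS]

def classify(addr: str) -> str:
    """Return the name of the range addr falls in, or 'other'."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in BOGONS if ip in net), "other")

def reason(src: str, dst: str) -> str:
    """Say which address made the packet martian; the source takes priority."""
    s = classify(src)
    return f"src:{s}" if s != "other" else f"dst:{classify(dst)}"

def parse_martians(lines):
    """Yield (src, dst, dev, reason) for each martian-source line; skip others."""
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["dev"], reason(m["src"], m["dst"])

def summarize(lines):
    """Count martian packets per (source address, interface, reason)."""
    return Counter((src, dev, why) for src, _, dev, why in parse_martians(lines))

# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = """\
Mar  1 10:00:01 gw kernel: [ 1234.5678] martian source 192.168.1.1 from 10.0.0.1, on dev eth0
Mar  1 10:00:02 gw kernel: [ 1235.0001] martian source 127.0.0.1 from 203.0.113.5, on dev eth1
Mar  1 10:00:03 gw kernel: [ 1236.0002] martian source 192.168.1.1 from 10.0.0.1, on dev eth0
Mar  1 10:00:04 gw kernel: [ 1237.0003] martian source 203.0.113.9 from 169.254.10.20, on dev eth1
Mar  1 10:00:05 gw sshd[100]: Accepted publickey for admin from 203.0.113.7
""".splitlines()
```

Feed `summarize()` the output of `journalctl -k` or the contents of /var/log/kern.log to get the same per-source counts as the grep pipeline, with the offending range named alongside.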

For high-security environments, consider combining with:

# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Reject source-routed packets (loose/strict source route IP options). Note that the
# kernel already drops martian-source packets; log_martians only controls logging
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

If you encounter legitimate traffic being flagged:

  1. Verify your network topology and routing tables
  2. Check for asymmetric routing paths
  3. Review any VPN or tunneling configurations

For persistent false positives, you can adjust logging per-interface rather than disabling it completely.