[GRLUG] Rogue packet triggering reboot!
mikemol at gmail.com
Mon Oct 17 17:11:08 EDT 2016
On Monday, October 17, 2016 04:54:56 PM Adam Tauno Williams wrote:
> On Mon, 2016-10-17 at 14:52 -0500, L. V. Lammert wrote:
> > This SEEMS to indicate that a packet received on a public IF that has
> > no open ports triggered a reboot:
> > Oct 14 17:31:36 <machine> kernel: IPv4: martian source 184.108.40.206
> > from 220.127.116.11, on dev br3
> > Oct 14 17:31:36 <machine> kernel: ll header: 00000000: 00 e0 81 cd 21
> > b1 00 b0 c2 88 54 1c 08 00 ....!.....T...
> > Oct 14 17:31:44 <machine> systemd: Received SIGINT.
> > <reboot in process>
> A full EIGHT SECONDS later? I would not automatically correlate these
> two events.
> If the interface has no open ports why not discard all inbound traffic?
The "martian source" refers to a routing error.
Perhaps br3 is only for VMs, and has an interface on the VM host for routing
guest traffic out? A VM guest may be originating traffic using one of his public
IPs for a source address. Possibly as part of a NAT punching technique? Or
perhaps he assigned the public IP to the guest without informing the host that
that particular IP could be found there?
Oh, hey, looking up the WHOIS, now I know his first name! :P
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 455 bytes
Desc: This is a digitally signed message part.
More information about the grlug