3.2.4 Ensure suspicious packets are logged - net.ipv4.conf.default.log_martians


When enabled, this feature logs packets with un-routable source addresses to the kernel log.


Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.


Run the following commands to set the active kernel parameters:

# sysctl -w net.ipv4.conf.all.log_martians=1
# sysctl -w net.ipv4.conf.default.log_martians=1
# sysctl -w net.ipv4.route.flush=1

/etc is stateless on Container-Optimized OS. Therefore, /etc cannot be used to make these changes persistent across reboots. The steps mentioned above need to be performed after every boot.
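As an added example (not part of the benchmark text), the following POSIX shell script audits the two log_martians settings by reading them from /proc/sys, wraps the remediation commands above, and counts the "martian source" lines that the kernel writes to its log once the setting is active. The SYSCTL_DIR variable and the sample kernel-log lines are constructed for the example.

```shell
#!/bin/sh
# Added example: audit and remediate log_martians, and count the kernel-log
# lines it produces. SYSCTL_DIR is an assumption so the audit can be pointed
# at a fixture directory instead of the live /proc/sys.
SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys}"

# Return 0 only if both net.ipv4.conf.all.log_martians and
# net.ipv4.conf.default.log_martians read as 1; print PASS/FAIL per setting.
check_log_martians() {
    status=0
    for scope in all default; do
        f="$SYSCTL_DIR/net/ipv4/conf/$scope/log_martians"
        if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
            echo "PASS net.ipv4.conf.$scope.log_martians = 1"
        else
            got=$(cat "$f" 2>/dev/null || echo unreadable)
            echo "FAIL net.ipv4.conf.$scope.log_martians (want 1, got '$got')"
            status=1
        fi
    done
    return $status
}

# The benchmark's remediation. On Container-Optimized OS this does not
# persist, so it has to be rerun after every boot (e.g. from a startup task).
remediate_log_martians() {
    sysctl -w net.ipv4.conf.all.log_martians=1
    sysctl -w net.ipv4.conf.default.log_martians=1
    sysctl -w net.ipv4.route.flush=1
}

# Count "martian source" entries in kernel-log text supplied on stdin
# (e.g. `dmesg | count_martians`). Prints 0 when there are none.
count_martians() {
    grep -c 'martian source' || true
}

# Constructed sample of what the kernel logs with log_martians=1.
SAMPLE_DMESG='IPv4: martian source 10.0.0.9 from 192.168.1.1, on dev eth0
eth0: link up
IPv4: martian source 10.0.0.9 from 192.168.1.1, on dev eth0'

# Run the audit when invoked directly with --audit; otherwise just define functions.
if [ "${1:-}" = "--audit" ]; then
    check_log_martians
    echo "martian packets logged so far: $(dmesg 2>/dev/null | count_martians)"
fi
```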

See Also