
Log in dmesg icmp: ip Source Route Failed

[Virtual servers]
Date of publication: 22.05.2025

In the Linux log, when running the dmesg command, you may encounter events like these:

icmp6_send: no reply to icmp error
icmp6_send: no reply to icmp error
icmp6_send: no reply to icmp error
icmp: xxx.xx.xxx.xx: Source Route Failed
icmp: xxx.xx.xxx.xx: Source Route Failed
icmp: xxx.xx.xxx.xx: Source Route Failed

1. icmp6_send: no reply to icmp error

The operating system attempted to send an ICMPv6 error message (e.g., "Destination Unreachable," "Time Exceeded," etc.), but received no response.

In most cases, this is due to the error message being blocked by a firewall.

2. icmp: xxx.xx.xxx.xx: Source Route Failed

The node xxx.xx.xxx.xx (a router or host) attempted to use source routing (specifying the route in the IP packet header), but it failed.

Source routing is considered a vulnerability and is typically disabled in modern operating systems and network devices.

3. Causes

  • Attempted attack using source routing (e.g., spoofing).
  • Network scanning (e.g., via traceroute with the source route option).

4. Conclusion and Actions

4.1 For icmp6_send: no reply to icmp error

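Check the IPv6 protocol settings and functionality, for example, using ping6. You can also set IPv6 traffic limits in the firewall with ip6tables, the IPv6 counterpart of iptables (the ipv6-icmp protocol and the icmp6-adm-prohibited reject type apply to IPv6 only):

ip6tables -A INPUT -p ipv6-icmp -m limit --limit 80/sec --limit-burst 80 -j ACCEPT
# Appended last, this rule rejects everything that no earlier rule has accepted
ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited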

If limits are already set, the message indicates an attempt to exceed them, serving as a notification.

4.2 For icmp: xxx.xx.xxx.xx: Source Route Failed

Ensure source routing is disabled by running:

sysctl net.ipv4.conf.all.accept_source_route

The response should be 0 (net.ipv4.conf.all.accept_source_route = 0).

Check the logs for suspicious activity from the IP xxx.xx.xxx.xx—it is likely a scanner or malicious actor.

In general, no action is required, and the message is merely a notification.

5. Additional Steps (Optional)

5.1 Block the IP

You can block the IP address, but attackers often have entire subnets, so this may be ineffective. The measures above are usually sufficient, but if desired, you can block it like this:

iptables -A INPUT -s xxx.xx.xxx.xx -j DROP

5.2 Enable Logging

# The rt match (IPv6 routing header) exists only in ip6tables
ip6tables -A INPUT -m policy --pol ipsec --dir in -j ACCEPT
ip6tables -A INPUT -m rt --rt-type 0 -j LOG --log-prefix "SRC ROUTE ATTEMPT: "
ip6tables -A INPUT -m rt --rt-type 0 -j DROP

Entries about attempts will appear in the /var/log/syslog file.

5.3 Check Settings on All Interfaces

sysctl -a | grep accept_source_route

The output should look something like this for IPv4:

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0

And similarly for IPv6:

net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.eth0.accept_source_route = 0

Note that the last line of each listing (IPv4 and IPv6) refers to eth0; your network interface name may differ. You can check it with the ifconfig or ip link show (ip l) commands.
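
The check from 5.3 can be automated. The script below is an added example, not part of the original article: it reads lines in sysctl -a format and prints every accept_source_route key whose value deviates from the expected 0. The function names audit_source_route and sample_sysctl and the interfaces eth1 and eth0/100 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit accept_source_route for every interface.
# Input : lines in `sysctl -a` format on stdin ("key = value" or "key=value").
# Output: one offending key per line.
# Status: 0 if nothing is flagged, 1 otherwise.
audit_source_route() {
    awk -F' *= *' '
        BEGIN { bad = 0 }
        $1 ~ /^net\.ipv[46]\.conf\.[^.]+\.accept_source_route$/ {
            # IPv4: 0 = off, 1 = on.
            # IPv6: 0 = accept only routing header type 2,
            #       negative = accept no routing header at all.
            # Only values above 0 deviate from the expected output.
            if ($2 + 0 > 0) { print $1; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed sample, not real output. eth1 and eth0/100 are hypothetical
# interfaces; sysctl prints the VLAN interface eth0.100 as eth0/100.
sample_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.eth1.accept_source_route = 1
net.ipv4.conf.eth0/100.accept_source_route = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.eth0.accept_source_route = -1
EOF
}

# Demo run on the sample; the guard keeps the script going when keys are flagged.
flagged=$(sample_sysctl | audit_source_route) || echo "accept_source_route is not 0 for:"
echo "$flagged"

# On a live host:
#   sysctl -a 2>/dev/null | audit_source_route
```

For IPv4 the kernel accepts source-routed packets on an interface only when both the all key and the interface key are enabled, so a flagged interface key with all = 0 is a configuration drift to clean up, not yet an open path.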

5.4 Modify sysctl Settings

To make changes to the operating system settings and persist them after a reboot, edit the /etc/sysctl.conf file. To apply the changes, use:

sysctl -p

In this case, the lines in the file will look like this:

net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0



