I just got a report from our security scan company that we failed our quarterly audit because:
Category: Denial of Service
Summary: Sends a TCP packet from a multicast address
Your machine answers to TCP packets that are coming from a multicast
address. This is known as the 'spank' denial of service attack.
An attacker might use this flaw to shut down this server and
saturate your network, thus preventing you from working properly.
This also could be used to run stealth scans against your machine.
Solution : contact your operating system vendor for a patch.
Filter out multicast addresses (220.127.116.11/4)
Do I just need to put a statement in my outside interface access-list denying this? I'm not sure why I would need this since there is supposed to be an explicit deny all at the end of every access-list. Is that not correct?
I'm running an ASA 5510.