Filter out multicast addresses (224.0.0.0/4)

Unanswered Question
May 18th, 2009

I just got a report from our security scan company that we failed our quarterly audit because:

Category: Denial of Service

Title: spank.c

Summary: Sends a TCP packet from a multicast address

Description: Your machine answers to TCP packets that are coming from a multicast address. This is known as the 'spank' denial of service attack. An attacker might use this flaw to shut down this server and saturate your network, thus preventing you from working properly. This also could be used to run stealth scans against your machine.

Solution: contact your operating system vendor for a patch. Filter out multicast addresses (224.0.0.0/4)

Do I just need to put a statement in my outside interface access-list denying this? I'm not sure why I would need this since there is supposed to be an explicit deny all at the end of every access-list. Is that not correct?

I'm running an ASA 5510
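As an added example (not from any poster in this thread), this is what an explicit deny for multicast source addresses and the checks around it look like on an ASA. The interface name `outside` is taken from the question; the ACL name `outside_access_in` is an assumption and should be replaced with the name of the ACL actually applied inbound on that interface.

```cisco
! Added example, not from this thread. Assumes the outside interface is named
! "outside" and the inbound ACL is "outside_access_in"; adjust to match the
! running config.

! 1. Check whether multicast routing is enabled at all. It is off by default
!    on the ASA, so an empty result means it was never turned on.
show running-config multicast-routing

! 2. Explicitly deny packets whose SOURCE is in 224.0.0.0/4 ahead of any
!    permit entries. The implicit deny at the end of the ACL would drop them
!    anyway, but an explicit entry with "log" produces a %ASA-4-106023 deny
!    message you can show the auditor during a re-test. Note the ASA takes a
!    subnet mask, not a wildcard mask: 240.0.0.0 covers 224.0.0.0/4.
access-list outside_access_in line 1 extended deny ip 224.0.0.0 240.0.0.0 any log
access-group outside_access_in in interface outside

! 3. A multicast address is never a legitimate source, so such a packet is
!    spoofed by definition. Unicast RPF on the outside interface drops it
!    regardless of the ACL (appropriate where routing through "outside" is
!    symmetric).
ip verify reverse-path interface outside

! 4. Make sure the deny messages are actually recorded (106023 is severity 4,
!    "warnings"), then watch for them while the scanner runs its test again.
logging enable
logging buffered warnings
show logging | include 106023
```

If the re-test produces 106023 entries for the 224.0.0.0/4 source and no corresponding permit, the ASA is dropping the packets and the finding can be disputed with that evidence; if a permit does appear, the entry that matched it is the one to tighten.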

Naveen kumar Tue, 05/19/2009 - 22:58

hi,

please try the command below to disable multicast in the firewall.

(config)# no multicast-routing

Rgrds

Naveen

qbakies11 Wed, 05/20/2009 - 09:13

Is multicasting on by default? I don't remember enabling it. Is there somewhere I can see if it is enabled? What effect would it have overall?

qbakies11 Wed, 05/20/2009 - 12:06

I did this, but multicast routing was not enabled. It did not fix my issue.

handsy Wed, 05/20/2009 - 12:54

If this happened to me, I would be asking for a lot more detail from the 'Security Company'.

Like proof of the device that responded to this Multicast packet, exactly which device responded.

I'd also ask them to run their test again, while you are monitoring event logs on the ASA.

The ASA will not allow any packets through a low security interface without an ACL, PERIOD!
