Filter out multicast addresses (224.0.0.0/4)

qbakies11
Level 1

I just got a report from our security scan company that we failed our quarterly audit because:

Category: Denial of Service

Title: spank.c

Summary: Sends a TCP packet from a multicast address

Description:

Your machine answers to TCP packets that are coming from a multicast

address. This is known as the 'spank' denial of service attack.

An attacker might use this flaw to shut down this server and

saturate your network, thus preventing you from working properly.

This also could be used to run stealth scans against your machine.

Solution : contact your operating system vendor for a patch.

Filter out multicast addresses (224.0.0.0/4)

Do I just need to put a statement in my outside interface access-list denying this? I'm not sure why I would need this since there is supposed to be an explicit deny all at the end of every access-list. Is that not correct?

I'm running an ASA 5510

4 Replies

CSCO10905906
Level 1

Hi,

Please try the below command to disable multicast in the firewall.

(config)# no multicast-routing

Rgrds

Naveen

Is multicasting on by default? I don't remember enabling it. Is there somewhere I can see if it is enabled? What effect would it have overall?

I did this, but multicast routing was not enabled. It did not fix my issue.

handsy
Level 1

If this happened to me, I would be asking for a lot more detail from the 'Security Company'.

Like proof of the device that responded to this Multicast packet, exactly which device responded.

I'd also ask them to run their test again, while you are monitoring event logs on the ASA.

The ASA will not allow any packets through a low security interface without an ACL, PERIOD!
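For the retest suggested in the reply above, the following is an added example (not part of the thread or of any Cisco tool) that scans ASA syslog lines captured during the scan and reports every packet whose source falls in 224.0.0.0/4, marking whether it was denied or a connection was built. It assumes the usual layout of messages 106023 (deny by access-group) and 302013 (inbound connection built); the sample lines and the names `multicast_sources` and `SAMPLE_LOG` are constructed for illustration.

```python
import ipaddress
import re

MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# (verdict, pattern) pairs; each pattern captures message id, interface, source IP.
# Only "Built inbound" is matched, so the address after "for" is the packet's source.
PATTERNS = [
    ("denied", re.compile(
        r"%ASA-\d-(\d{6}): Deny \w+ src ([\w-]+):([\d.]+)/\d+")),
    ("permitted", re.compile(
        r"%ASA-\d-(\d{6}): Built inbound \w+ connection \d+ for ([\w-]+):([\d.]+)/\d+")),
]

def multicast_sources(lines):
    """Return (msg_id, verdict, interface, source_ip) for sources in 224.0.0.0/4."""
    hits = []
    for line in lines:
        for verdict, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            msg_id, ifc, raw_ip = m.groups()
            try:
                ip = ipaddress.ip_address(raw_ip)
            except ValueError:
                break  # malformed address field, skip the line
            if ip in MULTICAST:
                hits.append((msg_id, verdict, ifc, str(ip)))
            break
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '%ASA-4-106023: Deny tcp src outside:230.1.2.3/4096 dst inside:192.0.2.10/443 '
    'by access-group "outside_in" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51000 '
    '(198.51.100.7/51000) to inside:192.0.2.10/443 (192.0.2.10/443)',
    '%ASA-6-302013: Built inbound TCP connection 4712 for outside:239.9.9.9/4097 '
    '(239.9.9.9/4097) to inside:192.0.2.10/443 (192.0.2.10/443)',
]

if __name__ == "__main__":
    for msg_id, verdict, ifc, ip in multicast_sources(SAMPLE_LOG):
        print(f"{msg_id} {verdict:9} {ifc} source {ip}")
```

A "permitted" hit during the retest identifies traffic from a multicast source that the firewall let through; only "denied" hits, or none, means the responding device has to be found elsewhere.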
