Filter out multicast addresses (224.0.0.0/4)

I just got a report from our security scan company that we failed our quarterly audit because:

Category: Denial of Service

Title: spank.c

Summary: Sends a TCP packet from a multicast address

Description:

Your machine answers to TCP packets that are coming from a multicast address. This is known as the 'spank' denial of service attack. An attacker might use this flaw to shut down this server and saturate your network, thus preventing you from working properly. This also could be used to run stealth scans against your machine.

Solution : contact your operating system vendor for a patch.

Filter out multicast addresses (224.0.0.0/4)

Do I just need to put a statement in my outside interface access-list denying this? I'm not sure why I would need this since there is supposed to be an explicit deny all at the end of every access-list. Is that not correct?

I'm running an ASA 5510

4 REPLIES
Re: Filter out multicast addresses (224.0.0.0/4)

hi,

please try the command below to disable multicast in the firewall.

(config)# no multicast-routing

Rgrds

Naveen

Re: Filter out multicast addresses (224.0.0.0/4)

Is multicasting on by default? I don't remember enabling it. Is there somewhere I can see if it is enabled? What effect would it have overall?

Re: Filter out multicast addresses (224.0.0.0/4)

I did this, but multicast routing was not enabled. It did not fix my issue.

Re: Filter out multicast addresses (224.0.0.0/4)

If this happened to me, I would be asking for a lot more detail from the 'Security Company'.

Like proof of the device that responded to this Multicast packet, exactly which device responded.

I'd also ask them to run their test again, while you are monitoring event logs on the ASA.

The ASA will not allow any packets through a low security interface without an ACL, PERIOD!
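The point behind the original question is that the implicit deny at the end of an ASA access-list only covers packets no earlier line permitted: a `permit tcp any host ...` line admits a TCP packet whose source is in 224.0.0.0/4 just like any other. The following is an added example, not configuration from this thread or from Cisco, showing an explicit multicast-source deny inserted ahead of an existing permit on the outside interface, plus the checks for the multicast-routing question and the log monitoring the last reply suggests. The ACL name OUTSIDE_IN, the interface name outside and the inside host 203.0.113.10 are assumptions.

```cisco
! Added example (not from this thread). Assumed names: ACL OUTSIDE_IN,
! interface "outside", published host 203.0.113.10 (documentation address).
!
! Weak: the existing outside ACL permits the service from any source, which
! includes multicast sources. The implicit deny never sees those packets.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Hardened: insert a deny ahead of the permit (ACEs are evaluated first-match,
! so "line 1" matters). 224.0.0.0 with mask 240.0.0.0 is the ASA's
! network/mask form of 224.0.0.0/4. "log" records each hit so the rerun of
! the scan can be watched from the ASA side.
access-list OUTSIDE_IN line 1 extended deny ip 224.0.0.0 240.0.0.0 any log
!
! Checks: is multicast routing enabled at all, does the ACL read as intended,
! and are denies being logged (106023 is the "denied by access-group" message).
show running-config | include multicast-routing
show access-list OUTSIDE_IN
show logging | include 106023
```

If `show running-config | include multicast-routing` returns nothing, multicast routing is not enabled, and disabling it (as suggested earlier in the thread) would not change what the scanner observed; the ACL hit counter and the 106023 log lines are what show whether the deny is actually matching the scanner's packets.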
