
Spoofed Multicast Addresses scanning ranges

dopenfield
Level 1

We have started logging scans to our network from apparently spoofed addresses in the Reserved for Multicast range (224.0.0.0 - 239.255.255.255).

It is a different source address each time and each scan targets a different range of our internal address space.

The PIX is denying these as spoofed addresses so they aren't actually getting in.

Coincidentally we started seeing these messages just after upgrading to 7.0(4).

Wondering if anyone else has seen this traffic pattern?

2 Replies

smahbub
Level 6

If the source address is random and is changing, it could be a reconnaissance attack. Usually, multicast addresses cannot be a source address in an IP packet. Where are you seeing the messages and what messages are you seeing? Have you enabled "capture" on your PIX?

We are still seeing this traffic at our Internet firewall, throughout the day.

The PIX is denying the traffic as a SPOOF.

I haven't tried capture yet.

Yes, they are random source addresses in the multicast range. Yes, I understand this range should not be source addresses; that is why I'm wondering if anyone else has seen this type of attack. This is the first I have ever heard of this attack.
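One way to check the pattern described in this thread (a different multicast source each time, each hitting a different internal range) against firewall deny logs. This is an added example, not code from the thread; the log line layout, hostname and addresses are constructed, so adjust the regular expression to the messages your PIX actually emits.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines; the layout is an assumption, not copied from a PIX.
SAMPLE_LOG = """\
Jan 10 09:14:02 fw1 Deny IP spoof from (224.17.3.9) to 10.1.4.7 on interface outside
Jan 10 09:14:02 fw1 Deny IP spoof from (224.17.3.9) to 10.1.4.8 on interface outside
Jan 10 09:14:03 fw1 Deny IP spoof from (224.17.3.9) to 10.1.4.9 on interface outside
Jan 10 11:40:51 fw1 Deny IP spoof from (231.200.8.44) to 10.1.9.20 on interface outside
Jan 10 11:40:51 fw1 Deny IP spoof from (231.200.8.44) to 10.1.9.21 on interface outside
Jan 10 12:02:10 fw1 Deny IP spoof from (127.0.0.1) to 10.1.9.21 on interface outside
Jan 10 12:05:33 fw1 Deny IP spoof from (999.1.1.1) to 10.1.9.21 on interface outside
"""

# Pulls the source/destination pair out of a "from (src) to dst" deny message.
PAIR = re.compile(r"from \(?(?P<src>[\d.]+)\)? to (?P<dst>[\d.]+)")

def summarize_multicast_sources(log_text, prefix_len=24):
    """Map each multicast source to its hit count and the destination networks it hit."""
    summary = defaultdict(lambda: {"hits": 0, "targets": set()})
    for line in log_text.splitlines():
        m = PAIR.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address in the log line
        if not src.is_multicast:  # 224.0.0.0/4 is never valid as a source
            continue
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        entry = summary[str(src)]
        entry["hits"] += 1
        entry["targets"].add(str(net))
    return {s: {"hits": e["hits"], "targets": sorted(e["targets"])} for s, e in summary.items()}

def sources_share_targets(summary):
    """True if any destination network was probed from more than one multicast source."""
    seen = [t for e in summary.values() for t in e["targets"]]
    return len(seen) != len(set(seen))

if __name__ == "__main__":
    result = summarize_multicast_sources(SAMPLE_LOG)
    for src, info in result.items():
        print(src, info["hits"], info["targets"])
    print("overlapping targets:", sources_share_targets(result))
```

No overlap between sources matches what the original poster reports; overlap would suggest repeated probing of the same range instead.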
