11-10-2005 11:53 AM - edited 03-09-2019 01:00 PM
We have started logging scans to our network from apparently spoofed addresses in the Reserved for Multicast range (224.0.0.0 - 239.255.255.255).
It is a different source address each time and each scan targets a different range of our internal address space.
The PIX is denying these as spoofed addresses so they aren't actually getting in.
Coincidentally we started seeing these messages just after upgrading to 7.0(4).
Wondering if anyone else has seen this traffic pattern?
11-16-2005 12:35 PM
If the source address is random and is chaging, it could be an reconnisance attack. Usually, multicast addresses cannot be a source address in an IP packet. Where are you seeing the messages and what messages are you seeing? Have you enabled "capture" on your PIX?
11-16-2005 02:15 PM
We are still seeing this traffic at our Internet firewall, throughout the day.
The PIX is denying the traffic as a SPOOF.
I haven't tried capture yet.
Yes they are random source addresses in the multicast range. Yes, I understand this range should not be source addresses that is why I'm wondering if anyone else has seen this type of attack, this is the first I have every heard of this attack.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: