Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Spoofed Multicast Addresses scanning ranges

We have started logging scans to our network from apparently spoofed addresses in the Reserved for Multicast range (224.0.0.0 - 239.255.255.255).

It is a different source address each time and each scan targets a different range of our internal address space.

The PIX is denying these as spoofed addresses so they aren't actually getting in.

Coincidentally we started seeing these messages just after upgrading to 7.0(4).

Wondering if anyone else has seen this traffic pattern?

2 REPLIES
Silver

Re: Spoofed Multicast Addresses scanning ranges

If the source address is random and is chaging, it could be an reconnisance attack. Usually, multicast addresses cannot be a source address in an IP packet. Where are you seeing the messages and what messages are you seeing? Have you enabled "capture" on your PIX?

New Member

Re: Spoofed Multicast Addresses scanning ranges

We are still seeing this traffic at our Internet firewall, throughout the day.

The PIX is denying the traffic as a SPOOF.

I haven't tried capture yet.

Yes they are random source addresses in the multicast range. Yes, I understand this range should not be source addresses that is why I'm wondering if anyone else has seen this type of attack, this is the first I have every heard of this attack.

306
Views
0
Helpful
2
Replies
CreatePlease to create content