I saw a very odd-looking IP in Avast!'s firewall a few days ago, and while using trace it was in the middle of the ocean with the title MULTICAST. There was no information about it and the program that was using it was a normal Windows file. Is this normal or is it something I should care about? I’ve also noticed a few blocked IPs in Avast!'s firewall with a MULTICAST name on them.
Read about Multicast and how it is being used here: http://www.tldp.org/HOWTO/Multicast-HOWTO-2.html
and via: http://en.wikipedia.org/wiki/Multicast
It goes somewhat like “Knock, knock, anybody home?”
The address is a restricted one for this purpose… nothing to worry about - it takes care that the network messages get neatly where they ought to get…
MULTICAST groups
Group / Range      Description / Use
224.0.0.251        Multicast DNS / Apple Bonjour
224.0.1.22         Service Location Protocol - Service Agent
224.0.1.35         Service Location Protocol - Directory Agent
224.0.1.60         HP Device Discovery
239.255.255.250    Universal Plug and Play (UPnP)
polonus
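An added example, not part of the original thread: a small triage script that picks multicast destinations out of firewall log lines and labels them with their address block and, where the group is in the table above, its service. The log line format, program names and sample entries are constructed assumptions (this is not Avast's log format); the address blocks follow the IANA IPv4 multicast registry.

```python
import ipaddress
import re

# Groups listed in the thread's table.
KNOWN_GROUPS = {
    "224.0.0.251": "Multicast DNS / Apple Bonjour",
    "224.0.1.22": "Service Location Protocol - Service Agent",
    "224.0.1.35": "Service Location Protocol - Directory Agent",
    "224.0.1.60": "HP Device Discovery",
    "239.255.255.250": "Universal Plug and Play (UPnP)",
}
# Address blocks, most specific first; 224.0.0.0/4 is all IPv4 multicast.
SCOPES = [
    (ipaddress.ip_network("224.0.0.0/24"), "link-local, not forwarded by routers"),
    (ipaddress.ip_network("224.0.1.0/24"), "internetwork control"),
    (ipaddress.ip_network("239.0.0.0/8"), "administratively scoped"),
    (ipaddress.ip_network("224.0.0.0/4"), "other multicast"),
]
# Assumed line format: "<action> <proto> <src>:<port> -> <dst>:<port> <program>"
LINE_RE = re.compile(r"^(\w+) (\w+) ([\d.]+):\d+ -> ([\d.]+):\d+ (\S+)$")

def classify(dst):
    """Return (scope, service) for a multicast address, or None if it is not one."""
    addr = ipaddress.ip_address(dst)
    if not addr.is_multicast:
        return None
    scope = next(label for net, label in SCOPES if addr in net)
    return scope, KNOWN_GROUPS.get(dst, "unlisted group")

def triage(lines):
    """Yield (program, dst, scope, service) for each multicast log entry."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        result = classify(m.group(4))
        if result:
            yield (m.group(5), m.group(4)) + result

SAMPLE_LOG = [  # constructed entries
    "BLOCK UDP 192.168.1.20:5353 -> 224.0.0.251:5353 mDNSResponder.exe",
    "BLOCK UDP 192.168.1.20:1900 -> 239.255.255.250:1900 svchost.exe",
    "ALLOW TCP 192.168.1.20:49152 -> 93.184.216.34:443 browser.exe",
    "BLOCK UDP 192.168.1.20:40000 -> 232.1.2.3:5000 player.exe",
]

if __name__ == "__main__":
    for program, dst, scope, service in triage(SAMPLE_LOG):
        print(f"{dst:<16} {program:<18} {scope}; {service}")
```

Entries reported as "unlisted group" are the ones worth checking against the program that generated them.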
It’s used for live streaming video. A website with a live stream will send it to Multicast, and then Multicast sends it to individual ISPs, and they send it to their customers.
I wondered what it was too. I kept seeing it pop up in my firewall.
Yes, because it is 239.255.255.250 Universal Plug and Play (UPnP)
Here you can scan if you are vulnerable to attacks → http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp
A good online test here from Steve Gibson: http://www.grc.com/su/UPnP-Exposed.htm
My verdict was
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That’s good news!)
polonus
I wonder how safe it is to download and run these little programs?
I downloaded TDSSKILLER the other day and ran it. Then I checked connections in the firewall, and an application for Kaspersky Labs had been set up with rules to allow all connections.
How can we really know what kind of information is being sent to Kaspersky Labs?
Don’t worry too much, they have to think about their ongoing reputation and they also have a code of honor to uphold. The Gibson one is really quite innocent. If you don’t feel happy about UPnP, just disable that service (or temporarily), see: http://www.forbes.com/sites/andygreenberg/2013/01/29/disable-a-protocol-called-upnp-on-your-router-now-to-avoid-a-serious-set-of-security-bugs/ (link article author Andy Greenberg)
specifically on your router: http://www.bleepingcomputer.com/forums/t/484280/disable-upnp-on-your-firewall-now/
polonus