Hello, I’ve recently installed CIS and after running it a few days with the default settings, I started tweaking the settings to increase security. Then I started receiving alerts about applications trying to access IP 224.0.1.60. Not knowing what this address was, I blocked it and then searched for information. I found it’s a multicast address used by HP devices (I have one on my LAN).
I’ve never heard of multicast addresses before, but if I understand correctly, those are somewhat local addresses as routers shouldn’t forward them to the web. So my question: should I add a network zone for the multicast addresses like I set one for my LAN and another for the local loopback and trust them using the wizard? In other words: are those multicast addresses safe and required?
BTW, is the range for those 224.0.0.0-224.0.1.255?
I have a network zone called Local Multicast. It contains 2 ranges:
IP In [224.0.0.0/224.0.0.255]
IP In [239.0.0.0/239.255.255.255]
I then have 2 global rules near the top of the list:
Allow IP In From In [Local Multicast] To Mark-PC Where Protocol Is Any
Allow IP Out From Mark-PC To In [Local Multicast] Where Protocol Is Any
First, remember that multicast is not strictly local: it is restricted to some specific network or subnet, and it’s somewhat different, although some router configurations could consider that the whole internet is the said network, and thus multicast to planet Mars.
Still, strictly speaking, multicast as a whole is a potential security threat, and it is as such denied in most corporate networks (google, e.g., “cisco multicast”).
As a second remark, there’s no such thing as a global multicast, and multicast is made of a multitude of addresses, some of them reserved to networks one does not want to be talked of.
It is indirectly the situation of Bob: either one has a shared HP network printer, and if it is a real network printer, it has its own dedicated IP, or it is a basic printer accessible from the LAN. In both instances, there is no need of a dedicated multicast address for this printer, and it can safely be denied.
The potential threat is there, outside of corporate network misuse or hacking, for the said printer to try to multicast to an external HP server.
More generally speaking, some home router configurations won’t allow you to connect if you don’t set some broadcasting rules (e.g. mine won’t connect if I don’t make a svchost UDP out rule to 255.255.255.255 destination port 67).
A similar situation can happen with some software and services: e.g. if you don’t disable XP UPnP, you shall be asked by svchost UDP out to 239.255.255.250 destination port 1900 (and deny it).
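To make MSB’s zone definition and brucine’s two svchost rules concrete, here is an added example (it is not code from this thread, nor from Comodo) that uses Python’s standard `ipaddress` module to label an address by its IANA multicast block, test it against the “Local Multicast” zone, and walk a small first-match rule list. The `Rule`/`Event` model and the “ask” default for unmatched traffic are assumptions of the example, not CIS’s own rule format; the sample events are constructed, and the 224.0.1.60 event carries no port because the thread does not give one.

```python
import ipaddress
from collections import namedtuple

# IANA IPv4 multicast sub-blocks used to label an address. The whole
# multicast space is 224.0.0.0/4 (224.0.0.0 - 239.255.255.255).
MULTICAST_BLOCKS = [
    ("local network control (never forwarded)", ipaddress.ip_network("224.0.0.0/24")),
    ("internetwork control (routable)", ipaddress.ip_network("224.0.1.0/24")),
    ("administratively scoped", ipaddress.ip_network("239.0.0.0/8")),
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# MSB's "Local Multicast" zone, as posted in the thread.
LOCAL_MULTICAST = [
    ipaddress.ip_network("224.0.0.0/24"),
    ipaddress.ip_network("239.0.0.0/8"),
]


def multicast_span():
    """First and last address of the whole IPv4 multicast range."""
    net = ipaddress.ip_network("224.0.0.0/4")
    return str(net[0]), str(net[-1])


def classify(addr_str):
    """Label an IPv4 address by the block it falls in."""
    addr = ipaddress.ip_address(addr_str)
    if addr == LIMITED_BROADCAST:
        return "limited broadcast"
    if not addr.is_multicast:
        return "unicast"
    for label, net in MULTICAST_BLOCKS:
        if addr in net:
            return label
    return "other multicast"


def in_zone(addr_str, zone=LOCAL_MULTICAST):
    """True if the address falls inside any network of the zone."""
    addr = ipaddress.ip_address(addr_str)
    return any(addr in net for net in zone)


# Hypothetical rule model (assumption, not CIS's format): first matching
# rule wins; an event matching no rule is reported as "ask", mirroring the
# prompt the original poster saw. proto "any" and port None mean "any".
Rule = namedtuple("Rule", "action direction proto zone port")
Event = namedtuple("Event", "direction proto remote port")

RULES = [
    # brucine's SSDP deny must sit above the broad allow, because
    # 239.255.255.250 lies inside the zone's 239.0.0.0/8 range.
    Rule("block", "out", "udp", [ipaddress.ip_network("239.255.255.250/32")], 1900),
    # MSB's two global rules.
    Rule("allow", "in", "any", LOCAL_MULTICAST, None),
    Rule("allow", "out", "any", LOCAL_MULTICAST, None),
    # brucine's DHCP broadcast rule.
    Rule("allow", "out", "udp", [ipaddress.ip_network("255.255.255.255/32")], 67),
]


def matches(rule, event):
    if rule.direction != event.direction:
        return False
    if rule.proto != "any" and rule.proto != event.proto:
        return False
    if rule.port is not None and rule.port != event.port:
        return False
    return in_zone(event.remote, rule.zone)


def decide(event, rules=RULES):
    """Return the action of the first matching rule, or "ask" if none."""
    for rule in rules:
        if matches(rule, event):
            return rule.action
    return "ask"


if __name__ == "__main__":
    # Constructed sample events, including the address from the thread.
    for ev in [
        Event("out", "udp", "224.0.1.60", None),
        Event("in", "udp", "224.0.0.251", 5353),
        Event("out", "udp", "255.255.255.255", 67),
        Event("out", "udp", "239.255.255.250", 1900),
        Event("out", "udp", "239.1.2.3", 1234),
    ]:
        print(f"{ev.direction:>3} {ev.remote:<16} {classify(ev.remote):<40} -> {decide(ev)}")
```

Two things the run makes visible: 224.0.1.60 is multicast but sits in 224.0.1.0/24, outside MSB’s zone, so it matches nothing and still prompts, which is the behaviour Bob described; and the order of the rules matters, since the SSDP deny only takes effect because it is listed before the allow that covers all of 239.0.0.0/8.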
Thanks brucine, this was especially insightful.
Yes, my printer has a local IP reserved by my D-Link router. OK, I’ll keep blocking those unless I need them for another application then.
mDNSResponder is the application that keeps trying to use this broadcast address. I know HP printers use “Bonjour” to make themselves visible on the network, but I don’t really need it as I know where it is located. I’ll try to turn the process off so it will stop asking for permission.
Thanks MSB too for the Multicast ranges.
BTW, I just checked my router and it has a checkbox to “enable multicast streams” that’s currently unchecked, so I was probably worrying for nothing.
EDIT: Oh, is there a rule for setting the status of the posts when they have been answered? I didn’t find it in the “forum policy” post.