Snort mailing list archives
Scan Nmap, Multicast Address
From: Özgüç Bayrak <ozguc.bayrak () eksen com>
Date: Thu, 5 Feb 2004 11:41:15 +0200
Hi,

When I checked my ACID logs, I saw an alert like this:

SCAN nmap TCP
230.242.34.196:48730 (Source IP)
xxx.xxx.xxx.xxx:34972 (Local IP)

I know that 230.242.34.196 is a multicast address. Is that true? The nslookup query is below:

230.242.34.196
Server: flag.ip4.int
Address: 198.32.4.13

196.34.242.230.in-addr.arpa name = reserved-multicast-range-NOT-delegated.example.com
230.in-addr.arpa nameserver = flag.ep.net
230.in-addr.arpa nameserver = dot.ep.net
dot.ep.net internet address = 198.32.2.10
dot.ep.net AAAA IPv6 address = 2001:478:6:0:230:48ff:fe22:6a29
dot.ep.net AAAA IPv6 address = 3ffe:0:1:0:230:48ff:fe22:6a29
flag.ep.net internet address = 198.32.4.13
flag.ep.net AAAA IPv6 address = 3ffe:805:0:0:2d0:b7ff:fee8:c4d9

How does it happen? Is that spoofing? Does anybody have an idea?

Thanks for the reply...

Ozguc.
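
Added example, not part of the original post: a TCP segment's source must be a unicast address, so an alert whose source falls in 224.0.0.0/4, like the one above, points to a forged or corrupted header rather than a real host. The script below triages alert lines for such sources; the line layout, the function names and every sample address except 230.242.34.196 are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed simplified alert layout: "<signature> <src>:<port> -> <dst>:<port>".
ALERT_RE = re.compile(
    r"^(?P<sig>.+?)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines; only the first source address comes from the post.
SAMPLE_ALERTS = [
    "SCAN nmap TCP 230.242.34.196:48730 -> 192.0.2.10:34972",
    "SCAN nmap TCP 198.51.100.7:40112 -> 192.0.2.10:80",
    "SCAN nmap TCP 255.255.255.255:1025 -> 192.0.2.10:22",
    "SCAN nmap TCP 127.0.0.1:5555 -> 192.0.2.10:443",
    "SCAN nmap TCP 999.1.1.1:1 -> 192.0.2.10:25",
]


def source_class(addr):
    """Classify an IPv4 source address as it appears in an alert."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "malformed"
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast"
    # multicast = 224.0.0.0/4, reserved = 240.0.0.0/4
    for kind in ("multicast", "reserved", "loopback", "unspecified"):
        if getattr(ip, "is_" + kind):
            return kind
    return "unicast"


def impossible_sources(lines):
    """Return (signature, source, class) for alerts whose source is not unicast."""
    findings = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not an alert line in the assumed layout
        kind = source_class(m.group("src"))
        if kind != "unicast":
            findings.append((m.group("sig"), m.group("src"), kind))
    return findings


if __name__ == "__main__":
    for sig, src, kind in impossible_sources(SAMPLE_ALERTS):
        print(f"{sig}: source {src} is {kind}, not a valid unicast sender")
```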
