When using network scanning tools like AMD's Magic Packet Utility or Wireshark, you'll often encounter multicast IPs (224.0.0.22, 224.0.0.252, 239.255.255.250) even when scanning specific subnets. These aren't rogue devices but rather standard multicast groups:
- 224.0.0.22: IGMPv3 (Internet Group Management Protocol)
- 224.0.0.252: Link-local Multicast Name Resolution (LLMNR)
- 239.255.255.250: Simple Service Discovery Protocol (SSDP)
IGMP (224.0.0.22): Core protocol for IPv4 multicast group management. Routers use this to discover multicast listeners.
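LLMNR (224.0.0.252): Microsoft's protocol for hostname resolution when DNS fails. A minimal listener that prints incoming queries:
```python
# Python LLMNR listener example
import socket

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(("", LLMNR_PORT))
# Join the group so the kernel delivers LLMNR multicast to this socket
mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton("0.0.0.0")
sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)

while True:
    data, addr = sock.recvfrom(1024)
    print(f"LLMNR query from {addr}: {data.hex()}")
```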
SSDP (239.255.255.250): Used by UPnP devices for discovery. Here's how to detect UPnP devices:
```bash
# Bash SSDP discovery
echo -ne "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n" | nc -u 239.255.255.250 1900
```
Wake-on-LAN tools often use low-level network scanning that captures all visible traffic, including multicast. This isn't a security concern but rather shows your tool is working at layer 2/3. To filter these out in Python:
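```python
# Python WOL scanner with multicast filter
import ipaddress
from scapy.all import Ether, IP, sniff

def wol_callback(pkt):
    # Skip anything addressed to an IPv4 multicast group (224.0.0.0/4),
    # which also covers 239.255.255.250
    if pkt.haslayer(IP) and ipaddress.ip_address(pkt[IP].dst).is_multicast:
        return
    # pkt[Ether].src is the source MAC of the captured WoL frame
    print(f"Valid WOL target: {pkt[Ether].src}")

sniff(prn=wol_callback, filter="ether proto 0x0842", store=0)
```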
While these are normal protocols, attackers can abuse them:
- LLMNR poisoning (respond to name resolution requests)
- SSDP reflection DDoS attacks
- IGMP flooding attacks
Example iptables rules to limit multicast impact:
```bash
# Limit IGMP traffic
iptables -A INPUT -d 224.0.0.22 -p igmp -m limit --limit 3/second -j ACCEPT
iptables -A INPUT -d 224.0.0.22 -j DROP
# Block external multicast
iptables -A INPUT -d 224.0.0.0/4 -i eth0 -j DROP
```
When using AMD's Magic Packet Utility for Wake-on-LAN (WoL) operations, you might encounter unexpected multicast IP addresses like these:
```
224.0.0.22       igmp.mcast.net   01-00-5e-00-00-16
224.0.0.252      *NameNotFound*   01-00-5e-00-00-fc
239.255.255.250  *NameNotFound*   01-00-5e-7f-ff-fa
```
These addresses are actually standard multicast addresses used for various network protocols:
- 224.0.0.22: IGMPv3 (Internet Group Management Protocol)
- 224.0.0.252: Link-local Multicast Name Resolution (LLMNR)
- 239.255.255.250: Simple Service Discovery Protocol (SSDP)
Your network scanning tool likely picked these up because:
- They respond to certain network probes
- Some multicast traffic exists even outside your specified subnet
- The scanner may be detecting all active MAC addresses
Here's how to filter these in your WoL implementation (Python example):
```python
import socket
import struct

def is_multicast(mac_address):
    # Check if MAC is multicast (LSB of first byte set);
    # accepts both ':' and '-' separated MACs
    first_octet = mac_address.replace('-', ':').split(':')[0]
    return bool(int(first_octet, 16) & 0x01)

def is_wol_target(ip, mac):
    multicast_ranges = [
        ('224.0.0.0', '224.0.0.255'),  # Local network control block
        ('239.255.255.250', '239.255.255.250')  # SSDP
    ]
    ip_num = struct.unpack("!I", socket.inet_aton(ip))[0]
    for start, end in multicast_ranges:
        start_num = struct.unpack("!I", socket.inet_aton(start))[0]
        end_num = struct.unpack("!I", socket.inet_aton(end))[0]
        if start_num <= ip_num <= end_num:
            return False
    return not is_multicast(mac)
```
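Each multicast IP in the utility output above is paired with a 01-00-5e MAC because of the standard IPv4-to-Ethernet multicast mapping (RFC 1112). The following is an added example, not code from the utility or the original page: it derives that MAC, checks each scan row against it, and keeps only unicast hosts. The `IP name MAC` row layout is assumed from the listing, and the last two sample rows are constructed.

```python
import ipaddress

# Groups named on this page
KNOWN_GROUPS = {"224.0.0.22": "IGMPv3", "224.0.0.252": "LLMNR",
                "239.255.255.250": "SSDP"}

def multicast_mac(ip):
    """Ethernet MAC for an IPv4 multicast group (RFC 1112 mapping):
    fixed prefix 01-00-5e followed by the low 23 bits of the address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    tail = (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return "01-00-5e-" + "-".join(f"{o:02x}" for o in tail)

def classify(row):
    """Classify one 'IP name MAC' row (layout assumed from the listing)."""
    ip, _name, mac = row.split()
    mac = mac.lower().replace(":", "-")
    if ipaddress.IPv4Address(ip).is_multicast:
        return {"ip": ip, "mac": mac, "kind": "multicast",
                "label": KNOWN_GROUPS.get(ip, "other group"),
                "mac_ok": mac == multicast_mac(ip)}
    # Group bit (LSB of first octet) set: broadcast or multicast MAC
    group_bit = int(mac.split("-")[0], 16) & 0x01
    return {"ip": ip, "mac": mac, "label": None, "mac_ok": None,
            "kind": "group-mac" if group_bit else "unicast"}

def wol_candidates(rows):
    """Only unicast hosts are meaningful Wake-on-LAN targets."""
    hits = [classify(r) for r in rows]
    return [(h["ip"], h["mac"]) for h in hits if h["kind"] == "unicast"]

SAMPLE_ROWS = [
    "224.0.0.22 igmp.mcast.net 01-00-5e-00-00-16",        # from the page
    "224.0.0.252 *NameNotFound* 01-00-5e-00-00-fc",       # from the page
    "239.255.255.250 *NameNotFound* 01-00-5e-7f-ff-fa",   # from the page
    "192.168.1.20 workstation-01 00-1a-2b-3c-4d-5e",      # constructed
    "224.0.0.251 *NameNotFound* 01-00-5e-00-00-fc",       # constructed mismatch
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(classify(row))
    print("WoL candidates:", wol_candidates(SAMPLE_ROWS))
```

Because the mapping keeps only 23 bits, 32 group addresses share each MAC (224.128.0.22 also maps to 01-00-5e-00-00-16), so a matching MAC shows the row is consistent, not which group produced the frame.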
These multicast addresses are completely normal and not security threats:
- They're part of standard network operations
- Most are link-local (won't route beyond your local network)
- They help with service discovery and network management
If you want to examine these packets more closely, here's a tcpdump filter:
```bash
tcpdump -i eth0 'ip multicast and (host 224.0.0.22 or host 224.0.0.252 or host 239.255.255.250)' -v
```
Or for Wireshark filtering:
```
ip.dst == 224.0.0.22 || ip.dst == 224.0.0.252 || ip.dst == 239.255.255.250
```